domma-cms 0.3.0 → 0.5.2

package/server/routes/api/layouts.js

@@ -1,39 +1,49 @@
-/**
- * Layouts (Presets) API
- * GET /api/layouts       - get all layout presets
- * PUT /api/layouts       - save layout presets
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-
-export async function layoutsRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requirePermission('layouts')] };
-
-    fastify.get('/layouts', guard, async () => {
-        return getConfig('presets');
-    });
-
-    fastify.put('/layouts', guard, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid presets data' });
-        }
-        saveConfig('presets', data);
-        return { success: true };
-    });
-
-  fastify.get('/layouts/options', guard, async () => {
-    return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
-  });
-
-  fastify.put('/layouts/options', guard, async (request, reply) => {
-    const data = request.body;
-    if (!data || typeof data !== 'object') {
-      return reply.status(400).send({error: 'Invalid layout options'});
-    }
-    const site = getConfig('site');
-    site.layoutOptions = {...site.layoutOptions, ...data};
-    saveConfig('site', site);
-    return {success: true};
-  });
-}
+/**
+ * Layouts (Presets) API
+ * GET /api/layouts       - get all layout presets
+ * PUT /api/layouts       - save layout presets
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+export async function layoutsRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('layouts', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('layouts', 'update')]};
+
+    fastify.get('/layouts', canRead, async () => {
+        return getConfig('presets');
+    });
+
+    fastify.put('/layouts', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object' || Array.isArray(data)) {
+            return reply.status(400).send({ error: 'Invalid presets data: expected an object' });
+        }
+        // Each preset value must be an object with at least a name field
+        for (const [key, preset] of Object.entries(data)) {
+            if (!preset || typeof preset !== 'object' || Array.isArray(preset)) {
+                return reply.status(400).send({ error: `Invalid preset "${key}": expected an object` });
+            }
+            if (typeof preset.name !== 'string' || !preset.name.trim()) {
+                return reply.status(400).send({ error: `Invalid preset "${key}": missing or empty "name" field` });
+            }
+        }
+        saveConfig('presets', data);
+        return { success: true };
+    });
+
+    fastify.get('/layouts/options', canRead, async () => {
+    return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
+  });
+
+    fastify.put('/layouts/options', canUpdate, async (request, reply) => {
+    const data = request.body;
+    if (!data || typeof data !== 'object') {
+      return reply.status(400).send({error: 'Invalid layout options'});
+    }
+    const site = getConfig('site');
+    site.layoutOptions = {...site.layoutOptions, ...data};
+    saveConfig('site', site);
+    return {success: true};
+  });
+}

package/server/routes/api/media.js

@@ -1,92 +1,118 @@
-/**
- * Media API
- * GET    /api/media       - list media files
- * POST   /api/media       - upload a file
- * DELETE /api/media/:name - delete a file
- */
-import path from 'path';
-import {deleteMedia, listMedia, renameMedia, saveMedia} from '../../services/content.js';
-import {getImageInfo, isEditableImage, transformImage} from '../../services/images.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-
-// Safe filename: strip path traversal and restrict to alphanumeric + safe chars
-function sanitiseFilename(name) {
-    return path.basename(name).replace(/[^a-zA-Z0-9._-]/g, '_');
-}
-
-export async function mediaRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requirePermission('media')] };
-
-    fastify.get('/media', guard, async () => {
-        return listMedia();
-    });
-
-    fastify.post('/media', guard, async (request, reply) => {
-      const results = [];
-      for await (const data of request.files()) {
-        const filename = sanitiseFilename(data.filename);
-        const chunks = [];
-        for await (const chunk of data.file) {
-          chunks.push(chunk);
-        }
-        results.push(await saveMedia(filename, Buffer.concat(chunks)));
-      }
-      if (!results.length) return reply.status(400).send({error: 'No file uploaded'});
-      return reply.status(201).send(results.length === 1 ? results[0] : results);
-    });
-
-  fastify.patch('/media/:name', guard, async (request, reply) => {
-    const oldName = sanitiseFilename(request.params.name);
-    const newName = sanitiseFilename(request.body?.newName ?? '');
-    if (!newName) return reply.status(400).send({error: 'newName is required.'});
-    if (oldName === newName) return reply.status(400).send({error: 'New name is the same as the current name.'});
-    try {
-      return await renameMedia(oldName, newName);
-    } catch (err) {
-      return reply.status(409).send({error: err.message});
-    }
-  });
-
-    fastify.delete('/media/:name', guard, async (request, reply) => {
-        const name = sanitiseFilename(request.params.name);
-        await deleteMedia(name);
-        return { success: true };
-    });
-
-  fastify.get('/media/:name/info', guard, async (request, reply) => {
-    const name = sanitiseFilename(request.params.name);
-    if (!isEditableImage(name)) {
-      return reply.status(400).send({error: 'Not an editable image format'});
-    }
-    try {
-      return await getImageInfo(name);
-    } catch {
-      return reply.status(404).send({error: 'File not found'});
-    }
-  });
-
-  fastify.post('/media/:name/transform', guard, async (request, reply) => {
-    const name = sanitiseFilename(request.params.name);
-    if (!isEditableImage(name)) {
-      return reply.status(400).send({error: 'Not an editable image format'});
-    }
-
-    const {operations = {}, saveAs} = request.body ?? {};
-
-    // Sanitise fields that reference filesystem paths
-    if (operations.watermark?.image) {
-      operations.watermark.image = sanitiseFilename(operations.watermark.image);
-    }
-    if (operations._deleteOriginal) {
-      operations._deleteOriginal = sanitiseFilename(operations._deleteOriginal);
-    }
-
-    const outputFilename = saveAs ? sanitiseFilename(saveAs) : null;
-
-    try {
-      return await transformImage(name, operations, outputFilename);
-    } catch (err) {
-      return reply.status(500).send({error: err.message});
-    }
-  });
-}
+/**
+ * Media API
+ * GET    /api/media       - list media files
+ * POST   /api/media       - upload a file
+ * DELETE /api/media/:name - delete a file
+ */
+import path from 'path';
+import {deleteMedia, listMedia, renameMedia, saveMedia} from '../../services/content.js';
+import {getImageInfo, isEditableImage, transformImage} from '../../services/images.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+const ALLOWED_MIME_TYPES = new Set([
+  // Images
+  'image/jpeg', 'image/jpg', 'image/png', 'image/gif', 'image/webp',
+  'image/svg+xml', 'image/x-icon', 'image/bmp', 'image/tiff',
+  // Documents
+  'application/pdf', 'text/plain', 'text/csv',
+  'application/msword',
+  'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+  'application/vnd.ms-excel',
+  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+  // Video
+  'video/mp4', 'video/webm', 'video/ogg',
+  // Audio
+  'audio/mpeg', 'audio/mp3', 'audio/ogg', 'audio/wav', 'audio/webm',
+]);
+
+// Safe filename: strip path traversal and restrict to alphanumeric + safe chars
+function sanitiseFilename(name) {
+    return path.basename(name).replace(/[^a-zA-Z0-9._-]/g, '_');
+}
+
+export async function mediaRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('media', 'read')]};
+    const canCreate = {preHandler: [authenticate, requirePermission('media', 'create')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('media', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('media', 'delete')]};
+
+    fastify.get('/media', canRead, async () => {
+        return listMedia();
+    });
+
+    fastify.post('/media', canCreate, async (request, reply) => {
+      const results = [];
+      for await (const data of request.files()) {
+        const filename = sanitiseFilename(data.filename);
+        if (!ALLOWED_MIME_TYPES.has(data.mimetype)) {
+          // Drain the stream to avoid leaving it open
+          for await (const _ of data.file) { /* drain */ }
+          return reply.code(400).send({
+            error: `File type '${data.mimetype}' is not allowed. Allowed types: images, documents, audio, video.`,
+          });
+        }
+        const chunks = [];
+        for await (const chunk of data.file) {
+          chunks.push(chunk);
+        }
+        results.push(await saveMedia(filename, Buffer.concat(chunks)));
+      }
+      if (!results.length) return reply.status(400).send({error: 'No file uploaded'});
+      return reply.status(201).send(results.length === 1 ? results[0] : results);
+    });
+
+    fastify.patch('/media/:name', canUpdate, async (request, reply) => {
+    const oldName = sanitiseFilename(request.params.name);
+    const newName = sanitiseFilename(request.body?.newName ?? '');
+    if (!newName) return reply.status(400).send({error: 'newName is required.'});
+    if (oldName === newName) return reply.status(400).send({error: 'New name is the same as the current name.'});
+    try {
+      return await renameMedia(oldName, newName);
+    } catch (err) {
+      return reply.status(409).send({error: err.message});
+    }
+  });
+
+    fastify.delete('/media/:name', canDelete, async (request, reply) => {
+        const name = sanitiseFilename(request.params.name);
+        await deleteMedia(name);
+        return { success: true };
+    });
+
+    fastify.get('/media/:name/info', canRead, async (request, reply) => {
+    const name = sanitiseFilename(request.params.name);
+    if (!isEditableImage(name)) {
+      return reply.status(400).send({error: 'Not an editable image format'});
+    }
+    try {
+      return await getImageInfo(name);
+    } catch {
+      return reply.status(404).send({error: 'File not found'});
+    }
+  });
+
+    fastify.post('/media/:name/transform', canUpdate, async (request, reply) => {
+    const name = sanitiseFilename(request.params.name);
+    if (!isEditableImage(name)) {
+      return reply.status(400).send({error: 'Not an editable image format'});
+    }
+
+    const {operations = {}, saveAs} = request.body ?? {};
+
+    // Sanitise fields that reference filesystem paths
+    if (operations.watermark?.image) {
+      operations.watermark.image = sanitiseFilename(operations.watermark.image);
+    }
+    if (operations._deleteOriginal) {
+      operations._deleteOriginal = sanitiseFilename(operations._deleteOriginal);
+    }
+
+    const outputFilename = saveAs ? sanitiseFilename(saveAs) : null;
+
+    try {
+      return await transformImage(name, operations, outputFilename);
+    } catch (err) {
+      return reply.status(500).send({error: err.message});
+    }
+  });
+}

package/server/routes/api/navigation.js

@@ -1,36 +1,40 @@
-/**
- * Navigation API
- * GET /api/navigation    - get navigation config
- * PUT /api/navigation    - save navigation config
- */
-import { getConfig, saveConfig } from '../../config.js';
-import { authenticate, requirePermission } from '../../middleware/auth.js';
-
-export async function navigationRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requirePermission('navigation')] };
-
-    fastify.get('/navigation', guard, async () => {
-        return getConfig('navigation');
-    });
-
-    fastify.put('/navigation', guard, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid navigation data' });
-        }
-        // Normalise child key: Domma navbar expects `items`, not `children`
-        if (Array.isArray(data.items)) {
-            data.items = data.items.map(item => {
-                const children = item.items || item.children;
-                if (children?.length) {
-                    const { children: _c, ...rest } = item;
-                    return { ...rest, items: children };
-                }
-                const { children: _c, ...rest } = item;
-                return rest;
-            });
-        }
-        saveConfig('navigation', data);
-        return { success: true };
-    });
-}
+/**
+ * Navigation API
+ * GET /api/navigation    - get navigation config
+ * PUT /api/navigation    - save navigation config
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+export async function navigationRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('navigation', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('navigation', 'update')]};
+
+    fastify.get('/navigation', canRead, async () => {
+        return getConfig('navigation');
+    });
+
+    fastify.put('/navigation', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid navigation data' });
+        }
+        if (!Array.isArray(data.items) && !Array.isArray(data)) {
+            return reply.status(400).send({ error: 'Navigation must be an array of items' });
+        }
+        // Normalise child key: Domma navbar expects `items`, not `children`
+        if (Array.isArray(data.items)) {
+            data.items = data.items.map(item => {
+                const children = item.items || item.children;
+                if (children?.length) {
+                    const { children: _c, ...rest } = item;
+                    return { ...rest, items: children };
+                }
+                const { children: _c, ...rest } = item;
+                return rest;
+            });
+        }
+        saveConfig('navigation', data);
+        return { success: true };
+    });
+}

package/server/routes/api/pages.js

@@ -1,118 +1,132 @@
-/**
- * Pages API
- * GET    /api/pages          - list all pages
- * GET    /api/pages/*        - get single page by URL path
- * POST   /api/pages          - create page
- * PUT    /api/pages/*        - update page
- * DELETE /api/pages/*        - delete page
- */
-import {createPage, deletePage, getPage, listPages, renamePage, updatePage} from '../../services/content.js';
-import {parseMarkdown} from '../../services/markdown.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-import {getConfig, saveConfig} from '../../config.js';
-
-export async function pagesRoutes(fastify) {
-    const guard = { preHandler: [authenticate, requirePermission('pages')] };
-
-  // Render markdown preview (shortcodes + sanitize, no frontmatter)
-  fastify.post('/pages/preview', guard, async (request, reply) => {
-    const {markdown} = request.body;
-    if (typeof markdown !== 'string') return reply.status(400).send({error: 'markdown must be a string'});
-    const {html} = parseMarkdown(`---\ntitle: preview\n---\n${markdown}`);
-    return {html};
-  });
-
-    // List all pages
-    fastify.get('/pages', guard, async (request, reply) => {
-        const pages = await listPages();
-        return pages.map(p => ({
-            urlPath: p.urlPath,
-            title: p.title,
-            slug: p.slug,
-            status: p.status,
-            layout: p.layout,
-            showInNav: p.showInNav,
-            sortOrder: p.sortOrder,
-          category: p.category || null,
-          visibility: p.visibility || 'public',
-            updatedAt: p.updatedAt,
-            createdAt: p.createdAt
-        }));
-    });
-
-    // Get single page
-    fastify.get('/pages/*', guard, async (request, reply) => {
-        const urlPath = '/' + request.params['*'];
-        const page = await getPage(urlPath);
-        if (!page) return reply.status(404).send({ error: 'Page not found' });
-        return page;
-    });
-
-    // Create page
-    fastify.post('/pages', guard, async (request, reply) => {
-        const { urlPath, frontmatter, body } = request.body;
-        if (!urlPath) return reply.status(400).send({ error: 'urlPath is required' });
-
-        const existing = await getPage(urlPath);
-        if (existing) return reply.status(409).send({ error: 'Page already exists at that path' });
-
-        const page = await createPage(urlPath, frontmatter || {}, body || '');
-        return reply.status(201).send(page);
-    });
-
-    // Update page (optionally rename to a new URL path)
-    fastify.put('/pages/*', guard, async (request, reply) => {
-        const urlPath = '/' + request.params['*'];
-        const { frontmatter, body, newUrlPath } = request.body;
-
-        const existing = await getPage(urlPath);
-        if (!existing) return reply.status(404).send({ error: 'Page not found' });
-
-        if (newUrlPath && newUrlPath !== urlPath) {
-            const conflict = await getPage(newUrlPath);
-            if (conflict) return reply.status(409).send({ error: 'A page already exists at that path' });
-
-            await renamePage(urlPath, newUrlPath);
-            await rewriteNavLinks(urlPath, newUrlPath);
-
-            const page = await updatePage(newUrlPath, frontmatter || {}, body);
-            return page;
-        }
-
-        const page = await updatePage(urlPath, frontmatter || {}, body);
-        return page;
-    });
-
-    // Delete page
-    fastify.delete('/pages/*', guard, async (request, reply) => {
-        const urlPath = '/' + request.params['*'];
-        const existing = await getPage(urlPath);
-        if (!existing) return reply.status(404).send({ error: 'Page not found' });
-
-        await deletePage(urlPath);
-        return { success: true };
-    });
-}
-
-/**
- * Rewrite any navigation item URLs that match oldUrlPath to newUrlPath,
- * then persist the updated navigation config.
- *
- * @param {string} oldUrlPath
- * @param {string} newUrlPath
- * @returns {Promise<void>}
- */
-async function rewriteNavLinks(oldUrlPath, newUrlPath) {
-    const nav = getConfig('navigation');
-    if (!nav?.items?.length) return;
-
-    let changed = false;
-    for (const item of nav.items) {
-        if (item.url === oldUrlPath) { item.url = newUrlPath; changed = true; }
-        for (const child of item.children || []) {
-            if (child.url === oldUrlPath) { child.url = newUrlPath; changed = true; }
-        }
-    }
-
-    if (changed) await saveConfig('navigation', nav);
-}
+/**
+ * Pages API
+ * GET    /api/pages          - list all pages
+ * GET    /api/pages/*        - get single page by URL path
+ * POST   /api/pages          - create page
+ * PUT    /api/pages/*        - update page
+ * DELETE /api/pages/*        - delete page
+ */
+import {createPage, deletePage, getPage, listPages, renamePage, updatePage} from '../../services/content.js';
+import {parseMarkdown} from '../../services/markdown.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import {getConfig, saveConfig} from '../../config.js';
+
+export async function pagesRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('pages', 'read')]};
+    const canCreate = {preHandler: [authenticate, requirePermission('pages', 'create')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('pages', 'update')]};
+    const canDelete = {preHandler: [authenticate, requirePermission('pages', 'delete')]};
+
+  // Render markdown preview (shortcodes + sanitize, no frontmatter)
+    fastify.post('/pages/preview', canRead, async (request, reply) => {
+    const {markdown} = request.body;
+    if (typeof markdown !== 'string') return reply.status(400).send({error: 'markdown must be a string'});
+    const {html} = await parseMarkdown(`---\ntitle: preview\n---\n${markdown}`);
+    return {html};
+  });
+
+    // Aggregate unique tags from all pages — must be registered before the wildcard /pages/* route
+    fastify.get('/pages/tags', canRead, async (request, reply) => {
+        const pages = await listPages();
+        const tagSet = new Set();
+        pages.forEach(p => {
+            if (Array.isArray(p.tags)) p.tags.forEach(t => { if (t) tagSet.add(t); });
+        });
+        return { tags: [...tagSet].sort() };
+    });
+
+    // List all pages
+    fastify.get('/pages', canRead, async (request, reply) => {
+        const pages = await listPages();
+        return pages.map(p => ({
+            urlPath: p.urlPath,
+            title: p.title,
+            slug: p.slug,
+            status: p.status,
+            layout: p.layout,
+            showInNav: p.showInNav,
+            sortOrder: p.sortOrder,
+          category: p.category || null,
+          visibility: p.visibility || 'public',
+          tags: p.tags || [],
+            updatedAt: p.updatedAt,
+            createdAt: p.createdAt
+        }));
+    });
+
+    // Get single page
+    fastify.get('/pages/*', canRead, async (request, reply) => {
+        const urlPath = '/' + request.params['*'];
+        const page = await getPage(urlPath);
+        if (!page) return reply.status(404).send({ error: 'Page not found' });
+        return page;
+    });
+
+    // Create page
+    fastify.post('/pages', canCreate, async (request, reply) => {
+        const { urlPath, frontmatter, body } = request.body;
+        if (!urlPath) return reply.status(400).send({ error: 'urlPath is required' });
+
+        const existing = await getPage(urlPath);
+        if (existing) return reply.status(409).send({ error: 'Page already exists at that path' });
+
+        const page = await createPage(urlPath, frontmatter || {}, body || '');
+        return reply.status(201).send(page);
+    });
+
+    // Update page (optionally rename to a new URL path)
+    fastify.put('/pages/*', canUpdate, async (request, reply) => {
+        const urlPath = '/' + request.params['*'];
+        const { frontmatter, body, newUrlPath } = request.body;
+
+        const existing = await getPage(urlPath);
+        if (!existing) return reply.status(404).send({ error: 'Page not found' });
+
+        if (newUrlPath && newUrlPath !== urlPath) {
+            const conflict = await getPage(newUrlPath);
+            if (conflict) return reply.status(409).send({ error: 'A page already exists at that path' });
+
+            await renamePage(urlPath, newUrlPath);
+            await rewriteNavLinks(urlPath, newUrlPath);
+
+            const page = await updatePage(newUrlPath, frontmatter || {}, body);
+            return page;
+        }
+
+        const page = await updatePage(urlPath, frontmatter || {}, body);
+        return page;
+    });
+
+    // Delete page
+    fastify.delete('/pages/*', canDelete, async (request, reply) => {
+        const urlPath = '/' + request.params['*'];
+        const existing = await getPage(urlPath);
+        if (!existing) return reply.status(404).send({ error: 'Page not found' });
+
+        await deletePage(urlPath);
+        return { success: true };
+    });
+}
+
+/**
+ * Rewrite any navigation item URLs that match oldUrlPath to newUrlPath,
+ * then persist the updated navigation config.
+ *
+ * @param {string} oldUrlPath
+ * @param {string} newUrlPath
+ * @returns {Promise<void>}
+ */
+async function rewriteNavLinks(oldUrlPath, newUrlPath) {
+    const nav = getConfig('navigation');
+    if (!nav?.items?.length) return;
+
+    let changed = false;
+    for (const item of nav.items) {
+        if (item.url === oldUrlPath) { item.url = newUrlPath; changed = true; }
+        for (const child of item.children || []) {
+            if (child.url === oldUrlPath) { child.url = newUrlPath; changed = true; }
+        }
+    }
+
+    if (changed) await saveConfig('navigation', nav);
+}