domma-cms 0.9.10 → 0.12.0

package/scripts/setup.js

@@ -7,10 +7,11 @@
  *
  * Steps:
  *   1. Generate JWT_SECRET (skips if already set)
- *   2. Create admin account (skips if users already exist)
- *   3. Set site title and tagline
- *   4. Pick a theme
- *   5. Set server port
+ *   2. Generate INSTANCE_SECRET (skips if already set)
+ *   3. Create admin account (skips if users already exist)
+ *   4. Set site title and tagline
+ *   5. Pick a theme
+ *   6. Set server port
  */
 import {createInterface} from 'node:readline/promises';
 import {randomBytes} from 'node:crypto';
@@ -154,9 +155,26 @@ if (!isPlaceholder) {
 }
 
 // ---------------------------------------------------------------------------
-// Step 2 — Admin Account
+// Step 2 — Instance Secret
 // ---------------------------------------------------------------------------
-section('2. Admin Account');
+section('2. Instance Secret');
+
+const existingSecret = env.INSTANCE_SECRET ?? '';
+const isInstanceSecretSet = existingSecret && existingSecret.length >= 32;
+
+if (isInstanceSecretSet) {
+    console.log('  ✓ INSTANCE_SECRET already configured — skipping.');
+} else {
+    const secret = randomBytes(32).toString('hex');
+    env.INSTANCE_SECRET = secret;
+    await writeEnv(env);
+    console.log('  ✓ INSTANCE_SECRET generated and written to .env');
+}
+
+// ---------------------------------------------------------------------------
+// Step 3 — Admin Account
+// ---------------------------------------------------------------------------
+section('3. Admin Account');
 
 const userCount = await countUsers();
 if (userCount > 0) {
@@ -189,7 +207,7 @@ if (userCount > 0) {
         email:     email.toLowerCase(),
         name,
         password:  hash,
-        role:      'admin',
+        role:      'super-admin',
         isActive:  true,
         createdAt: now,
         updatedAt: now,
@@ -207,9 +225,9 @@ if (userCount > 0) {
 }
 
 // ---------------------------------------------------------------------------
-// Step 3 — Site Identity
+// Step 4 — Site Identity
 // ---------------------------------------------------------------------------
-section('3. Site Identity');
+section('4. Site Identity');
 
 {
     const rl = createInterface({ input: process.stdin, output: process.stdout });
@@ -235,9 +253,9 @@ section('3. Site Identity');
 }
 
 // ---------------------------------------------------------------------------
-// Step 4 — Theme
+// Step 5 — Theme
 // ---------------------------------------------------------------------------
-section('4. Theme');
+section('5. Theme');
 
 THEMES.forEach((t, i) => {
     const num = String(i + 1).padStart(2);
@@ -261,9 +279,9 @@ THEMES.forEach((t, i) => {
 }
 
 // ---------------------------------------------------------------------------
-// Step 5 — Port
+// Step 6 — Port
 // ---------------------------------------------------------------------------
-section('5. Server Port');
+section('6. Server Port');
 
 {
     const rl = createInterface({input: process.stdin, output: process.stdout});

package/server/middleware/auth.js

@@ -125,6 +125,54 @@ export function canManageUser(actorRole, targetRole) {
     return getRoleLevel(actorRole) < getRoleLevel(targetRole);
 }
 
+/**
+ * Check whether a user role satisfies a visibility requirement.
+ * Used by both requireVisibility() and the public page renderer.
+ *
+ * @param {string|null} userRole   - The visitor's role, or null if unauthenticated
+ * @param {string}      visibility - Required visibility ('public', 'private', or a role name)
+ * @returns {boolean} true if access is granted
+ */
+export function checkVisibility(userRole, visibility) {
+    if (!visibility || visibility === 'public') return true;
+    if (!userRole) return false;                              // unauthenticated, non-public page
+    const userLevel       = getRoleLevel(userRole);
+    const requiredLevel   = getRoleLevel(visibility);
+    const threshold       = requiredLevel === Infinity ? 0 : requiredLevel;
+    return userLevel <= threshold;
+}
+
+/**
+ * Fastify preHandler factory — gates a route by visibility level.
+ * Works identically to the content-page visibility system.
+ * Returns a no-op for 'public' so it is safe to apply unconditionally.
+ *
+ * @param {string} visibility - 'public' | 'private' | any role name
+ * @returns {Function} Fastify preHandler
+ */
+export function requireVisibility(visibility) {
+    if (!visibility || visibility === 'public') {
+        return (_request, _reply, done) => { if (done) done(); };
+    }
+
+    return async (request, reply) => {
+        let userRole = null;
+        try {
+            const decoded = await request.jwtVerify();
+            if (decoded.type === 'access') userRole = decoded.role;
+        } catch { /* unauthenticated */ }
+
+        if (!checkVisibility(userRole, visibility)) {
+            const code = userRole ? 403 : 401;
+            return reply.code(code).send({
+                statusCode: code,
+                error:      code === 403 ? 'Forbidden' : 'Unauthorised',
+                message:    code === 403 ? 'Insufficient role for this resource' : 'Authentication required'
+            });
+        }
+    };
+}
+
 /**
  * Return role names ordered from most to least privileged.
  * Computed from the roles cache.

package/server/middleware/managerAuth.js

@@ -0,0 +1,36 @@
+/**
+ * Manager auth middleware — shared-secret guard for inbound requests from domma-cms-manager.
+ * Completely separate from JWT authenticate. Do NOT mix these two auth surfaces.
+ */
+import { timingSafeEqual, createHmac } from 'crypto';
+
+/**
+ * Fastify preHandler — validates the X-Manager-Token or Authorization: Bearer header
+ * against the MANAGER_SECRET environment variable using timing-safe comparison.
+ *
+ * @param {import('fastify').FastifyRequest} request
+ * @param {import('fastify').FastifyReply} reply
+ * @param {Function} done
+ */
+export function requireManager(request, reply, done) {
+    const secret = process.env.MANAGER_SECRET;
+
+    if (!secret || secret.length < 32) {
+        return reply.code(503).send({ error: 'Manager push notifications are not configured on this server.' });
+    }
+
+    const authHeader = request.headers['x-manager-token'] || request.headers['authorization'] || '';
+    const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : authHeader;
+
+    if (!token) {
+        return reply.code(401).send({ error: 'Manager token required.' });
+    }
+
+    // Compare HMAC digests — always 32 bytes regardless of input length, preventing timing oracle
+    const digest = (s) => createHmac('sha256', 'domma-cms').update(s).digest();
+    if (!timingSafeEqual(digest(token), digest(secret))) {
+        return reply.code(403).send({ error: 'Invalid manager token.' });
+    }
+
+    done();
+}

package/server/routes/api/actions.js

@@ -178,7 +178,7 @@ export async function actionsRoutes(fastify) {
         }
 
         const user          = request.user;
-        const allowedRoles  = action.access?.roles || ['admin'];
+        const allowedRoles  = action.access?.roles || ['admin', 'super-admin'];
         const userLevel     = getRoleLevel(user?.role);
         const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
 

package/server/routes/api/auth.js

@@ -11,6 +11,7 @@ import crypto from 'node:crypto';
 import {config, getConfig} from '../../config.js';
 import {hooks} from '../../services/hooks.js';
 import {authenticate, getPermissionsForRole} from '../../middleware/auth.js';
+import {getRoleLevel} from '../../services/roles.js';
 import {GROUP_ORDER, REGISTRY} from '../../services/permissionRegistry.js';
 import {
     clearResetToken,
@@ -80,7 +81,7 @@ export async function authRoutes(fastify) {
 
         setupInProgress = true;
         try {
-            const user = await createUser({name, email, password, role: 'admin'});
+            const user = await createUser({name, email, password, role: 'super-admin'});
             const {token, refreshToken} = signTokens(fastify, user);
             return reply.status(201).send({token, refreshToken, user});
         } finally {
@@ -107,7 +108,7 @@ export async function authRoutes(fastify) {
 
         await touchLastLogin(user.id);
 
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, level: getRoleLevel(user.role) };
         hooks.emit('user:loggedIn', {userId: user.id, email: user.email, role: user.role});
         const { token, refreshToken } = signTokens(fastify, safeUser);
         return { token, refreshToken, user: safeUser };
@@ -270,7 +271,7 @@ export async function authRoutes(fastify) {
             return reply.status(401).send({ error: 'User not found or inactive' });
         }
 
-        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role, level: getRoleLevel(user.role) };
         const token = fastify.jwt.sign({ ...safeUser, type: 'access' }, { expiresIn: accessTokenExpiry });
         return { token };
     });

package/server/routes/api/layouts.js

@@ -1,49 +1,173 @@
-/**
- * Layouts (Presets) API
- * GET /api/layouts       - get all layout presets
- * PUT /api/layouts       - save layout presets
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-
-export async function layoutsRoutes(fastify) {
-    const canRead = {preHandler: [authenticate, requirePermission('layouts', 'read')]};
-    const canUpdate = {preHandler: [authenticate, requirePermission('layouts', 'update')]};
-
-    fastify.get('/layouts', canRead, async () => {
-        return getConfig('presets');
-    });
-
-    fastify.put('/layouts', canUpdate, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object' || Array.isArray(data)) {
-            return reply.status(400).send({ error: 'Invalid presets data: expected an object' });
-        }
-        // Each preset value must be an object with at least a name field
-        for (const [key, preset] of Object.entries(data)) {
-            if (!preset || typeof preset !== 'object' || Array.isArray(preset)) {
-                return reply.status(400).send({ error: `Invalid preset "${key}": expected an object` });
-            }
-            if (typeof preset.name !== 'string' || !preset.name.trim()) {
-                return reply.status(400).send({ error: `Invalid preset "${key}": missing or empty "name" field` });
-            }
-        }
-        saveConfig('presets', data);
-        return { success: true };
-    });
-
-    fastify.get('/layouts/options', canRead, async () => {
-    return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
-  });
-
-    fastify.put('/layouts/options', canUpdate, async (request, reply) => {
-    const data = request.body;
-    if (!data || typeof data !== 'object') {
-      return reply.status(400).send({error: 'Invalid layout options'});
-    }
-    const site = getConfig('site');
-    site.layoutOptions = {...site.layoutOptions, ...data};
-    saveConfig('site', site);
-    return {success: true};
-  });
-}
+/**
+ * Layouts (Presets) API
+ * GET    /api/layouts        - get all layout presets
+ * PUT    /api/layouts        - bulk-save layout presets (legacy, kept for compatibility)
+ * POST   /api/layouts        - create a new preset
+ * PUT    /api/layouts/:key   - update a single preset
+ * DELETE /api/layouts/:key   - delete a preset (builtin presets cannot be deleted)
+ * GET    /api/layouts/options - get layout options
+ * PUT    /api/layouts/options - save layout options
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+
+const VALID_WIDTHS = new Set(['narrow', 'normal', 'wide', 'full']);
+const BG_COLOR_RE = /^[a-zA-Z0-9#(),.\s%/-]+$/;
+const CLASS_RE = /[^a-zA-Z0-9\s_-]/g;
+
+const BUILTIN_PRESETS = {
+    default: {
+        key: 'default', label: 'Default',
+        description: 'Standard page with navbar and footer.',
+        builtin: true, navbar: true, footer: true, sidebar: false,
+        width: 'normal', bgColor: '', bgImage: '', class: ''
+    },
+    landing: {
+        key: 'landing', label: 'Landing Page',
+        description: 'Full-width landing page with navbar, no footer.',
+        builtin: true, navbar: true, footer: false, sidebar: false,
+        width: 'full', bgColor: '', bgImage: '', class: ''
+    },
+    blank: {
+        key: 'blank', label: 'Blank',
+        description: 'Minimal page with no navbar or footer.',
+        builtin: true, navbar: false, footer: false, sidebar: false,
+        width: 'normal', bgColor: '', bgImage: '', class: ''
+    }
+};
+
+function slugify(str) {
+    return str.toLowerCase().trim().replace(/\s+/g, '-').replace(/[^a-z0-9-]/g, '');
+}
+
+function sanitisePreset(data) {
+    return {
+        navbar: data.navbar !== false,
+        footer: data.footer !== false,
+        sidebar: data.sidebar === true,
+        width: VALID_WIDTHS.has(data.width) ? data.width : 'normal',
+        bgColor: data.bgColor && BG_COLOR_RE.test(data.bgColor) ? data.bgColor : '',
+        bgImage: typeof data.bgImage === 'string' ? data.bgImage.trim() : '',
+        class: typeof data.class === 'string' ? data.class.replace(CLASS_RE, '').trim() : '',
+        label: String(data.label || '').slice(0, 60).trim(),
+        description: String(data.description || '').slice(0, 200).trim()
+    };
+}
+
+export async function layoutsRoutes(fastify) {
+    // ── Merge-in seeding: ensure built-in presets exist ──────────────────────
+    const existing = getConfig('presets') || {};
+    let seeded = false;
+    for (const [key, preset] of Object.entries(BUILTIN_PRESETS)) {
+        if (!existing[key]) {
+            existing[key] = preset;
+            seeded = true;
+        }
+    }
+    if (seeded) saveConfig('presets', existing);
+
+    const canRead = {preHandler: [authenticate, requirePermission('layouts', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('layouts', 'update')]};
+
+    // ── Existing routes ───────────────────────────────────────────────────────
+    fastify.get('/layouts', canRead, async () => {
+        return getConfig('presets');
+    });
+
+    fastify.put('/layouts', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object' || Array.isArray(data)) {
+            return reply.status(400).send({error: 'Invalid presets data: expected an object'});
+        }
+        for (const [key, preset] of Object.entries(data)) {
+            if (!preset || typeof preset !== 'object' || Array.isArray(preset)) {
+                return reply.status(400).send({error: `Invalid preset "${key}": expected an object`});
+            }
+            if (typeof preset.label !== 'string' || !preset.label.trim()) {
+                return reply.status(400).send({error: `Invalid preset "${key}": missing or empty "label" field`});
+            }
+        }
+        saveConfig('presets', data);
+        return {success: true};
+    });
+
+    // ── New CRUD routes ───────────────────────────────────────────────────────
+    fastify.post('/layouts', canUpdate, async (request, reply) => {
+        const {label, description, ...rest} = request.body || {};
+        if (!label || !String(label).trim()) {
+            return reply.status(400).send({error: 'label is required'});
+        }
+        const key = slugify(label);
+        if (!key) {
+            return reply.status(400).send({error: 'label must contain at least one alphanumeric character'});
+        }
+        const presets = getConfig('presets') || {};
+        if (presets[key]) {
+            return reply.status(409).send({error: 'A preset with this key already exists'});
+        }
+        presets[key] = {
+            key,
+            builtin: false,
+            ...sanitisePreset({label, description, ...rest})
+        };
+        saveConfig('presets', presets);
+        return {success: true, key, preset: presets[key]};
+    });
+
+    fastify.put('/layouts/:key', canUpdate, async (request, reply) => {
+        const {key} = request.params;
+        const presets = getConfig('presets') || {};
+        if (!presets[key]) {
+            return reply.status(404).send({error: `Preset "${key}" not found`});
+        }
+        const {label, description, ...rest} = request.body || {};
+        if (!label || !String(label).trim()) {
+            return reply.status(400).send({error: 'label is required'});
+        }
+        presets[key] = {
+            ...presets[key],
+            label: String(label).slice(0, 60).trim(),
+            description: String(description || '').slice(0, 200).trim(),
+            ...sanitisePreset({label, description, ...rest}),
+            key,
+            builtin: presets[key].builtin  // never overwrite builtin flag
+        };
+        saveConfig('presets', presets);
+        return {success: true, preset: presets[key]};
+    });
+
+    fastify.delete('/layouts/:key', canUpdate, async (request, reply) => {
+        const {key} = request.params;
+        const presets = getConfig('presets') || {};
+        if (!presets[key]) {
+            return reply.status(404).send({error: `Preset "${key}" not found`});
+        }
+        if (presets[key].builtin) {
+            return reply.status(400).send({error: 'Built-in presets cannot be deleted'});
+        }
+        delete presets[key];
+        saveConfig('presets', presets);
+        return {success: true};
+    });
+
+    // ── Layout options ────────────────────────────────────────────────────────
+    fastify.get('/layouts/options', canRead, async () => {
+        return getConfig('site')?.layoutOptions ?? {spacerSize: 8};
+    });
+
+    fastify.put('/layouts/options', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({error: 'Invalid layout options'});
+        }
+        const site = getConfig('site');
+        const {spacerSize, spacerClass} = data;
+        site.layoutOptions = {
+            ...site.layoutOptions,
+            ...(spacerSize !== undefined ? {spacerSize: Math.max(0, Math.min(500, parseInt(spacerSize, 10) || 0))} : {}),
+            ...(spacerClass !== undefined ? {spacerClass: String(spacerClass).replace(/[^a-zA-Z0-9\s_-]/g, '').trim()} : {})
+        };
+        saveConfig('site', site);
+        return {success: true};
+    });
+}

package/server/routes/api/notifications.js

@@ -0,0 +1,155 @@
+/**
+ * Notifications API
+ * POST   /api/system/notifications              - Manager push (requireManager)
+ * GET    /api/system/notifications              - List active notifications (admin/manager)
+ * GET    /api/system/notifications/unread-count - Unread count for bell badge
+ * POST   /api/system/notifications/:id/read     - Mark read (idempotent)
+ * POST   /api/system/notifications/:id/dismiss  - Mark dismissed
+ * DELETE /api/system/notifications/:id          - Hard delete (admin only)
+ */
+import { authenticate, requirePermission } from '../../middleware/auth.js';
+import { requireManager } from '../../middleware/managerAuth.js';
+import { getAdapter } from '../../services/adapterRegistry.js';
+
+const SLUG = 'notifications';
+
+export async function notificationsRoutes(fastify) {
+    const canRead   = { preHandler: [authenticate, requirePermission('notifications', 'read')]   };
+    const canDelete = { preHandler: [authenticate, requirePermission('notifications', 'delete')] };
+
+    // --- Manager inbound push ---
+    fastify.post('/system/notifications', { preHandler: [requireManager] }, async (request, reply) => {
+        const { title, body, severity = 'info', link, expiresAt } = request.body || {};
+
+        if (!title || typeof title !== 'string' || !title.trim()) {
+            return reply.code(400).send({ error: 'title is required.' });
+        }
+        if (!body || typeof body !== 'string' || !body.trim()) {
+            return reply.code(400).send({ error: 'body is required.' });
+        }
+        const VALID_SEVERITIES = ['info', 'success', 'warning', 'critical'];
+        if (!VALID_SEVERITIES.includes(severity)) {
+            return reply.code(400).send({ error: `severity must be one of: ${VALID_SEVERITIES.join(', ')}.` });
+        }
+
+        if (link !== undefined && link !== null && link !== '') {
+            if (typeof link !== 'string' || !/^https?:\/\//i.test(link)) {
+                return reply.code(400).send({ error: 'link must be an absolute https:// or http:// URL.' });
+            }
+        }
+
+        if (expiresAt !== undefined && expiresAt !== null && expiresAt !== '') {
+            if (typeof expiresAt !== 'string' || isNaN(Date.parse(expiresAt))) {
+                return reply.code(400).send({ error: 'expiresAt must be a valid ISO 8601 datetime string.' });
+            }
+        }
+
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.insert(SLUG, {
+            title: title.trim(),
+            body: body.trim(),
+            severity,
+            source: 'manager',
+            link: link || null,
+            createdAt: new Date().toISOString(),
+            expiresAt: expiresAt || null,
+            readBy: [],
+            dismissedBy: []
+        });
+
+        return reply.code(201).send(entry);
+    });
+
+    // --- List active notifications for current user ---
+    fastify.get('/system/notifications', canRead, async (request) => {
+        const userId = request.user.id;
+        const now = new Date().toISOString();
+        const adapter = await getAdapter(SLUG);
+        const all = await adapter.all(SLUG);
+
+        return all
+            .filter(entry => {
+                const d = entry.data;
+                // Exclude expired
+                if (d.expiresAt && d.expiresAt < now) return false;
+                // Exclude dismissed by this user
+                if (Array.isArray(d.dismissedBy) && d.dismissedBy.includes(userId)) return false;
+                return true;
+            })
+            .sort((a, b) => b.data.createdAt.localeCompare(a.data.createdAt))
+            .map(entry => ({
+                ...entry,
+                unread: !Array.isArray(entry.data.readBy) || !entry.data.readBy.includes(userId)
+            }));
+    });
+
+    // --- Unread count (lightweight — for bell badge) ---
+    fastify.get('/system/notifications/unread-count', canRead, async (request) => {
+        const userId = request.user.id;
+        const now = new Date().toISOString();
+        const adapter = await getAdapter(SLUG);
+        const all = await adapter.all(SLUG);
+
+        const count = all.filter(entry => {
+            const d = entry.data;
+            if (d.expiresAt && d.expiresAt < now) return false;
+            if (Array.isArray(d.dismissedBy) && d.dismissedBy.includes(userId)) return false;
+            return !Array.isArray(d.readBy) || !d.readBy.includes(userId);
+        }).length;
+
+        return { count };
+    });
+
+    // --- Mark read (idempotent) ---
+    fastify.post('/system/notifications/:id/read', canRead, async (request, reply) => {
+        const { id } = request.params;
+        const userId = request.user.id;
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.get(SLUG, id);
+
+        if (!entry) return reply.code(404).send({ error: 'Notification not found.' });
+
+        const readBy = Array.isArray(entry.data.readBy) ? entry.data.readBy : [];
+        if (readBy.includes(userId)) return { ok: true }; // already read — idempotent
+
+        const updated = await adapter.update(SLUG, id, {
+            ...entry.data,
+            readBy: [...readBy, userId]
+        });
+
+        return { ok: true, entry: updated };
+    });
+
+    // --- Dismiss ---
+    fastify.post('/system/notifications/:id/dismiss', canRead, async (request, reply) => {
+        const { id } = request.params;
+        const userId = request.user.id;
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.get(SLUG, id);
+
+        if (!entry) return reply.code(404).send({ error: 'Notification not found.' });
+
+        const dismissedBy = Array.isArray(entry.data.dismissedBy) ? entry.data.dismissedBy : [];
+        const readBy = Array.isArray(entry.data.readBy) ? entry.data.readBy : [];
+
+        const updated = await adapter.update(SLUG, id, {
+            ...entry.data,
+            dismissedBy: dismissedBy.includes(userId) ? dismissedBy : [...dismissedBy, userId],
+            readBy: readBy.includes(userId) ? readBy : [...readBy, userId] // dismissing also marks read
+        });
+
+        return { ok: true, entry: updated };
+    });
+
+    // --- Hard delete (admin only) ---
+    fastify.delete('/system/notifications/:id', canDelete, async (request, reply) => {
+        const { id } = request.params;
+        const adapter = await getAdapter(SLUG);
+        const entry = await adapter.get(SLUG, id);
+
+        if (!entry) return reply.code(404).send({ error: 'Notification not found.' });
+
+        await adapter.remove(SLUG, id);
+        return { ok: true };
+    });
+}