mktcms 0.2.12 → 0.2.14

package/README.md

@@ -1,8 +1,10 @@
-# Simple CMS module for Nuxt
+# MktCMS
+
+A file based CMS for self-hosted Nuxt apps.
 
 ![Screenshot of Admin UI](https://raw.githubusercontent.com/mktcode/mktcms/refs/heads/main/docs/screenshot.png)
 
-This is my personal, minimalist alternative to @nuxt/content and Studio, which are fantastic projects, but sometimes lacking the kind of complete documentation I’m looking for. Over time I will probably migrate more and and more (MDC already supported), and keep this repo as a custom nuxt template for my projects. If you find it useful, feel free to use it as well and contribute to it.
+This is my personal, minimalist alternative to @nuxt/content and Studio, which are fantastic projects, but sometimes lacking the kind of complete documentation I’m looking for. Over time I will maybe migrate more and more (MDC already supported), and just keep [the website template](https://github.com/mktcode/mktcms-website-template) and the [server utility](https://github.com/mktcode/mktcms-server). If you find this useful, feel free to use it and contribute to it.
 
 [![npm version][npm-version-src]][npm-version-href]
 [![npm downloads][npm-downloads-src]][npm-downloads-href]
@@ -15,7 +17,7 @@ This is my personal, minimalist alternative to @nuxt/content and Studio, which a
 
 ## Features
 
-- Simple Admin UI to manage content files
+- Simple Admin UI with Git integration to manage content
 - Composables to use the content in your Nuxt app
 - `sendMail` utility to send emails via SMTP
 - [MDC](https://github.com/nuxt-content/mdc) support

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "mktcms",
   "configKey": "mktcms",
-  "version": "0.2.12",
+  "version": "0.2.14",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -15,6 +15,14 @@ const module$1 = defineNuxtModule({
     const resolver = createResolver(import.meta.url);
     _nuxt.options.runtimeConfig.mktcms = defu((_nuxt.options.runtimeConfig.mktcms, {
       adminAuthKey: "",
+      authCookieMaxAgeSeconds: 7 * 24 * 60 * 60,
+      authCookiePath: "/",
+      authCookieSameSite: "lax",
+      authCookieSecure: process.env.NODE_ENV === "production",
+      loginRateLimitMaxAttempts: 5,
+      loginRateLimitWindowSeconds: 300,
+      loginRateLimitBlockSeconds: 600,
+      uploadMaxBytes: 50 * 1024 * 1024,
       smtpHost: "",
       smtpPort: 465,
       smtpSecure: true,
@@ -143,11 +151,6 @@ const module$1 = defineNuxtModule({
       route: "/api/admin/blob",
       handler: resolver.resolve("./runtime/server/api/admin/blob")
     });
-    addServerHandler({
-      route: "/api/admin/import",
-      method: "post",
-      handler: resolver.resolve("./runtime/server/api/admin/import")
-    });
     addServerHandler({
       route: "/api/admin/upload",
       handler: resolver.resolve("./runtime/server/api/admin/upload")

package/dist/runtime/app/components/content/editor/txt.vue

@@ -6,6 +6,7 @@ const { path } = usePathParam();
 const { data: content } = await useFetch(`/api/admin/txt?path=${path}`);
 const isSaving = ref(false);
 const savingSuccessful = ref(false);
+const commitMessage = ref("Inhaltliche \xC4nderungen");
 async function saveContent() {
   if (content.value === void 0) return;
   isSaving.value = true;
@@ -13,7 +14,8 @@ async function saveContent() {
   await useFetch(`/api/admin/txt?path=${path}`, {
     method: "POST",
     body: {
-      text: content.value
+      text: content.value,
+      commitMessage: commitMessage.value
     }
   });
   isSaving.value = false;
@@ -28,9 +30,27 @@ async function saveContent() {
       class="w-full h-24 resize-y border border-gray-300 p-2 box-border font-mono"
     />
 
+    <div class="mt-3">
+      <label
+        for="commit-message"
+        class="block mb-1"
+      >
+        Kommentar / Änderungsgrund
+      </label>
+      <input
+        id="commit-message"
+        v-model="commitMessage"
+        type="text"
+        required
+        class="w-full border border-gray-200 rounded-sm px-3 py-2"
+        placeholder="Inhaltliche Änderungen"
+      >
+    </div>
+
     <button
       type="button"
       class="button w-full justify-center mt-3"
+      :disabled="!commitMessage.trim() || isSaving"
       @click="saveContent"
     >
       <span v-if="isSaving">Speichern...</span>

package/dist/runtime/app/components/content/index.vue

@@ -3,11 +3,9 @@ import { useFetch } from "#app";
 import TreeNode from "./treeNode.vue";
 import FileIcon from "./fileIcon.vue";
 import FileButtons from "./fileButtons.vue";
-import useImport from "../../composables/useImport";
-const { data: list, refresh } = await useFetch("/api/admin/list", {
+const { data: list } = await useFetch("/api/admin/list", {
   query: { path: "" }
 });
-const { fileInput, uploadFile } = useImport();
 function filenameWithoutExtension(filename) {
   return filename.replace(/\.[^/.]+$/, "");
 }
@@ -86,22 +84,12 @@ function fileExtension(filename) {
       class="flex flex-col gap-4"
     >
       <p>Keine Dateien oder Verzeichnisse gefunden.</p>
-      <button
+      <NuxtLink
+        to="/admin/new"
         class="button"
-        @click="fileInput?.click()"
-      >
-        Dateien importieren
-      </button>
-      <input
-        ref="fileInput"
-        type="file"
-        class="hidden"
-        accept=".zip"
-        @change="async (e) => {
-  await uploadFile(e);
-  await refresh();
-}"
       >
+        Datei hochladen
+      </NuxtLink>
     </div>
   </div>
 </template>

package/dist/runtime/app/components/content/upload.vue

@@ -1,10 +1,14 @@
 <script setup>
 import { onMounted, ref, useFetch, useRoute } from "#imports";
 import useAdminUpload from "../../composables/useAdminUpload";
+import { CONTENT_UPLOAD_EXTENSIONS, IMAGE_EXTENSIONS, PDF_EXTENSIONS, toAcceptAttribute } from "../../../shared/contentFiles";
 const { data: list } = await useFetch("/api/admin/list");
 const route = useRoute();
 const dir = ref(route.query.dir || "");
 const newSubdir = ref("");
+const uploadAccept = toAcceptAttribute(CONTENT_UPLOAD_EXTENSIONS);
+const imageAccept = toAcceptAttribute(IMAGE_EXTENSIONS);
+const pdfAccept = toAcceptAttribute(PDF_EXTENSIONS);
 const { isUploading, fileInput, fileInputImg, fileInputPdf, path, uploadFiles } = useAdminUpload();
 onMounted(() => {
   path.value = dir.value;
@@ -98,7 +102,7 @@ onMounted(() => {
       ref="fileInput"
       class="hidden"
       type="file"
-      accept=".pdf,.jpg,.jpeg,.png,.gif,.webp,.md,.docx,.txt,.csv,.json"
+      :accept="uploadAccept"
       @change="async (e) => {
   await uploadFiles(e);
 }"
@@ -107,7 +111,7 @@ onMounted(() => {
       ref="fileInputImg"
       class="hidden"
       type="file"
-      accept=".jpg,.jpeg,.png,.gif,.webp"
+      :accept="imageAccept"
       @change="async (e) => {
   await uploadFiles(e);
 }"
@@ -116,7 +120,7 @@ onMounted(() => {
       ref="fileInputPdf"
       class="hidden"
       type="file"
-      accept=".pdf"
+      :accept="pdfAccept"
       @change="async (e) => {
   await uploadFiles(e);
 }"

package/dist/runtime/app/composables/useFileType.js

@@ -1,10 +1,10 @@
+import { isCsvPath, isImagePath, isMarkdownPath, isPdfPath, isTextPath } from "../../shared/contentFiles.js";
 export default function useFileType(path) {
-  const normalizedPath = path.toLowerCase();
-  const isImage = normalizedPath.match(/\.(png|jpg|jpeg|gif|webp)$/) !== null;
-  const isPdf = normalizedPath.endsWith(".pdf");
-  const isMarkdown = normalizedPath.endsWith(".md");
-  const isCsv = normalizedPath.endsWith(".csv");
-  const isText = normalizedPath.match(/\.(txt|json)$/) !== null;
+  const isImage = isImagePath(path);
+  const isPdf = isPdfPath(path);
+  const isMarkdown = isMarkdownPath(path);
+  const isCsv = isCsvPath(path);
+  const isText = isTextPath(path);
   return {
     isImage,
     isPdf,

package/dist/runtime/app/pages/admin/login.vue

@@ -7,6 +7,7 @@ const { public: { mktcms: { siteUrl } } } = useRuntimeConfig();
 const adminAuthKey = ref("");
 const adminAuthKeyFileInput = ref(null);
 const wasHere = useLocalStorage("mktcms_admin_was_here", false);
+const loginError = ref(null);
 function openAdminAuthKeyFilePicker() {
   adminAuthKeyFileInput.value?.click();
 }
@@ -28,14 +29,31 @@ async function onAdminAuthKeyFileSelected(event) {
     input.value = "";
 }
 async function login() {
-  await $fetch("/api/admin/login", {
-    method: "POST",
-    body: {
-      adminAuthKey: adminAuthKey.value
+  loginError.value = null;
+  try {
+    await $fetch("/api/admin/login", {
+      method: "POST",
+      body: {
+        adminAuthKey: adminAuthKey.value
+      }
+    });
+    wasHere.value = true;
+    await navigateTo("/admin");
+  } catch (error) {
+    const statusCode = Number(error?.statusCode || error?.response?.status || error?.data?.statusCode);
+    if (statusCode === 429) {
+      const retryAfterSeconds = Number(
+        error?.data?.data?.retryAfterSeconds || error?.response?._data?.data?.retryAfterSeconds
+      );
+      if (Number.isFinite(retryAfterSeconds) && retryAfterSeconds > 0) {
+        loginError.value = `Zu viele Anmeldeversuche. Bitte warte ${retryAfterSeconds} Sekunden und versuche es dann erneut.`;
+        return;
+      }
+      loginError.value = "Zu viele Anmeldeversuche. Bitte warte einen Moment und versuche es dann erneut.";
+      return;
     }
-  });
-  wasHere.value = true;
-  await navigateTo("/admin");
+    loginError.value = "Anmeldung fehlgeschlagen. Der eingegebene Schl\xFCssel ist ung\xFCltig.";
+  }
 }
 </script>
 
@@ -86,6 +104,15 @@ async function login() {
         >
           Anmelden
         </button>
+
+        <div
+          v-if="loginError"
+          class="mt-3 rounded-md border border-red-300 bg-red-50 px-3 py-2 text-sm text-red-700"
+          role="alert"
+          aria-live="polite"
+        >
+          {{ loginError }}
+        </div>
       </div>
     </div>
   </Admin>

package/dist/runtime/server/api/admin/blob.js

@@ -2,21 +2,22 @@ import { z } from "zod";
 import { createError, defineEventHandler, getValidatedQuery, send } from "h3";
 import { useStorage } from "nitropack/runtime";
 import { toNodeBuffer } from "../../utils/toNodeBuffer.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  const file = await storage.getItemRaw(decodedPath);
+  const file = await storage.getItemRaw(contentKey);
   if (!file) {
     throw createError({
       statusCode: 404,
       statusMessage: "File not found"
     });
   }
-  const extension = decodedPath.split(".").pop()?.toLowerCase() || "bin";
+  const extension = contentKey.split(".").pop()?.toLowerCase() || "bin";
   const mimeTypes = {
     png: "image/png",
     jpg: "image/jpeg",

package/dist/runtime/server/api/admin/csv.js

@@ -2,14 +2,15 @@ import { z } from "zod";
 import { createError, defineEventHandler, getValidatedQuery } from "h3";
 import { useStorage } from "nitropack/runtime";
 import { parse } from "csv-parse/sync";
+import { normalizeContentKey } from "../../utils/contentKey.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  const file = await storage.getItem(decodedPath);
+  const file = await storage.getItem(contentKey);
   if (!file) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/admin/csv.post.js

@@ -3,6 +3,8 @@ import { defineEventHandler, getValidatedQuery, readValidatedBody } from "h3";
 import { useStorage } from "nitropack/runtime";
 import { stringify } from "csv-stringify/sync";
 import syncGitContent from "../../utils/syncGitContent.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { toGitErrorMessage } from "../../utils/gitVersioning.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
@@ -16,18 +18,18 @@ const bodySchema = z.object({
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
   const { table, commitMessage } = await readValidatedBody(event, (body) => bodySchema.parse(body));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const content = stringify(table.rows, {
     header: true,
     columns: table.headers,
     delimiter: ";"
   });
   const storage = useStorage("content");
-  await storage.setItem(decodedPath, content);
+  await storage.setItem(contentKey, content);
   try {
-    await syncGitContent(commitMessage, [decodedPath]);
+    await syncGitContent(commitMessage, [contentKey]);
   } catch (error) {
-    console.error("Git-Fehler:", error);
+    console.error("Git-Fehler:", toGitErrorMessage(error, "Git sync failed"));
   }
   return { success: true };
 });

package/dist/runtime/server/api/admin/delete.js

@@ -2,18 +2,20 @@ import { z } from "zod";
 import { defineEventHandler, getValidatedQuery } from "h3";
 import { useStorage } from "nitropack/runtime";
 import syncGitContent from "../../utils/syncGitContent.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { toGitErrorMessage } from "../../utils/gitVersioning.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  await storage.removeItem(decodedPath);
+  await storage.removeItem(contentKey);
   try {
-    await syncGitContent("Datei gel\xF6scht", [decodedPath]);
+    await syncGitContent("Datei gel\xF6scht", [contentKey]);
   } catch (error) {
-    console.error("Git-Fehler:", error);
+    console.error("Git-Fehler:", toGitErrorMessage(error, "Git sync failed"));
   }
   return { success: true };
 });

package/dist/runtime/server/api/admin/download.js

@@ -1,20 +1,23 @@
 import { z } from "zod";
 import { defineEventHandler, getValidatedQuery } from "h3";
 import { useStorage } from "nitropack/runtime";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { isCsvPath, isImagePath, isJsonPath, isPdfPath, toFileExtension } from "../../../shared/contentFiles.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  const file = await storage.getItemRaw(decodedPath);
-  const isImage = decodedPath.match(/\.(png|jpg|jpeg|gif|webp)$/i);
-  const isPdf = decodedPath.endsWith(".pdf");
-  const isJson = decodedPath.endsWith(".json");
-  const isCSV = decodedPath.endsWith(".csv");
+  const file = await storage.getItemRaw(contentKey);
+  const isImage = isImagePath(contentKey);
+  const isPdf = isPdfPath(contentKey);
+  const isJson = isJsonPath(contentKey);
+  const isCSV = isCsvPath(contentKey);
   if (isImage) {
-    event.node.res.setHeader("Content-Type", "image/" + decodedPath.split(".").pop()?.toLowerCase());
+    const extension = toFileExtension(contentKey).slice(1);
+    event.node.res.setHeader("Content-Type", "image/" + extension);
   } else if (isPdf) {
     event.node.res.setHeader("Content-Type", "application/pdf");
   } else if (isJson || isCSV) {
@@ -22,6 +25,6 @@ export default defineEventHandler(async (event) => {
   } else {
     event.node.res.setHeader("Content-Type", "text/plain; charset=utf-8");
   }
-  event.node.res.setHeader("Content-Disposition", `attachment; filename="${decodedPath.split(":").pop()}"`);
+  event.node.res.setHeader("Content-Disposition", `attachment; filename="${contentKey.split(":").pop()}"`);
   return file;
 });

package/dist/runtime/server/api/admin/git-branch.js

@@ -1,5 +1,5 @@
 import { createError, defineEventHandler } from "h3";
-import { getCounterpartBranch, getCurrentBranchName, hasRemoteBranch, isSupportedWebsiteBranch, isVersioningEnabled } from "../../utils/gitVersioning.js";
+import { getCounterpartBranch, getCurrentBranchName, hasRemoteBranch, isSupportedWebsiteBranch, isVersioningEnabled, toGitErrorMessage } from "../../utils/gitVersioning.js";
 export default defineEventHandler(async () => {
   try {
     if (!isVersioningEnabled()) {
@@ -36,9 +36,10 @@ export default defineEventHandler(async () => {
     if (error?.statusCode && error?.statusMessage) {
       throw error;
     }
+    const safeMessage = toGitErrorMessage(error, "Failed to get current Git branch");
     throw createError({
       statusCode: 500,
-      statusMessage: error?.message || "Failed to get current Git branch"
+      statusMessage: safeMessage
     });
   }
 });

package/dist/runtime/server/api/admin/git-history.js

@@ -1,6 +1,6 @@
 import { z } from "zod";
 import { createError, defineEventHandler, getValidatedQuery } from "h3";
-import { getGitHistoryPage, isVersioningEnabled } from "../../utils/gitVersioning.js";
+import { getGitHistoryPage, isVersioningEnabled, toGitErrorMessage } from "../../utils/gitVersioning.js";
 const querySchema = z.object({
   page: z.coerce.number().int().min(1).default(1),
   perPage: z.coerce.number().int().min(1).max(100).default(25)
@@ -19,9 +19,10 @@ export default defineEventHandler(async (event) => {
     if (error?.statusCode && error?.statusMessage) {
       throw error;
     }
+    const safeMessage = toGitErrorMessage(error, "Failed to load Git history");
     throw createError({
       statusCode: 500,
-      statusMessage: error?.message || "Failed to load Git history"
+      statusMessage: safeMessage
     });
   }
 });

package/dist/runtime/server/api/admin/git-update-status.js

@@ -1,5 +1,5 @@
 import { createError, defineEventHandler } from "h3";
-import { getBranchUpdateStatus, isVersioningEnabled } from "../../utils/gitVersioning.js";
+import { getBranchUpdateStatus, isVersioningEnabled, toGitErrorMessage } from "../../utils/gitVersioning.js";
 export default defineEventHandler(async () => {
   try {
     if (!isVersioningEnabled()) {
@@ -13,9 +13,10 @@ export default defineEventHandler(async () => {
     if (error?.statusCode && error?.statusMessage) {
       throw error;
     }
+    const safeMessage = toGitErrorMessage(error, "Failed to get Git update status");
     throw createError({
       statusCode: 500,
-      statusMessage: error?.message || "Failed to get Git update status"
+      statusMessage: safeMessage
     });
   }
 });

package/dist/runtime/server/api/admin/git-update.post.js

@@ -1,5 +1,5 @@
 import { createError, defineEventHandler } from "h3";
-import { isVersioningEnabled, mergeCounterpartBranchIntoCurrent } from "../../utils/gitVersioning.js";
+import { isVersioningEnabled, mergeCounterpartBranchIntoCurrent, toGitErrorMessage } from "../../utils/gitVersioning.js";
 function toStatusCode(message) {
   if (/Versioning feature is disabled/i.test(message)) {
     return 404;
@@ -36,7 +36,7 @@ export default defineEventHandler(async () => {
     if (error?.statusCode && error?.statusMessage) {
       throw error;
     }
-    const message = error?.message || "Failed to update branch";
+    const message = toGitErrorMessage(error, "Failed to update branch");
     throw createError({
       statusCode: toStatusCode(message),
       statusMessage: message

package/dist/runtime/server/api/admin/image.post.js

@@ -3,13 +3,18 @@ import { createError, defineEventHandler, getValidatedQuery, readMultipartFormDa
 import { useStorage } from "nitropack/runtime";
 import sharp from "sharp";
 import syncGitContent from "../../utils/syncGitContent.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { IMAGE_EXTENSIONS, hasAllowedExtension, toFileExtension } from "../../../shared/contentFiles.js";
+import { assertUploadSize, getMaxUploadBytes } from "../../utils/uploadGuard.js";
+import { toGitErrorMessage } from "../../utils/gitVersioning.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const form = await readMultipartFormData(event);
+  const maxUploadBytes = getMaxUploadBytes();
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   if (!form) {
     throw createError({
       statusCode: 400,
@@ -29,21 +34,20 @@ export default defineEventHandler(async (event) => {
       statusMessage: "Invalid file upload"
     });
   }
-  const allowedExtensions = [".jpg", ".jpeg", ".png", ".gif", ".webp"];
-  const fileExtension = file.filename.toLowerCase().slice(file.filename.lastIndexOf("."));
-  const targetExtension = decodedPath.toLowerCase().slice(decodedPath.lastIndexOf("."));
-  if (!allowedExtensions.includes(targetExtension)) {
+  const targetExtension = toFileExtension(contentKey);
+  if (!hasAllowedExtension(contentKey, IMAGE_EXTENSIONS)) {
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid target file type. Only JPG, JPEG, PNG, GIF, WEBP files are allowed."
     });
   }
-  if (!allowedExtensions.includes(fileExtension)) {
+  if (!hasAllowedExtension(file.filename, IMAGE_EXTENSIONS)) {
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid file type. Only JPG, JPEG, PNG, GIF, WEBP files are allowed."
     });
   }
+  assertUploadSize(file.data, maxUploadBytes);
   const image = sharp(file.data);
   const metadata = await image.metadata();
   if (metadata.width && metadata.height) {
@@ -84,11 +88,11 @@ export default defineEventHandler(async (event) => {
       });
   }
   const outputBuffer = await image.toBuffer();
-  await useStorage("content").setItemRaw(decodedPath, outputBuffer);
+  await useStorage("content").setItemRaw(contentKey, outputBuffer);
   try {
-    await syncGitContent("Bild ersetzt", [decodedPath]);
+    await syncGitContent("Bild ersetzt", [contentKey]);
   } catch (error) {
-    console.error("Git-Fehler:", error);
+    console.error("Git-Fehler:", toGitErrorMessage(error, "Git sync failed"));
   }
-  return { success: true, path: decodedPath };
+  return { success: true, path: contentKey };
 });

package/dist/runtime/server/api/admin/list.js

@@ -1,22 +1,27 @@
 import z from "zod";
 import { useStorage } from "nitropack/runtime";
 import { defineEventHandler, getValidatedQuery } from "h3";
+import { normalizeContentPrefix } from "../../utils/contentKey.js";
+import { isImagePath } from "../../../shared/contentFiles.js";
+function alphaSort(a, b) {
+  return a.localeCompare(b, void 0, { numeric: true, sensitivity: "base" });
+}
 const querySchema = z.object({
   path: z.string().optional(),
   type: z.enum(["image"]).optional()
 });
 export default defineEventHandler(async (event) => {
   const { path, type } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = path ? decodeURIComponent(path) : "";
+  const contentPrefix = normalizeContentPrefix(path);
   const storage = useStorage("content");
-  const keys = await storage.getKeys(decodedPath);
-  const keysWithoutPath = decodedPath ? keys.map((key) => key.replace(decodedPath + ":", "")) : keys;
+  const keys = await storage.getKeys(contentPrefix);
+  const keysWithoutPath = contentPrefix ? keys.map((key) => key.replace(contentPrefix + ":", "")) : keys;
   const files = keysWithoutPath.filter((key) => !key.includes(":"));
-  const filteredFiles = type === "image" ? files.filter((file) => file.match(/\.(png|jpg|jpeg|gif|webp)$/i)) : files;
+  const filteredFiles = type === "image" ? files.filter((file) => isImagePath(file)) : files;
   const dirs = keysWithoutPath.filter((key) => key.includes(":")).map((key) => key.split(":")[0]);
   const uniqueDirs = Array.from(new Set(dirs));
   return {
-    files: filteredFiles,
-    dirs: uniqueDirs
+    files: [...filteredFiles].sort(alphaSort),
+    dirs: [...uniqueDirs].sort(alphaSort)
   };
 });

package/dist/runtime/server/api/admin/login.js

@@ -1,18 +1,20 @@
 import { useRuntimeConfig } from "nitropack/runtime";
 import { createError, defineEventHandler, readValidatedBody, setCookie } from "h3";
 import z from "zod";
+import { ADMIN_AUTH_COOKIE_NAME, getAuthCookieOptions } from "../../utils/authCookie.js";
+import { assertLoginNotRateLimited, clearFailedLoginAttempts, recordFailedLoginAttempt } from "../../utils/loginRateLimit.js";
 const bodySchema = z.object({
   adminAuthKey: z.string()
 });
 export default defineEventHandler(async (event) => {
   const { mktcms: { adminAuthKey } } = useRuntimeConfig();
+  assertLoginNotRateLimited(event);
   const body = await readValidatedBody(event, (body2) => bodySchema.parse(body2));
   if (body.adminAuthKey !== adminAuthKey.toString()) {
+    recordFailedLoginAttempt(event);
     throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
   }
-  setCookie(event, "mktcms_admin_auth_key", adminAuthKey.toString(), {
-    httpOnly: true,
-    maxAge: 7 * 24 * 60 * 60
-  });
+  clearFailedLoginAttempts(event);
+  setCookie(event, ADMIN_AUTH_COOKIE_NAME, adminAuthKey.toString(), getAuthCookieOptions(event));
   return { message: "Login successful" };
 });

package/dist/runtime/server/api/admin/logout.js

@@ -1,6 +1,7 @@
 import { defineEventHandler, deleteCookie } from "h3";
+import { ADMIN_AUTH_COOKIE_NAME, getAuthCookieOptions } from "../../utils/authCookie.js";
 export default defineEventHandler(async (event) => {
-  deleteCookie(event, "mktcms_admin_auth_key");
+  deleteCookie(event, ADMIN_AUTH_COOKIE_NAME, getAuthCookieOptions(event));
   event.node.res.writeHead(302, { Location: "/admin/login" });
   event.node.res.end();
 });

package/dist/runtime/server/api/admin/md.js

@@ -2,14 +2,15 @@ import { z } from "zod";
 import { createError, defineEventHandler, getValidatedQuery } from "h3";
 import { useStorage } from "nitropack/runtime";
 import { parseFrontmatter } from "../../utils/parseFrontmatter.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  const file = await storage.getItem(decodedPath);
+  const file = await storage.getItem(contentKey);
   if (!file) {
     throw createError({
       statusCode: 404,