mktcms 0.2.13 → 0.2.14

package/dist/runtime/server/api/admin/pdf.post.js

@@ -2,13 +2,18 @@ import z from "zod";
 import { createError, defineEventHandler, getValidatedQuery, readMultipartFormData } from "h3";
 import { useStorage } from "nitropack/runtime";
 import syncGitContent from "../../utils/syncGitContent.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { isPdfPath } from "../../../shared/contentFiles.js";
+import { assertUploadSize, getMaxUploadBytes } from "../../utils/uploadGuard.js";
+import { toGitErrorMessage } from "../../utils/gitVersioning.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const form = await readMultipartFormData(event);
+  const maxUploadBytes = getMaxUploadBytes();
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   if (!form) {
     throw createError({
       statusCode: 400,
@@ -28,25 +33,24 @@ export default defineEventHandler(async (event) => {
       statusMessage: "Invalid file upload"
     });
   }
-  const fileExtension = file.filename.toLowerCase().slice(file.filename.lastIndexOf("."));
-  const targetExtension = decodedPath.toLowerCase().slice(decodedPath.lastIndexOf("."));
-  if (targetExtension !== ".pdf") {
+  if (!isPdfPath(contentKey)) {
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid target file type. Only PDF files are allowed."
     });
   }
-  if (fileExtension !== ".pdf") {
+  if (!isPdfPath(file.filename)) {
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid file type. Only PDF files are allowed."
     });
   }
-  await useStorage("content").setItemRaw(decodedPath, Buffer.from(file.data));
+  assertUploadSize(file.data, maxUploadBytes);
+  await useStorage("content").setItemRaw(contentKey, Buffer.from(file.data));
   try {
-    await syncGitContent("PDF ersetzt", [decodedPath]);
+    await syncGitContent("PDF ersetzt", [contentKey]);
   } catch (error) {
-    console.error("Git-Fehler:", error);
+    console.error("Git-Fehler:", toGitErrorMessage(error, "Git sync failed"));
   }
-  return { success: true, path: decodedPath };
+  return { success: true, path: contentKey };
 });

package/dist/runtime/server/api/admin/txt.js

@@ -1,14 +1,15 @@
 import { z } from "zod";
 import { createError, defineEventHandler, getValidatedQuery } from "h3";
 import { useStorage } from "nitropack/runtime";
+import { normalizeContentKey } from "../../utils/contentKey.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  const file = await storage.getItem(decodedPath);
+  const file = await storage.getItem(contentKey);
   if (!file) {
     throw createError({
       statusCode: 404,

package/dist/runtime/server/api/admin/txt.post.js

@@ -2,6 +2,8 @@ import { z } from "zod";
 import { defineEventHandler, getValidatedQuery, readValidatedBody } from "h3";
 import { useStorage } from "nitropack/runtime";
 import syncGitContent from "../../utils/syncGitContent.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { toGitErrorMessage } from "../../utils/gitVersioning.js";
 const querySchema = z.object({
   path: z.string().min(1)
 });
@@ -12,13 +14,13 @@ const bodySchema = z.object({
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
   const { text, commitMessage } = await readValidatedBody(event, (body) => bodySchema.parse(body));
-  const decodedPath = decodeURIComponent(path);
+  const contentKey = normalizeContentKey(path);
   const storage = useStorage("content");
-  await storage.setItem(decodedPath, text);
+  await storage.setItem(contentKey, text);
   try {
-    await syncGitContent(commitMessage, [decodedPath]);
+    await syncGitContent(commitMessage, [contentKey]);
   } catch (error) {
-    console.error("Git-Fehler:", error);
+    console.error("Git-Fehler:", toGitErrorMessage(error, "Git sync failed"));
   }
   return { success: true };
 });

package/dist/runtime/server/api/admin/upload.js

@@ -2,6 +2,10 @@ import z from "zod";
 import { createError, defineEventHandler, getValidatedQuery, readMultipartFormData } from "h3";
 import { useStorage } from "nitropack/runtime";
 import syncGitContent from "../../utils/syncGitContent.js";
+import { normalizeContentKey, normalizeContentPrefix } from "../../utils/contentKey.js";
+import { CONTENT_UPLOAD_EXTENSIONS, hasAllowedExtension } from "../../../shared/contentFiles.js";
+import { assertUploadSize, getMaxUploadBytes } from "../../utils/uploadGuard.js";
+import { toGitErrorMessage } from "../../utils/gitVersioning.js";
 function sanitizeFilename(filename) {
   return filename.replace(/[/:\\]/g, "_");
 }
@@ -10,8 +14,9 @@ const querySchema = z.object({
 });
 export default defineEventHandler(async (event) => {
   const form = await readMultipartFormData(event);
+  const maxUploadBytes = getMaxUploadBytes();
   const { path } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const sanePath = path ? path.replace(/^\//, "").replace(/\/$/, "") : void 0;
+  const contentPrefix = normalizeContentPrefix(path);
   if (!form) {
     throw createError({
       statusCode: 400,
@@ -31,20 +36,19 @@ export default defineEventHandler(async (event) => {
       statusMessage: "Invalid file upload"
     });
   }
-  const allowedExtensions = [".pdf", ".jpg", ".jpeg", ".png", ".gif", ".webp", ".md", ".docx", ".txt", ".csv", ".json"];
-  const fileExtension = file.filename.toLowerCase().slice(file.filename.lastIndexOf("."));
-  if (!allowedExtensions.includes(fileExtension)) {
+  if (!hasAllowedExtension(file.filename, CONTENT_UPLOAD_EXTENSIONS)) {
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid file type. Only PDF, JPG, JPEG, PNG, GIF, WEBP, MD, DOCX, TXT, CSV, and JSON files are allowed."
     });
   }
-  const filePath = [sanePath, sanitizeFilename(file.filename)].filter(Boolean).join(":");
+  assertUploadSize(file.data, maxUploadBytes);
+  const filePath = normalizeContentKey([contentPrefix, sanitizeFilename(file.filename)].filter(Boolean).join(":"));
   await useStorage("content").setItemRaw(filePath, Buffer.from(file.data));
   try {
     await syncGitContent("Datei hinzugef\xFCgt", [filePath]);
   } catch (error) {
-    console.error("Git-Fehler:", error);
+    console.error("Git-Fehler:", toGitErrorMessage(error, "Git sync failed"));
   }
   return { success: true, path: filePath };
 });

package/dist/runtime/server/api/content/[path].js

@@ -3,18 +3,20 @@ import { createError, defineEventHandler, getValidatedRouterParams, send } from
 import { useStorage } from "nitropack/runtime";
 import { toNodeBuffer } from "../../utils/toNodeBuffer.js";
 import { parsedFile } from "../../utils/parsedFile.js";
+import { normalizeContentKey } from "../../utils/contentKey.js";
+import { isCsvPath, isImagePath, isJsonPath, isMarkdownPath, isPdfPath, toFileExtension } from "../../../shared/contentFiles.js";
 function getFileType(path) {
-  const isImage = path.match(/\.(png|jpg|jpeg|gif|webp)$/i);
-  const isPdf = path.endsWith(".pdf");
-  const isJson = path.endsWith(".json");
-  const isCSV = path.endsWith(".csv");
-  const isMarkdown = path.endsWith(".md");
+  const isImage = isImagePath(path);
+  const isPdf = isPdfPath(path);
+  const isJson = isJsonPath(path);
+  const isCSV = isCsvPath(path);
+  const isMarkdown = isMarkdownPath(path);
   return { isImage, isPdf, isJson, isCSV, isMarkdown };
 }
 function getContentType(path) {
   const { isImage, isPdf, isJson, isCSV, isMarkdown } = getFileType(path);
   if (isImage) {
-    const ext = path.split(".").pop()?.toLowerCase();
+    const ext = toFileExtension(path).slice(1);
     if (ext === "jpg") {
       return "image/jpeg";
     } else {
@@ -33,12 +35,12 @@ const paramsSchema = z.object({
 });
 export default defineEventHandler(async (event) => {
   const { path } = await getValidatedRouterParams(event, (params) => paramsSchema.parse(params));
-  const decodedPath = decodeURIComponent(path);
-  const { isImage, isPdf } = getFileType(decodedPath);
-  event.node.res.setHeader("Content-Type", getContentType(decodedPath));
+  const contentKey = normalizeContentKey(path);
+  const { isImage, isPdf } = getFileType(contentKey);
+  event.node.res.setHeader("Content-Type", getContentType(contentKey));
   const storage = useStorage("content");
   if (isImage || isPdf) {
-    const raw = await storage.getItemRaw(decodedPath);
+    const raw = await storage.getItemRaw(contentKey);
     if (!raw) {
       throw createError({
         statusCode: 404,
@@ -49,12 +51,12 @@ export default defineEventHandler(async (event) => {
     event.node.res.setHeader("Content-Length", String(body.byteLength));
     return send(event, body);
   }
-  const file = await storage.getItem(decodedPath);
+  const file = await storage.getItem(contentKey);
   if (!file) {
     throw createError({
       statusCode: 404,
       statusMessage: "File not found"
     });
   }
-  return parsedFile(decodedPath, file);
+  return parsedFile(contentKey, file);
 });

package/dist/runtime/server/api/content/list.js

@@ -3,30 +3,32 @@ import { useStorage } from "nitropack/runtime";
 import { defineEventHandler, getValidatedQuery } from "h3";
 import { marked } from "marked";
 import { parseFrontmatter } from "../../utils/parseFrontmatter.js";
+import { normalizeContentPrefix } from "../../utils/contentKey.js";
+import { isCsvPath, isImagePath, isJsonPath, isMarkdownPath, isTextPath } from "../../../shared/contentFiles.js";
 const querySchema = z.object({
   path: z.string().optional(),
   type: z.string()
 });
 export default defineEventHandler(async (event) => {
   const { path, type } = await getValidatedQuery(event, (query) => querySchema.parse(query));
-  const decodedPath = path ? decodeURIComponent(path) : void 0;
+  const contentPrefix = normalizeContentPrefix(path);
   const storage = useStorage("content");
-  const keys = await storage.getKeys(decodedPath);
+  const keys = await storage.getKeys(contentPrefix);
   const filteredKeys = keys.filter((key) => {
     if (type === "md") {
-      return key.endsWith(".md");
+      return isMarkdownPath(key);
     }
     if (type === "json") {
-      return key.endsWith(".json");
+      return isJsonPath(key);
     }
     if (type === "csv") {
-      return key.endsWith(".csv");
+      return isCsvPath(key);
     }
     if (type === "txt") {
-      return key.endsWith(".txt");
+      return isTextPath(key);
     }
     if (type === "image") {
-      return key.match(/\.(png|jpg|jpeg|gif|webp)$/i);
+      return isImagePath(key);
     }
     return false;
   });

package/dist/runtime/server/middleware/auth.js

@@ -1,5 +1,6 @@
 import { useRuntimeConfig } from "nitropack/runtime";
 import { createError, defineEventHandler, getCookie, getRequestURL, sendRedirect } from "h3";
+import { ADMIN_AUTH_COOKIE_NAME } from "../utils/authCookie.js";
 export default defineEventHandler(async (event) => {
   const pathname = getRequestURL(event).pathname;
   const isAdminLoginRoute = pathname === "/admin/login" || pathname === "/api/admin/login";
@@ -7,7 +8,7 @@ export default defineEventHandler(async (event) => {
   const isAdminApiRoute = pathname === "/api/admin" || pathname.startsWith("/api/admin/");
   if (isAdminLoginRoute || !isAdminRoute && !isAdminApiRoute) return;
   const { mktcms: { adminAuthKey } } = useRuntimeConfig();
-  const authKeyCookie = getCookie(event, "mktcms_admin_auth_key");
+  const authKeyCookie = getCookie(event, ADMIN_AUTH_COOKIE_NAME);
   if (!authKeyCookie || authKeyCookie !== adminAuthKey.toString() || adminAuthKey === "") {
     if (isAdminApiRoute) {
       throw createError({ statusCode: 401, statusMessage: "Unauthorized" });

package/dist/runtime/server/utils/authCookie.d.ts

@@ -0,0 +1,9 @@
+import type { H3Event } from 'h3';
+export declare const ADMIN_AUTH_COOKIE_NAME = "mktcms_admin_auth_key";
+export declare function getAuthCookieOptions(event: H3Event): {
+    httpOnly: boolean;
+    maxAge: number;
+    path: any;
+    sameSite: "lax" | "strict" | "none";
+    secure: boolean;
+};

package/dist/runtime/server/utils/authCookie.js

@@ -0,0 +1,12 @@
+import { useRuntimeConfig } from "nitropack/runtime";
+export const ADMIN_AUTH_COOKIE_NAME = "mktcms_admin_auth_key";
+export function getAuthCookieOptions(event) {
+  const { mktcms: { authCookieMaxAgeSeconds, authCookiePath, authCookieSameSite, authCookieSecure } } = useRuntimeConfig(event);
+  return {
+    httpOnly: true,
+    maxAge: Number(authCookieMaxAgeSeconds) || 7 * 24 * 60 * 60,
+    path: authCookiePath || "/",
+    sameSite: authCookieSameSite || "lax",
+    secure: Boolean(authCookieSecure)
+  };
+}

package/dist/runtime/server/utils/contentKey.d.ts

@@ -0,0 +1,2 @@
+export declare function normalizeContentKey(input: string): string;
+export declare function normalizeContentPrefix(input?: string): string;

package/dist/runtime/server/utils/contentKey.js

@@ -0,0 +1,67 @@
+import { createError } from "h3";
+function invalidContentKeyError() {
+  return createError({
+    statusCode: 400,
+    statusMessage: "Invalid content path"
+  });
+}
+function hasControlCharacters(value) {
+  for (const char of value) {
+    const code = char.charCodeAt(0);
+    if (code >= 0 && code <= 31 || code === 127) {
+      return true;
+    }
+  }
+  return false;
+}
+function normalizeContentKeyInternal(input, options = {}) {
+  const raw = input.trim();
+  if (!raw) {
+    if (options.allowEmpty) {
+      return "";
+    }
+    throw invalidContentKeyError();
+  }
+  let decoded;
+  try {
+    decoded = decodeURIComponent(raw);
+  } catch {
+    throw invalidContentKeyError();
+  }
+  if (!decoded.trim()) {
+    if (options.allowEmpty) {
+      return "";
+    }
+    throw invalidContentKeyError();
+  }
+  if (decoded.startsWith("/") || decoded.startsWith("\\") || /^[a-z]:[\\/]/i.test(decoded)) {
+    throw invalidContentKeyError();
+  }
+  const unifiedSeparators = decoded.replace(/[\\/]+/g, ":").trim();
+  if (!unifiedSeparators) {
+    if (options.allowEmpty) {
+      return "";
+    }
+    throw invalidContentKeyError();
+  }
+  if (hasControlCharacters(unifiedSeparators)) {
+    throw invalidContentKeyError();
+  }
+  const segments = unifiedSeparators.split(":");
+  if (segments.some((segment) => !segment)) {
+    throw invalidContentKeyError();
+  }
+  if (segments.some((segment) => segment === "." || segment === "..")) {
+    throw invalidContentKeyError();
+  }
+  return segments.join(":");
+}
+export function normalizeContentKey(input) {
+  return normalizeContentKeyInternal(input);
+}
+export function normalizeContentPrefix(input) {
+  if (!input) {
+    return "";
+  }
+  return normalizeContentKeyInternal(input, { allowEmpty: true });
+}

package/dist/runtime/server/utils/gitErrorSanitization.d.ts

@@ -0,0 +1 @@
+export declare function toGitErrorMessage(error: unknown, fallback: string): string;

package/dist/runtime/server/utils/gitErrorSanitization.js

@@ -0,0 +1,17 @@
+export function toGitErrorMessage(error, fallback) {
+  const rawMessage = error instanceof Error ? error.message : String(error);
+  const message = rawMessage.replace(/https?:\/\/[^\s@]+@/gi, "https://***@").replace(/(ghp_[A-Za-z0-9]+)/g, "***").replace(/(github_pat_\w+)/g, "***").replace(/(token=)[^&\s]+/gi, "$1***").replace(/(x-access-token:)[^@\s]+/gi, "$1***");
+  if (/conflict|merge conflict|could not apply|needs merge|merge failed/i.test(message)) {
+    return "Git operation failed due to merge conflicts. Resolve conflicts and retry.";
+  }
+  if (/authentication failed|could not read username|access denied|permission denied/i.test(message)) {
+    return "Git operation failed due to authentication error. Check NUXT_MKTCMS_GIT_USER, NUXT_MKTCMS_GIT_REPO and NUXT_MKTCMS_GIT_TOKEN.";
+  }
+  if (/not possible to fast-forward|non-fast-forward|fetch first/i.test(message)) {
+    return "Git operation failed because the target branch cannot be fast-forwarded. Pull and reconcile the branch state first.";
+  }
+  if (/timed out|network is unreachable|could not resolve host|econnreset|econnrefused|etimedout/i.test(message)) {
+    return "Git operation failed due to a network error. Please retry.";
+  }
+  return fallback;
+}

package/dist/runtime/server/utils/gitVersioning.d.ts

@@ -1,10 +1,10 @@
+export { toGitErrorMessage } from './gitErrorSanitization.js';
 export declare const MKTCMS_GIT_BOT_NAME = "Kunde";
 export declare const MKTCMS_GIT_BOT_EMAIL = "admin@mktcode.de";
 export declare function gitBotIdentityArgs(): string[];
 export declare const SUPPORTED_WEBSITE_BRANCHES: readonly ["main", "staging"];
 export type WebsiteBranch = typeof SUPPORTED_WEBSITE_BRANCHES[number];
 export declare function isSupportedWebsiteBranch(branch: string): branch is WebsiteBranch;
-export declare function toGitErrorMessage(error: unknown, fallback: string): string;
 type GitClientOptions = {
     baseDir?: string;
     authUrlOverride?: string;
@@ -51,4 +51,3 @@ export declare function mergeCounterpartBranchIntoCurrent(options?: MergeOptions
     sourceBranch: "main" | "staging";
     targetBranch: "main" | "staging";
 }>;
-export {};

package/dist/runtime/server/utils/gitVersioning.js

@@ -1,5 +1,7 @@
 import { useRuntimeConfig } from "nitropack/runtime";
 import { simpleGit } from "simple-git";
+import { toGitErrorMessage } from "./gitErrorSanitization.js";
+export { toGitErrorMessage } from "./gitErrorSanitization.js";
 export const MKTCMS_GIT_BOT_NAME = "Kunde";
 export const MKTCMS_GIT_BOT_EMAIL = "admin@mktcode.de";
 export function gitBotIdentityArgs() {
@@ -14,19 +16,6 @@ export const SUPPORTED_WEBSITE_BRANCHES = ["main", "staging"];
 export function isSupportedWebsiteBranch(branch) {
   return SUPPORTED_WEBSITE_BRANCHES.includes(branch);
 }
-export function toGitErrorMessage(error, fallback) {
-  const message = error instanceof Error ? error.message : String(error);
-  if (/conflict|merge conflict|could not apply|needs merge|merge failed/i.test(message)) {
-    return "Git operation failed due to merge conflicts. Resolve conflicts and retry.";
-  }
-  if (/authentication failed|could not read username|access denied|permission denied/i.test(message)) {
-    return "Git operation failed due to authentication error. Check NUXT_MKTCMS_GIT_USER, NUXT_MKTCMS_GIT_REPO and NUXT_MKTCMS_GIT_TOKEN.";
-  }
-  if (/not possible to fast-forward|non-fast-forward|fetch first/i.test(message)) {
-    return "Git operation failed because the target branch cannot be fast-forwarded. Pull and reconcile the branch state first.";
-  }
-  return `${fallback}: ${message}`;
-}
 export function isVersioningEnabled() {
   const { public: { mktcms: { showVersioning } } } = useRuntimeConfig();
   return Boolean(showVersioning);

package/dist/runtime/server/utils/loginRateLimit.d.ts

@@ -0,0 +1,4 @@
+import type { H3Event } from 'h3';
+export declare function assertLoginNotRateLimited(event: H3Event): void;
+export declare function recordFailedLoginAttempt(event: H3Event): void;
+export declare function clearFailedLoginAttempts(event: H3Event): void;

package/dist/runtime/server/utils/loginRateLimit.js

@@ -0,0 +1,72 @@
+import { createError, getRequestIP } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
+const attempts = /* @__PURE__ */ new Map();
+function getState(clientId) {
+  const state = attempts.get(clientId);
+  if (state) {
+    return state;
+  }
+  const next = {
+    failedAt: [],
+    blockedUntil: 0
+  };
+  attempts.set(clientId, next);
+  return next;
+}
+function getClientId(event) {
+  const forwarded = getRequestIP(event, { xForwardedFor: true });
+  return forwarded || event.node.req.socket.remoteAddress || "unknown";
+}
+function getRateLimitSettings(event) {
+  const {
+    mktcms: {
+      loginRateLimitMaxAttempts,
+      loginRateLimitWindowSeconds,
+      loginRateLimitBlockSeconds
+    }
+  } = useRuntimeConfig(event);
+  const maxAttempts = Math.max(1, Number(loginRateLimitMaxAttempts) || 5);
+  const windowMs = Math.max(1, Number(loginRateLimitWindowSeconds) || 300) * 1e3;
+  const blockMs = Math.max(1, Number(loginRateLimitBlockSeconds) || 600) * 1e3;
+  return {
+    maxAttempts,
+    windowMs,
+    blockMs
+  };
+}
+function clearStaleAttempts(state, now, windowMs) {
+  state.failedAt = state.failedAt.filter((ts) => now - ts <= windowMs);
+}
+export function assertLoginNotRateLimited(event) {
+  const { windowMs } = getRateLimitSettings(event);
+  const clientId = getClientId(event);
+  const now = Date.now();
+  const state = getState(clientId);
+  clearStaleAttempts(state, now, windowMs);
+  if (state.blockedUntil > now) {
+    const retryAfterSeconds = Math.ceil((state.blockedUntil - now) / 1e3);
+    throw createError({
+      statusCode: 429,
+      statusMessage: "Too many login attempts. Please try again later.",
+      data: {
+        retryAfterSeconds
+      }
+    });
+  }
+}
+export function recordFailedLoginAttempt(event) {
+  const { maxAttempts, windowMs, blockMs } = getRateLimitSettings(event);
+  const clientId = getClientId(event);
+  const now = Date.now();
+  const state = getState(clientId);
+  clearStaleAttempts(state, now, windowMs);
+  state.failedAt.push(now);
+  if (state.failedAt.length >= maxAttempts) {
+    state.blockedUntil = now + blockMs;
+    state.failedAt = [];
+  }
+}
+export function clearFailedLoginAttempts(event) {
+  const clientId = getClientId(event);
+  attempts.delete(clientId);
+}

package/dist/runtime/server/utils/uploadGuard.d.ts

@@ -0,0 +1,2 @@
+export declare function getMaxUploadBytes(): number;
+export declare function assertUploadSize(fileData: Buffer | Uint8Array | string, maxBytes: number): void;

package/dist/runtime/server/utils/uploadGuard.js

@@ -0,0 +1,20 @@
+import { createError } from "h3";
+import { useRuntimeConfig } from "nitropack/runtime";
+import { DEFAULT_MAX_UPLOAD_BYTES } from "../../shared/contentFiles.js";
+export function getMaxUploadBytes() {
+  const { mktcms: { uploadMaxBytes } } = useRuntimeConfig();
+  const parsed = Number(uploadMaxBytes);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return DEFAULT_MAX_UPLOAD_BYTES;
+  }
+  return Math.floor(parsed);
+}
+export function assertUploadSize(fileData, maxBytes) {
+  const byteLength = typeof fileData === "string" ? Buffer.byteLength(fileData) : fileData.byteLength;
+  if (byteLength > maxBytes) {
+    throw createError({
+      statusCode: 413,
+      statusMessage: `Upload too large. Maximum allowed size is ${maxBytes} bytes.`
+    });
+  }
+}

package/dist/runtime/shared/contentFiles.d.ts

@@ -0,0 +1,15 @@
+export declare const IMAGE_EXTENSIONS: readonly [".jpg", ".jpeg", ".png", ".gif", ".webp"];
+export declare const PDF_EXTENSIONS: readonly [".pdf"];
+export declare const TEXT_EXTENSIONS: readonly [".txt", ".json"];
+export declare const EDITABLE_EXTENSIONS: readonly [".md", ".csv", ".txt", ".json"];
+export declare const CONTENT_UPLOAD_EXTENSIONS: readonly [".pdf", ".jpg", ".jpeg", ".png", ".gif", ".webp", ".md", ".docx", ".txt", ".csv", ".json"];
+export declare const DEFAULT_MAX_UPLOAD_BYTES: number;
+export declare function toFileExtension(filePath: string): string;
+export declare function hasAllowedExtension(filePath: string, allowedExtensions: readonly string[]): boolean;
+export declare function isImagePath(filePath: string): boolean;
+export declare function isPdfPath(filePath: string): boolean;
+export declare function isTextPath(filePath: string): boolean;
+export declare function isMarkdownPath(filePath: string): boolean;
+export declare function isCsvPath(filePath: string): boolean;
+export declare function isJsonPath(filePath: string): boolean;
+export declare function toAcceptAttribute(extensions: readonly string[]): string;

package/dist/runtime/shared/contentFiles.js

@@ -0,0 +1,38 @@
+export const IMAGE_EXTENSIONS = [".jpg", ".jpeg", ".png", ".gif", ".webp"];
+export const PDF_EXTENSIONS = [".pdf"];
+export const TEXT_EXTENSIONS = [".txt", ".json"];
+export const EDITABLE_EXTENSIONS = [".md", ".csv", ".txt", ".json"];
+export const CONTENT_UPLOAD_EXTENSIONS = [".pdf", ...IMAGE_EXTENSIONS, ".md", ".docx", ".txt", ".csv", ".json"];
+export const DEFAULT_MAX_UPLOAD_BYTES = 50 * 1024 * 1024;
+export function toFileExtension(filePath) {
+  const dotIndex = filePath.lastIndexOf(".");
+  if (dotIndex < 0) {
+    return "";
+  }
+  return filePath.slice(dotIndex).toLowerCase();
+}
+export function hasAllowedExtension(filePath, allowedExtensions) {
+  const extension = toFileExtension(filePath);
+  return extension !== "" && allowedExtensions.includes(extension);
+}
+export function isImagePath(filePath) {
+  return hasAllowedExtension(filePath, IMAGE_EXTENSIONS);
+}
+export function isPdfPath(filePath) {
+  return hasAllowedExtension(filePath, PDF_EXTENSIONS);
+}
+export function isTextPath(filePath) {
+  return hasAllowedExtension(filePath, TEXT_EXTENSIONS);
+}
+export function isMarkdownPath(filePath) {
+  return hasAllowedExtension(filePath, [".md"]);
+}
+export function isCsvPath(filePath) {
+  return hasAllowedExtension(filePath, [".csv"]);
+}
+export function isJsonPath(filePath) {
+  return hasAllowedExtension(filePath, [".json"]);
+}
+export function toAcceptAttribute(extensions) {
+  return extensions.join(",");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mktcms",
-  "version": "0.2.13",
+  "version": "0.2.14",
   "description": "Simple CMS module for Nuxt",
   "repository": "mktcode/mktcms",
   "license": "MIT",

package/dist/runtime/app/composables/useImport.d.ts

@@ -1,6 +0,0 @@
-export default function useImport(): {
-    uploadError: import("vue").Ref<string | null, string | null>;
-    isUploading: import("vue").Ref<boolean, boolean>;
-    fileInput: import("vue").Ref<HTMLInputElement | null, HTMLInputElement | null>;
-    uploadFile: (event: Event) => Promise<void>;
-};

package/dist/runtime/app/composables/useImport.js

@@ -1,37 +0,0 @@
-import { ref } from "vue";
-export default function useImport() {
-  const uploadError = ref(null);
-  const fileInput = ref(null);
-  const isUploading = ref(false);
-  async function uploadFile(event) {
-    if (isUploading.value) return;
-    isUploading.value = true;
-    uploadError.value = null;
-    const input = event.target;
-    if (!input.files) {
-      return;
-    }
-    const file = input.files[0];
-    if (!file) {
-      return;
-    }
-    const formData = new FormData();
-    formData.append("file", file);
-    try {
-      await $fetch("/api/admin/import", {
-        method: "POST",
-        body: formData
-      });
-    } catch (error) {
-      uploadError.value = error.data?.statusMessage || "Fehler beim Hochladen der Datei";
-      input.value = "";
-    }
-    isUploading.value = false;
-  }
-  return {
-    uploadError,
-    isUploading,
-    fileInput,
-    uploadFile
-  };
-}

package/dist/runtime/server/api/admin/import.d.ts

@@ -1,5 +0,0 @@
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<{
-    success: boolean;
-    count: number;
-}>>;
-export default _default;