nca-ai-cms-astro-plugin 1.1.4 → 1.1.6

package/README.md

@@ -85,6 +85,9 @@ ncaAiCms({
 | `/api/prompts` | Manage prompt templates |
 | `/api/scheduler` | Manage scheduled posts |
 | `/api/articles/*` | Article operations |
+| `/api/db/export` | Export settings + prompts as JSON |
+| `/api/db/import` | Import settings + prompts (merge/upsert) |
+| `/api/db/download` | Download raw SQLite database backup |
 
 All `/api/*` and `/editor` routes are protected by cookie-based authentication.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nca-ai-cms-astro-plugin",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "type": "module",
   "exports": {
     ".": "./src/index.ts",

package/src/api/articles/create.ts

@@ -19,13 +19,6 @@ const CreateArticleSchema = z.object({
 // POST /api/articles/create - Generate content + image and save in one call
 export const POST: APIRoute = async ({ request }) => {
   try {
-    // CSRF: reject cross-origin requests
-    const origin = request.headers.get('origin');
-    const requestUrl = new URL(request.url);
-    if (origin && new URL(origin).origin !== requestUrl.origin) {
-      return jsonError('Forbidden', 403);
-    }
-
     let body: unknown;
     try {
       body = await request.json();

package/src/components/editor/SettingsTab.tsx

@@ -294,37 +294,40 @@ export function SettingsTab() {
         <div style={{ ...styles.plannerForm, flexDirection: 'row', alignItems: 'center' }}>
           <span style={{ ...styles.label, marginRight: 'auto' }}>Datenbank-Verwaltung</span>
           <a
-            href="/api/db/download"
+            href="/api/db/export"
             style={{ ...styles.editButton, textDecoration: 'none', display: 'inline-flex', alignItems: 'center', gap: '0.4rem' }}
           >
-            ↓ DB herunterladen
+            ↓ DB exportieren
           </a>
           <label style={{ ...styles.editButton, cursor: 'pointer', display: 'inline-flex', alignItems: 'center', gap: '0.4rem', margin: 0 }}>
-            ↑ DB hochladen
+            ↑ DB importieren
             <input
               type="file"
-              accept=".db,.sqlite,.sqlite3"
+              accept=".json"
               style={styles.srOnly}
               onChange={async (e) => {
                 const file = e.target.files?.[0];
                 if (!file) return;
-                if (!confirm(`Datenbank "${file.name}" hochladen? Die aktuelle DB wird ueberschrieben.`)) {
+                if (!confirm(`Datenbank "${file.name}" importieren? Die aktuellen Daten werden ersetzt.`)) {
                   e.target.value = '';
                   return;
                 }
-                const formData = new FormData();
-                formData.append('database', file);
                 try {
-                  const res = await fetch('/api/db/upload', { method: 'POST', body: formData });
+                  const text = await file.text();
+                  JSON.parse(text);
+                  const res = await fetch('/api/db/import', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: text,
+                  });
                   const data = await res.json();
                   if (res.ok) {
-                    alert('Datenbank hochgeladen. Seite wird neu geladen.');
-                    window.location.reload();
+                    loadData();
                   } else {
-                    alert('Fehler: ' + (data.error || 'Upload fehlgeschlagen'));
+                    alert('Fehler: ' + (data.error || 'Import fehlgeschlagen'));
                   }
                 } catch {
-                  alert('Upload fehlgeschlagen');
+                  alert('Import fehlgeschlagen. Bitte eine gueltige JSON-Datei waehlen.');
                 }
                 e.target.value = '';
               }}

package/src/pages/robots.txt.ts

@@ -1,4 +1,5 @@
 import type { APIContext } from 'astro';
+import { getPublicOrigin } from '../utils/originUtils.js';
 
 export function generateRobotsTxt(siteUrl: string): string {
   const base = siteUrl.replace(/\/+$/, '');
@@ -14,7 +15,7 @@ Sitemap: ${base}/sitemap.xml
 }
 
 export function GET(context: APIContext): Response {
-  const siteUrl = context.site?.toString() ?? context.url.origin;
+  const siteUrl = getPublicOrigin(context);
   const body = generateRobotsTxt(siteUrl);
 
   return new Response(body, {

package/src/pages/sitemap.xml.ts

@@ -1,6 +1,7 @@
 import type { APIContext } from 'astro';
 import { ArticleService } from '../services/ArticleService';
 import type { ArticleData } from '../services/ArticleService';
+import { getPublicOrigin } from '../utils/originUtils.js';
 
 const STATIC_PAGES = ['/', '/impressum', '/ueber-ai-cms'];
 
@@ -43,7 +44,7 @@ ${[...staticEntries, ...articleEntries].join('\n')}
 }
 
 export async function GET(context: APIContext): Promise<Response> {
-  const siteUrl = context.site?.toString() ?? context.url.origin;
+  const siteUrl = getPublicOrigin(context);
   const service = new ArticleService();
   const articles = await service.list();
 

package/src/utils/originUtils.ts

@@ -0,0 +1,15 @@
+import type { APIContext } from 'astro';
+
+export function getPublicOrigin(context: APIContext): string {
+  if (context.site) {
+    return context.site.toString().replace(/\/+$/, '');
+  }
+
+  const proto = context.request.headers.get('x-forwarded-proto');
+  const host = context.request.headers.get('x-forwarded-host');
+  if (proto && host) {
+    return `${proto}://${host}`;
+  }
+
+  return context.url.origin;
+}

package/update.md

@@ -1,3 +1,67 @@
+# v1.1.6
+
+## Fix: reverse proxy compatibility
+
+### Removed: broken CSRF check in `/api/articles/create`
+- The origin comparison (`request.headers.get('origin')` vs `request.url`) fails behind reverse proxies (Traefik/Nginx) because `request.url` resolves to the internal container URL
+- Route is already protected by auth middleware — CSRF check was redundant
+- Fixes 403 Forbidden when generating articles in production
+
+### New: `getPublicOrigin()` utility
+- Resolves the correct external URL behind reverse proxies
+- Priority: `context.site` → `X-Forwarded-Proto`/`X-Forwarded-Host` → `context.url.origin`
+- Nginx already sets these headers on all proxy locations
+
+### Fixed: robots.txt and sitemap.xml URLs
+- Both files used `context.url.origin` which returned `http://127.0.0.1:4321` behind proxy
+- Now use `getPublicOrigin()` to produce correct external URLs
+
+---
+
+# v1.1.5
+
+## Refactor: Settings import/export with merge semantics
+
+### New: JSON settings export/import endpoints
+- `GET /api/db/export` — exports site settings and prompts as a JSON file download
+- `POST /api/db/import` — imports settings and/or prompts with upsert (merge) semantics
+
+### Import features
+- **Merge, not replace** — importing prompts won't delete your settings, importing settings won't delete your prompts
+- **Partial import** — payload only needs to include the sections you want to update (`siteSettings`, `prompts`, or both)
+- **No restart needed** — uses the live `astro:db` connection, no file replacement, no connection disruption
+- **Validation** — payload is validated before import with clear error messages
+
+### Breaking: SQLite file upload removed
+- `POST /api/db/upload` now returns `410 Gone` with migration instructions
+- The old SQLite file upload caused infinite redirect loops by breaking the live DB connection
+- Use `GET /api/db/export` + `POST /api/db/import` instead
+
+### Export format
+```json
+{
+  "version": 1,
+  "exportedAt": "2026-03-24T12:00:00.000Z",
+  "siteSettings": [{ "key": "content.branche", "value": "Tech", "updatedAt": "..." }],
+  "prompts": [{ "id": "p1", "name": "Blog", "category": "content", "promptText": "...", "updatedAt": "..." }]
+}
+```
+
+### Cleanup
+- Removed dead `dbUploadUtils.ts` and its tests
+- Upload test updated for 410 stub
+
+---
+
+# v1.1.3 / v1.1.4
+
+## Internal: DB upload refactoring (superseded by v1.1.5)
+- Extracted upload utilities to `dbUploadUtils.ts`
+- Added `DbTransferService` with JSON export/import
+- These versions contained intermediate work that was refined in v1.1.5
+
+---
+
 # v1.1.2
 
 ## Feature: Delete button in InlineEditor