opacacms 0.1.11 → 0.1.13

package/src/server/middlewares/admin.ts

@@ -1,27 +0,0 @@
-import type { Context, Next } from "hono";
-
-export const adminMiddleware = async (c: Context, next: Next) => {
-  const user = c.get("user");
-
-  // Check if it's one of the few allowed "public" admin endpoints
-  const isPublicAdmin =
-    c.req.path.endsWith("/__admin/metadata") || c.req.path.endsWith("/__admin/setup");
-
-  if (!user && !isPublicAdmin) {
-    return c.json({ message: "Unauthorized" }, 401);
-  }
-
-  // Public admin endpoints are allowed anonymously (they return sanitized safe data)
-  if (isPublicAdmin) {
-    await next();
-    return;
-  }
-
-  // For everything else, require authenticated user with admin role
-  if (user.role === "admin" || user.role?.includes("admin")) {
-    await next();
-    return;
-  }
-
-  return c.json({ message: "Forbidden" }, 403);
-};

package/src/server/middlewares/auth.ts

@@ -1,89 +0,0 @@
-import type { Session, User } from "better-auth";
-import type { Context, MiddlewareHandler, Next } from "hono";
-import type { Auth } from "../../auth";
-import { logger } from "../../utils/logger";
-
-export type AuthContextVariables = {
-  user: User | null;
-  session: Session | null;
-  apiKey?: {
-    id: string;
-    name: string | null;
-    permissions?: Record<string, string[]> | null;
-    referenceId: string;
-  } | null;
-};
-
-export function createAuthMiddleware(
-  getAuth: () => Auth | undefined,
-): MiddlewareHandler<{ Variables: AuthContextVariables }> {
-  return async (c: Context, next: Next) => {
-    const auth = getAuth();
-
-    if (!auth) {
-      c.set("user", null);
-      c.set("session", null);
-      c.set("apiKey", null);
-      await next();
-      return;
-    }
-
-    // 1. Try Session Auth
-    const session = await auth.api.getSession({ headers: c.req.raw.headers });
-    if (session) {
-      c.set("user", session.user);
-      c.set("session", session.session);
-      c.set("apiKey", null);
-      await next();
-      return;
-    }
-
-    // 2. Try API Key Auth
-    const authHeader = c.req.header("Authorization");
-    if (authHeader && authHeader.startsWith("Bearer ")) {
-      const token = authHeader.split(" ")[1];
-      if (token) {
-        try {
-          // verifyApiKey expects { headers, body: { key: string } }
-          const result = await (auth.api as any).verifyApiKey({
-            headers: c.req.raw.headers,
-            body: { key: token },
-          });
-
-          if (result && result.valid && result.key) {
-            c.set("apiKey", {
-              id: result.key.id,
-              name: result.key.name,
-              permissions: result.key.permissions,
-              referenceId: result.key.referenceId,
-            });
-
-            // Optimize fetching User for API Keys by reading directly from local context or optimized DB query
-            // Instead of fully simulating `auth.api.getUser`, we can extract the user info directly
-            // from the adapter.
-            try {
-              const ownerResult = await auth.options.database?.findOne?.("_users", {
-                id: result.key.referenceId,
-              });
-              c.set("user", ownerResult || null);
-            } catch (e) {
-              logger.warn("Failed to fetch API key owner from database:", e);
-              c.set("user", null);
-            }
-
-            c.set("session", null);
-            await next();
-            return;
-          }
-        } catch (err) {
-          logger.warn("API Key verification failed:", err);
-        }
-      }
-    }
-
-    c.set("user", null);
-    c.set("session", null);
-    c.set("apiKey", null);
-    await next();
-  };
-}

package/src/server/middlewares/context.ts

@@ -1,17 +0,0 @@
-import type { Context, MiddlewareHandler, Next } from "hono";
-import type { OpacaConfig } from "../../types";
-
-export type OpacaContextVariables = {
-  config: OpacaConfig;
-  db: OpacaConfig["db"];
-};
-
-export function createContextMiddleware(
-  config: OpacaConfig,
-): MiddlewareHandler<{ Variables: OpacaContextVariables }> {
-  return async (c: Context, next: Next) => {
-    c.set("config", config);
-    c.set("db", config.db);
-    await next();
-  };
-}

package/src/server/middlewares/cors.ts

@@ -1,24 +0,0 @@
-import type { MiddlewareHandler } from "hono";
-import { cors } from "hono/cors";
-import type { OpacaConfig } from "../../types";
-
-export function createCorsMiddleware(config: OpacaConfig): MiddlewareHandler {
-  const trustedOrigins = config.trustedOrigins || [];
-
-  return cors({
-    origin: async (origin, _c) => {
-      // If trustedOrigins is a function, evaluate it
-      const allowed =
-        typeof trustedOrigins === "function" ? await trustedOrigins(_c.req.raw) : trustedOrigins;
-
-      // If origin is in the list, allow it. If the list is empty, allow none (safe default)
-      if (Array.isArray(allowed) && allowed.includes(origin)) {
-        return origin;
-      }
-      return undefined;
-    },
-    allowMethods: ["POST", "GET", "PUT", "PATCH", "DELETE", "OPTIONS"],
-    exposeHeaders: ["Content-Length"],
-    credentials: true,
-  });
-}

package/src/server/middlewares/database-init.ts

@@ -1,74 +0,0 @@
-import type { MiddlewareHandler } from "hono";
-import { type Auth, createAuth } from "../../auth";
-import { runAuthMigrations } from "../../auth/migrations";
-import { getSystemCollections } from "../../db/system-schema";
-import type { OpacaConfig } from "../../types";
-import { logger } from "../../utils/logger";
-
-/**
- * Middleware for database connection and schema synchronization.
- * This runs once per server startup via a 'migrated' flag in the shared state.
- */
-export function createDatabaseInitMiddleware(
-  config: OpacaConfig,
-  state: { auth: Auth | undefined; migrated: boolean },
-): MiddlewareHandler {
-  const supportsAuth =
-    config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
-
-  return async (_c, next) => {
-    if (!state.migrated) {
-      const isDev = typeof process !== "undefined" && process.env.NODE_ENV !== "production";
-
-      if (isDev) {
-        logger.info(`Connecting to database: ${logger.format("yellow", config.db.name)}...`);
-      } else {
-        logger.debug(`Connecting to database: ${config.db.name}...`);
-      }
-
-      await config.db.connect();
-
-      // 1. Load internal schema mapping (Always required for adapter to function)
-      // This doesn't modify the DB unless push: true
-      if (isDev) {
-        logger.debug("Synchronizing database schema...");
-      }
-
-      const allCollections = [...config.collections];
-      // Inject system collections (auth + assets) for migration
-      for (const systemCol of getSystemCollections()) {
-        if (!allCollections.find((c) => c.slug === systemCol.slug)) {
-          allCollections.push(systemCol);
-        }
-      }
-
-      await config.db.migrate(allCollections, config.globals);
-
-      if (isDev) {
-        logger.success("Database schema synchronized.");
-      }
-
-      // 2. Control whether migrations/schema pushing happens automatically
-      const shouldMigrate = config.runMigrationsOnStartup || isDev;
-
-      if (shouldMigrate) {
-        if (config.runMigrationsOnStartup && config.db.runMigrations) {
-          logger.info("Running file-based migrations on startup...");
-          await config.db.runMigrations();
-        }
-
-        // Run auth table migrations
-        await runAuthMigrations(config.db);
-      } else {
-        logger.debug("Automatic schema migrations skipped (Production).");
-      }
-
-      // Create auth instance AFTER database is connected and tables exist
-      if (supportsAuth && !state.auth) {
-        state.auth = await createAuth(config);
-      }
-      state.migrated = true;
-    }
-    await next();
-  };
-}

package/src/server/middlewares/rate-limit.ts

@@ -1,77 +0,0 @@
-
-import type { Context, MiddlewareHandler } from "hono";
-import { rateLimiter } from "hono-rate-limiter";
-import type { OpacaConfig } from "@/types";
-import { logger } from "@/utils/logger";
-
-export function createRateLimitMiddleware(config: OpacaConfig): MiddlewareHandler {
-  const rateLimitConfig = config.api?.rateLimit;
-
-  if (rateLimitConfig?.enabled === false) {
-    return async (_c, next) => await next();
-  }
-
-  const windowMs = rateLimitConfig?.windowMs || 60000;
-  const limit = rateLimitConfig?.limit || 100;
-
-  return async (c, next) => {
-    // 1. Check for manual provider in config (e.g. Cloudflare ratelimit binding)
-    let provider = rateLimitConfig?.provider?.(c as any);
-
-    // 2. Auto-detect Cloudflare RateLimit binding if no manual provider/store is provided
-    if (!provider && !rateLimitConfig?.store && c.env) {
-      // Look for a binding that looks like a RateLimit binding (has 'limit' method)
-      const rateLimitKey = Object.keys(c.env).find(
-        (key) => (c.env as any)[key]?.limit && typeof (c.env as any)[key].limit === "function",
-      );
-      if (rateLimitKey) {
-        provider = (c.env as any)[rateLimitKey];
-      }
-    }
-
-    // 3. If a provider (like native Cloudflare binding) is found, use it
-    if (provider) {
-      const limiter = rateLimiter({
-        binding: () => provider,
-        keyGenerator:
-          (rateLimitConfig?.keyGenerator as any) ||
-          ((c: Context) =>
-            c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || "anonymous"),
-      });
-      return limiter(c, next);
-    }
-
-    // 4. Fallback to Store-based or Memory-based rate limiting
-    let resolvedStore = rateLimitConfig?.store;
-
-    // Auto-detect KV store if on Cloudflare and no store/provider is found
-    if (!resolvedStore && c.env) {
-      const kvBindingKey = Object.keys(c.env).find(
-        (key) => key.startsWith("OPACA_") && (c.env as any)[key]?.put && (c.env as any)[key]?.get,
-      );
-
-      if (kvBindingKey) {
-        try {
-          const { WorkersKVStore } = await import("@hono-rate-limiter/cloudflare");
-          resolvedStore = new WorkersKVStore({ namespace: (c.env as any)[kvBindingKey] });
-        } catch (e) {
-          logger.error("Failed to load @hono-rate-limiter/cloudflare dynamic import. Make sure you are in a Cloudflare environment.", e);
-        }
-      }
-    }
-
-    const limiter = rateLimiter({
-      windowMs,
-      limit,
-      standardHeaders: "draft-6",
-      store: resolvedStore,
-      keyGenerator:
-        (rateLimitConfig?.keyGenerator as any) ||
-        ((c: Context) =>
-          c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || "anonymous"),
-      message: "Too many requests from this IP, please try again after a minute.",
-    });
-
-    return limiter(c, next);
-  };
-}

package/src/server/router.ts

@@ -1,47 +0,0 @@
-import { Hono } from "hono";
-
-import type { Auth } from "../auth";
-import type { OpacaConfig } from "../types";
-
-import { createAdminRouter } from "./admin-router";
-import { mountCollectionRoutes, mountGlobalRoutes } from "./collection-router";
-import {
-  type ApiContextVariables,
-  setupAuthMiddlewares,
-  setupMiddlewares,
-} from "./setup-middlewares";
-import { createAssetsServingRouter, createSystemRouter } from "./system-router";
-
-export type { ApiContextVariables } from "./setup-middlewares";
-
-export function createAPIRouter(config: OpacaConfig): Hono<{ Variables: ApiContextVariables }> {
-  // Auth and migration state
-  const state = { auth: undefined as Auth | undefined, migrated: false };
-
-  // Create Router
-  const router = new Hono<{ Variables: ApiContextVariables }>().basePath("/api");
-
-  // Apply Middlewares
-  setupMiddlewares(router, config, state);
-  setupAuthMiddlewares(router, config, state);
-
-  // Health Check
-  router.get("/", (c) => {
-    return c.json({ status: "ok", version: "1.0.0", appName: config.appName });
-  });
-
-  // Mount Admin API routes
-  router.route("/__admin", createAdminRouter(config, state));
-
-  // Mount System API routes (Assets management)
-  router.route("/__system", createSystemRouter(config));
-
-  // Serve Assets
-  router.route("/", createAssetsServingRouter(config));
-
-  // Mount Collections & Globals dynamic routes
-  mountCollectionRoutes(router, config, state);
-  mountGlobalRoutes(router, config, state);
-
-  return router;
-}

package/src/server/setup-middlewares.ts

@@ -1,58 +0,0 @@
-import type { Hono } from "hono";
-import type { Auth } from "../auth";
-import type { OpacaConfig } from "../types";
-import { logger } from "../utils/logger";
-import { type AuthContextVariables, createAuthMiddleware } from "./middlewares/auth";
-import { createContextMiddleware, type OpacaContextVariables } from "./middlewares/context";
-import { createCorsMiddleware } from "./middlewares/cors";
-import { createDatabaseInitMiddleware } from "./middlewares/database-init";
-import { createRateLimitMiddleware } from "./middlewares/rate-limit";
-
-export type ApiContextVariables = OpacaContextVariables & AuthContextVariables;
-
-export function setupMiddlewares(
-  router: Hono<{ Variables: ApiContextVariables }>,
-  config: OpacaConfig,
-  state: { auth: Auth | undefined; migrated: boolean },
-) {
-  // Add X-Powered-By header
-  router.use("*", async (c, next) => {
-    await next();
-    c.res.headers.set("X-Powered-By", "OpacaCMS");
-  });
-
-  // Core Middlewares
-  router.use("*", createContextMiddleware(config));
-  router.use("*", createRateLimitMiddleware(config));
-  router.use("*", createCorsMiddleware(config));
-  router.use("*", createDatabaseInitMiddleware(config, state));
-
-  // Global Error Handler
-  router.onError((err, c) => {
-    logger.error(`API Error: ${err.message}`, err);
-    return c.json({ message: "Internal Server Error", error: err.message }, 500);
-  });
-}
-
-export function setupAuthMiddlewares(
-  router: Hono<{ Variables: ApiContextVariables }>,
-  config: OpacaConfig,
-  state: { auth: Auth | undefined },
-) {
-  const supportsAuth =
-    config.db.name === "sqlite" || config.db.name === "postgres" || config.db.name === "d1";
-
-  if (supportsAuth) {
-    router.use(
-      "*",
-      createAuthMiddleware(() => state.auth),
-    );
-
-    router.on(["POST", "GET"], ["/auth/*"], async (c) => {
-      if (!state.auth) {
-        return c.json({ message: "Auth not initialized" }, 503);
-      }
-      return await state.auth.handler(c.req.raw);
-    });
-  }
-}

package/src/server/system-router.ts

@@ -1,35 +0,0 @@
-import { Hono } from "hono";
-import { getSystemCollections } from "../db/system-schema";
-import type { OpacaConfig } from "../types";
-import { createAssetsHandlers } from "./assets";
-import { adminMiddleware } from "./middlewares/admin";
-import type { ApiContextVariables } from "./router";
-
-export function createSystemRouter(config: OpacaConfig) {
-  const systemRouter = new Hono<{ Variables: ApiContextVariables }>();
-
-  if (config.storages) {
-    const assetsHandlers = createAssetsHandlers(config);
-
-    systemRouter.post("/assets/upload", adminMiddleware, assetsHandlers.upload);
-    systemRouter.get("/assets", adminMiddleware, assetsHandlers.list);
-    systemRouter.post("/assets/presign-upload", adminMiddleware, assetsHandlers.presign);
-  }
-
-  return systemRouter;
-}
-
-export function createAssetsServingRouter(config: OpacaConfig) {
-  const assetsServingRouter = new Hono<{ Variables: ApiContextVariables }>();
-
-  if (config.storages) {
-    const assetsHandlers = createAssetsHandlers(config);
-    const assetCol = getSystemCollections().find((c) => c.slug === "_opaca_assets");
-    const assetPath = `/${assetCol?.apiPath || assetCol?.slug || "_opaca_assets"}`;
-
-    // Serve Assets (Public/Admin depending on access, but for now allow public if URL is known)
-    assetsServingRouter.get(`${assetPath}/:id/view`, assetsHandlers.serve);
-  }
-
-  return assetsServingRouter;
-}

package/src/server.ts

@@ -1,9 +0,0 @@
-// Server-only entry point (runtime-agnostic core)
-// DB adapters are imported separately via opacacms/db/postgres, opacacms/db/sqlite, etc.
-
-export * from "./config";
-export * from "./db/adapter";
-export * from "./server/admin";
-export * from "./server/handlers";
-export * from "./server/router";
-export * from "./types";

package/src/storage/adapters/cloudflare-r2.ts

@@ -1,136 +0,0 @@
-import type { R2Bucket } from "@cloudflare/workers-types";
-import { FileTooLargeError, Invalidmime_typeError, StorageError } from "../errors";
-import type {
-  FileData,
-  FileRecord,
-  StorageAdapter,
-  StorageAdapterConfig,
-  UploadOptions,
-} from "../types";
-
-export interface R2AdapterConfig extends StorageAdapterConfig {
-  bucketBinding: R2Bucket; // e.g., env.MY_ASSETS_BUCKET
-}
-
-export function createR2Storage(config: R2AdapterConfig): StorageAdapter {
-  const getFullKey = (filename: string) => {
-    return config.prefix ? `${config.prefix.replace(/\/$/, "")}/${filename}` : filename;
-  };
-
-  const getPublicUrl = (filename: string) => {
-    if (!config.publicUrl) {
-      throw new Error(
-        "Cloudflare R2 requires a 'publicUrl' (custom domain) configured in the adapter to return accessible URLs.",
-      );
-    }
-    return `${config.publicUrl.replace(/\/$/, "")}/${getFullKey(filename)}`;
-  };
-
-  return {
-    name: "cloudflare-r2",
-
-    async upload(file: FileRecord, options?: UploadOptions): Promise<FileData> {
-      try {
-        if (options?.allowedmime_types && !options.allowedmime_types.includes(file.mime_type)) {
-          throw new Invalidmime_typeError(
-            "cloudflare-r2",
-            options.allowedmime_types,
-            file.mime_type,
-          );
-        }
-
-        if (options?.maxFileSize && file.filesize > options.maxFileSize) {
-          throw new FileTooLargeError("cloudflare-r2", options.maxFileSize, file.filesize);
-        }
-
-        let finalFilename = file.filename;
-        if (options?.generateUniqueName) {
-          const ext = file.original_filename.split(".").pop() || "";
-          const hash = crypto.randomUUID().split("-")[0];
-          finalFilename = `${finalFilename.replace(`.${ext}`, "")}-${hash}.${ext}`;
-        }
-
-        const key = getFullKey(finalFilename);
-
-        const body = file.buffer || file.stream;
-        if (!body) {
-          throw new StorageError(
-            "cloudflare-r2",
-            "upload",
-            `No content provided for file ${file.filename}`,
-          );
-        }
-
-        await config.bucketBinding.put(key, body as any, {
-          httpMetadata: {
-            contentType: file.mime_type,
-          },
-        });
-
-        return {
-          filename: finalFilename,
-          mime_type: file.mime_type,
-          filesize: file.filesize,
-          url: getPublicUrl(finalFilename),
-        };
-      } catch (error) {
-        if (error instanceof StorageError) throw error;
-        throw new StorageError(
-          "cloudflare-r2",
-          "upload",
-          `Failed to upload ${file.filename} to R2 bucket`,
-          error,
-        );
-      }
-    },
-
-    async delete(filename: string): Promise<void> {
-      try {
-        await config.bucketBinding.delete(getFullKey(filename));
-      } catch (error) {
-        throw new StorageError(
-          "cloudflare-r2",
-          "delete",
-          `Failed to delete ${filename} from R2 bucket`,
-          error,
-        );
-      }
-    },
-
-    async exists(filename: string): Promise<boolean> {
-      try {
-        const head = await config.bucketBinding.head(getFullKey(filename));
-        return head !== null;
-      } catch (error) {
-        throw new StorageError(
-          "cloudflare-r2",
-          "exists",
-          `Failed to check existence of ${filename} in R2 bucket`,
-          error,
-        );
-      }
-    },
-
-    async download(filename: string): Promise<ReadableStream<Uint8Array>> {
-      try {
-        const object = await config.bucketBinding.get(getFullKey(filename));
-        if (!object) {
-          throw new StorageError("cloudflare-r2", "download", `File not found: ${filename}`);
-        }
-        return object.body as unknown as ReadableStream<Uint8Array>;
-      } catch (error) {
-        if (error instanceof StorageError) throw error;
-        throw new StorageError(
-          "cloudflare-r2",
-          "download",
-          `Failed to download ${filename} from R2 bucket`,
-          error,
-        );
-      }
-    },
-
-    // Note: Cloudflare R2 does not natively support presigned URLs for client-side uploads
-    // via the internal binding API. To support Direct-to-Cloud uploads on Cloudflare,
-    // developers should use the `createS3Adapter` pointing to their R2 S3-compatible endpoint.
-  };
-}