initiation librodrome

2026-02-20 12:55:10 +01:00
commit 35e2897a73
208 changed files with 18951 additions and 0 deletions
--- a/server/api/admin/auth/check.get.ts
+++ b/server/api/admin/auth/check.get.ts
@@ -0,0 +1,20 @@
+export default defineEventHandler((event) => {
+  const config = useRuntimeConfig()
+
+  if (!config.adminSecret) {
+    throw createError({ statusCode: 503, statusMessage: 'Admin not configured' })
+  }
+
+  const token = getAdminToken(event)
+  if (!token) {
+    throw createError({ statusCode: 401, statusMessage: 'Not authenticated' })
+  }
+
+  const payload = verifyToken(token, config.adminSecret)
+  if (!payload) {
+    clearAdminCookie(event)
+    throw createError({ statusCode: 401, statusMessage: 'Invalid or expired token' })
+  }
+
+  return { authenticated: true }
+})
--- a/server/api/admin/auth/login.post.ts
+++ b/server/api/admin/auth/login.post.ts
@@ -0,0 +1,17 @@
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig()
+
+  if (!config.adminPassword || !config.adminSecret) {
+    throw createError({ statusCode: 503, statusMessage: 'Admin not configured' })
+  }
+
+  const body = await readBody<{ password?: string }>(event)
+
+  if (!body?.password || body.password !== config.adminPassword) {
+    throw createError({ statusCode: 401, statusMessage: 'Invalid password' })
+  }
+
+  setAdminCookie(event, config.adminSecret)
+
+  return { ok: true }
+})
--- a/server/api/admin/auth/logout.post.ts
+++ b/server/api/admin/auth/logout.post.ts
@@ -0,0 +1,4 @@
+export default defineEventHandler((event) => {
+  clearAdminCookie(event)
+  return { ok: true }
+})
--- a/server/api/admin/chapters/[slug].get.ts
+++ b/server/api/admin/chapters/[slug].get.ts
@@ -0,0 +1,30 @@
+import { readFile } from 'node:fs/promises'
+import { join } from 'node:path'
+
+export default defineEventHandler(async (event) => {
+  const slug = getRouterParam(event, 'slug')
+
+  if (!slug || !/^[a-z0-9-]+$/.test(slug)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid slug' })
+  }
+
+  const filePath = join(process.cwd(), 'content', 'book', `${slug}.md`)
+
+  try {
+    const raw = await readFile(filePath, 'utf-8')
+    const fmMatch = raw.match(/^---\n([\s\S]*?)\n---\n?/)
+
+    let frontmatter = ''
+    let body = raw
+
+    if (fmMatch) {
+      frontmatter = fmMatch[1]
+      body = raw.slice(fmMatch[0].length)
+    }
+
+    return { slug, frontmatter, body }
+  }
+  catch {
+    throw createError({ statusCode: 404, statusMessage: `Chapter "${slug}" not found` })
+  }
+})
--- a/server/api/admin/chapters/[slug].put.ts
+++ b/server/api/admin/chapters/[slug].put.ts
@@ -0,0 +1,23 @@
+import { writeFile } from 'node:fs/promises'
+import { join } from 'node:path'
+
+export default defineEventHandler(async (event) => {
+  const slug = getRouterParam(event, 'slug')
+
+  if (!slug || !/^[a-z0-9-]+$/.test(slug)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid slug' })
+  }
+
+  const body = await readBody<{ frontmatter: string; body: string }>(event)
+
+  if (!body?.frontmatter && !body?.body) {
+    throw createError({ statusCode: 400, statusMessage: 'Missing content' })
+  }
+
+  const filePath = join(process.cwd(), 'content', 'book', `${slug}.md`)
+  const content = `---\n${body.frontmatter.trim()}\n---\n${body.body}`
+
+  await writeFile(filePath, content, 'utf-8')
+
+  return { ok: true }
+})
--- a/server/api/admin/chapters/index.get.ts
+++ b/server/api/admin/chapters/index.get.ts
@@ -0,0 +1,47 @@
+import { readdir, readFile } from 'node:fs/promises'
+import { join } from 'node:path'
+
+export default defineEventHandler(async () => {
+  const bookDir = join(process.cwd(), 'content', 'book')
+  const files = await readdir(bookDir)
+  const mdFiles = files.filter(f => f.endsWith('.md')).sort()
+
+  const chapters = await Promise.all(
+    mdFiles.map(async (file) => {
+      const raw = await readFile(join(bookDir, file), 'utf-8')
+      const slug = file.replace(/\.md$/, '')
+      const frontmatter = parseFrontmatter(raw)
+      return { slug, ...frontmatter }
+    }),
+  )
+
+  return chapters.sort((a, b) => (a.order ?? 0) - (b.order ?? 0))
+})
+
+function parseFrontmatter(content: string): Record<string, unknown> {
+  const match = content.match(/^---\n([\s\S]*?)\n---/)
+  if (!match) return {}
+
+  const lines = match[1].split('\n')
+  const result: Record<string, unknown> = {}
+
+  for (const line of lines) {
+    const colonIdx = line.indexOf(':')
+    if (colonIdx === -1) continue
+    const key = line.slice(0, colonIdx).trim()
+    let value: string | number = line.slice(colonIdx + 1).trim()
+    // Remove quotes
+    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+      value = value.slice(1, -1)
+    }
+    // Parse numbers
+    if (/^\d+$/.test(value)) {
+      result[key] = parseInt(value, 10)
+    }
+    else {
+      result[key] = value
+    }
+  }
+
+  return result
+}
--- a/server/api/admin/content/config.put.ts
+++ b/server/api/admin/content/config.put.ts
@@ -0,0 +1,5 @@
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  await writeYaml('librodrome.config.yml', body)
+  return { ok: true }
+})
--- a/server/api/admin/content/pages/[name].put.ts
+++ b/server/api/admin/content/pages/[name].put.ts
@@ -0,0 +1,11 @@
+export default defineEventHandler(async (event) => {
+  const name = getRouterParam(event, 'name')
+
+  if (!name || !/^[a-z0-9-]+$/.test(name)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid page name' })
+  }
+
+  const body = await readBody(event)
+  await writeYaml(`pages/${name}.yml`, body)
+  return { ok: true }
+})
--- a/server/api/admin/content/site.put.ts
+++ b/server/api/admin/content/site.put.ts
@@ -0,0 +1,5 @@
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+  await writeYaml('site.yml', body)
+  return { ok: true }
+})
--- a/server/api/admin/media/[...path].delete.ts
+++ b/server/api/admin/media/[...path].delete.ts
@@ -0,0 +1,31 @@
+import { unlink } from 'node:fs/promises'
+import { join } from 'node:path'
+
+export default defineEventHandler(async (event) => {
+  const path = getRouterParam(event, 'path')
+
+  if (!path) {
+    throw createError({ statusCode: 400, statusMessage: 'No path provided' })
+  }
+
+  // Prevent path traversal
+  if (path.includes('..')) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid path' })
+  }
+
+  const publicDir = join(process.cwd(), 'public')
+  const filePath = join(publicDir, path)
+
+  // Ensure file is within public dir
+  if (!filePath.startsWith(publicDir)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid path' })
+  }
+
+  try {
+    await unlink(filePath)
+    return { ok: true }
+  }
+  catch {
+    throw createError({ statusCode: 404, statusMessage: 'File not found' })
+  }
+})
--- a/server/api/admin/media/index.get.ts
+++ b/server/api/admin/media/index.get.ts
@@ -0,0 +1,52 @@
+import { readdir, stat } from 'node:fs/promises'
+import { join, relative } from 'node:path'
+
+interface MediaFile {
+  name: string
+  path: string
+  size: number
+  type: string
+  modifiedAt: string
+}
+
+export default defineEventHandler(async () => {
+  const publicDir = join(process.cwd(), 'public')
+  const files: MediaFile[] = []
+
+  await walk(publicDir, publicDir, files)
+
+  return files.sort((a, b) => b.modifiedAt.localeCompare(a.modifiedAt))
+})
+
+async function walk(dir: string, root: string, files: MediaFile[]) {
+  const entries = await readdir(dir, { withFileTypes: true })
+
+  for (const entry of entries) {
+    const fullPath = join(dir, entry.name)
+
+    // Skip hidden files and gratewizard-app
+    if (entry.name.startsWith('.') || entry.name === 'gratewizard-app') continue
+
+    if (entry.isDirectory()) {
+      await walk(fullPath, root, files)
+    }
+    else {
+      const info = await stat(fullPath)
+      const relPath = '/' + relative(root, fullPath)
+      const ext = entry.name.split('.').pop()?.toLowerCase() ?? ''
+
+      let type = 'other'
+      if (['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg'].includes(ext)) type = 'image'
+      else if (['mp3', 'wav', 'ogg', 'flac', 'm4a'].includes(ext)) type = 'audio'
+      else if (['pdf'].includes(ext)) type = 'document'
+
+      files.push({
+        name: entry.name,
+        path: relPath,
+        size: info.size,
+        type,
+        modifiedAt: info.mtime.toISOString(),
+      })
+    }
+  }
+}
--- a/server/api/admin/media/upload.post.ts
+++ b/server/api/admin/media/upload.post.ts
@@ -0,0 +1,37 @@
+import { writeFile, mkdir } from 'node:fs/promises'
+import { join, dirname } from 'node:path'
+
+export default defineEventHandler(async (event) => {
+  const formData = await readMultipartFormData(event)
+
+  if (!formData || formData.length === 0) {
+    throw createError({ statusCode: 400, statusMessage: 'No files provided' })
+  }
+
+  const publicDir = join(process.cwd(), 'public')
+  const uploaded: string[] = []
+
+  for (const file of formData) {
+    if (!file.filename || !file.data) continue
+
+    // Sanitize filename
+    const safeName = file.filename.replace(/[^a-zA-Z0-9._-]/g, '_')
+
+    // Determine subdirectory from content type
+    let subdir = 'uploads'
+    const type = file.type ?? ''
+    if (type.startsWith('image/')) subdir = 'images'
+    else if (type.startsWith('audio/')) subdir = 'audio'
+    else if (type === 'application/pdf') subdir = 'pdf'
+
+    const targetDir = join(publicDir, subdir)
+    await mkdir(targetDir, { recursive: true })
+
+    const targetPath = join(targetDir, safeName)
+    await writeFile(targetPath, file.data)
+
+    uploaded.push(`/${subdir}/${safeName}`)
+  }
+
+  return { ok: true, files: uploaded }
+})
--- a/server/api/admin/messages/[id].delete.ts
+++ b/server/api/admin/messages/[id].delete.ts
@@ -0,0 +1,19 @@
+export default defineEventHandler(async (event) => {
+  const id = Number(getRouterParam(event, 'id'))
+
+  if (!id || isNaN(id)) {
+    throw createError({ statusCode: 400, statusMessage: 'ID invalide' })
+  }
+
+  const data = await readYaml<{ messages: any[] }>('messages.yml')
+
+  const index = data.messages.findIndex(m => m.id === id)
+  if (index === -1) {
+    throw createError({ statusCode: 404, statusMessage: 'Message non trouvé' })
+  }
+
+  data.messages.splice(index, 1)
+  await writeYaml('messages.yml', data)
+
+  return { ok: true }
+})
--- a/server/api/admin/messages/[id].put.ts
+++ b/server/api/admin/messages/[id].put.ts
@@ -0,0 +1,23 @@
+export default defineEventHandler(async (event) => {
+  const id = Number(getRouterParam(event, 'id'))
+
+  if (!id || isNaN(id)) {
+    throw createError({ statusCode: 400, statusMessage: 'ID invalide' })
+  }
+
+  const body = await readBody<{ text?: string; published?: boolean; author?: string }>(event)
+  const data = await readYaml<{ messages: any[] }>('messages.yml')
+
+  const message = data.messages.find(m => m.id === id)
+  if (!message) {
+    throw createError({ statusCode: 404, statusMessage: 'Message non trouvé' })
+  }
+
+  if (body.text !== undefined) message.text = body.text
+  if (body.published !== undefined) message.published = body.published
+  if (body.author !== undefined) message.author = body.author
+
+  await writeYaml('messages.yml', data)
+
+  return { ok: true }
+})
--- a/server/api/admin/messages/index.get.ts
+++ b/server/api/admin/messages/index.get.ts
@@ -0,0 +1,4 @@
+export default defineEventHandler(async () => {
+  const data = await readYaml<{ messages: any[] }>('messages.yml')
+  return data.messages.sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime())
+})
--- a/server/api/content/config.get.ts
+++ b/server/api/content/config.get.ts
@@ -0,0 +1,3 @@
+export default defineEventHandler(async () => {
+  return await readYaml('librodrome.config.yml')
+})
--- a/server/api/content/pages/[name].get.ts
+++ b/server/api/content/pages/[name].get.ts
@@ -0,0 +1,14 @@
+export default defineEventHandler(async (event) => {
+  const name = getRouterParam(event, 'name')
+
+  if (!name || !/^[a-z0-9-]+$/.test(name)) {
+    throw createError({ statusCode: 400, statusMessage: 'Invalid page name' })
+  }
+
+  try {
+    return await readYaml(`pages/${name}.yml`)
+  }
+  catch {
+    throw createError({ statusCode: 404, statusMessage: `Page "${name}" not found` })
+  }
+})
--- a/server/api/content/site.get.ts
+++ b/server/api/content/site.get.ts
@@ -0,0 +1,3 @@
+export default defineEventHandler(async () => {
+  return await readYaml('site.yml')
+})
--- a/server/api/health.ts
+++ b/server/api/health.ts
@@ -0,0 +1,6 @@
+export default defineEventHandler(() => {
+  return {
+    status: 'ok',
+    timestamp: new Date().toISOString(),
+  }
+})
--- a/server/api/messages/index.get.ts
+++ b/server/api/messages/index.get.ts
@@ -0,0 +1,7 @@
+export default defineEventHandler(async () => {
+  const data = await readYaml<{ messages: any[] }>('messages.yml')
+  const published = data.messages
+    .filter(m => m.published)
+    .sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime())
+  return published
+})
--- a/server/api/messages/index.post.ts
+++ b/server/api/messages/index.post.ts
@@ -0,0 +1,24 @@
+export default defineEventHandler(async (event) => {
+  const body = await readBody<{ author: string; email?: string; text: string }>(event)
+
+  if (!body.author?.trim() || !body.text?.trim()) {
+    throw createError({ statusCode: 400, statusMessage: 'Nom et message requis' })
+  }
+
+  const data = await readYaml<{ messages: any[] }>('messages.yml')
+
+  const maxId = data.messages.reduce((max, m) => Math.max(max, m.id || 0), 0)
+
+  data.messages.push({
+    id: maxId + 1,
+    author: body.author.trim(),
+    email: body.email?.trim() || '',
+    text: body.text.trim(),
+    published: false,
+    createdAt: new Date().toISOString(),
+  })
+
+  await writeYaml('messages.yml', data)
+
+  return { ok: true }
+})
--- a/server/middleware/admin-auth.ts
+++ b/server/middleware/admin-auth.ts
@@ -0,0 +1,24 @@
+export default defineEventHandler((event) => {
+  const path = getRequestURL(event).pathname
+
+  // Only protect /api/admin/* routes, excluding auth endpoints
+  if (!path.startsWith('/api/admin/')) return
+  if (path.startsWith('/api/admin/auth/')) return
+
+  const config = useRuntimeConfig()
+
+  if (!config.adminSecret) {
+    throw createError({ statusCode: 503, statusMessage: 'Admin not configured' })
+  }
+
+  const token = getAdminToken(event)
+  if (!token) {
+    throw createError({ statusCode: 401, statusMessage: 'Not authenticated' })
+  }
+
+  const payload = verifyToken(token, config.adminSecret)
+  if (!payload) {
+    clearAdminCookie(event)
+    throw createError({ statusCode: 401, statusMessage: 'Invalid or expired token' })
+  }
+})
--- a/server/utils/admin-auth.ts
+++ b/server/utils/admin-auth.ts
@@ -0,0 +1,56 @@
+import { createHmac, timingSafeEqual } from 'node:crypto'
+
+const TOKEN_COOKIE = 'admin_token'
+const TOKEN_MAX_AGE = 60 * 60 * 24 // 24h
+
+export function signToken(payload: string, secret: string): string {
+  const hmac = createHmac('sha256', secret)
+  hmac.update(payload)
+  return payload + '.' + hmac.digest('hex')
+}
+
+export function verifyToken(token: string, secret: string): string | null {
+  const dotIndex = token.lastIndexOf('.')
+  if (dotIndex === -1) return null
+
+  const payload = token.slice(0, dotIndex)
+  const expected = signToken(payload, secret)
+
+  const a = Buffer.from(token)
+  const b = Buffer.from(expected)
+
+  if (a.length !== b.length) return null
+  if (!timingSafeEqual(a, b)) return null
+
+  // Check expiry
+  try {
+    const data = JSON.parse(payload)
+    if (data.exp && data.exp < Math.floor(Date.now() / 1000)) return null
+    return payload
+  }
+  catch {
+    return null
+  }
+}
+
+export function setAdminCookie(event: any, secret: string): void {
+  const exp = Math.floor(Date.now() / 1000) + TOKEN_MAX_AGE
+  const payload = JSON.stringify({ role: 'admin', exp })
+  const token = signToken(payload, secret)
+
+  setCookie(event, TOKEN_COOKIE, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: TOKEN_MAX_AGE,
+    path: '/',
+  })
+}
+
+export function clearAdminCookie(event: any): void {
+  deleteCookie(event, TOKEN_COOKIE, { path: '/' })
+}
+
+export function getAdminToken(event: any): string | null {
+  return getCookie(event, TOKEN_COOKIE) ?? null
+}
--- a/server/utils/content.ts
+++ b/server/utils/content.ts
@@ -0,0 +1,37 @@
+import { readFile, writeFile } from 'node:fs/promises'
+import { join } from 'node:path'
+import yaml from 'yaml'
+
+const dataDir = join(process.cwd(), 'data')
+
+const cache = new Map<string, { data: unknown; mtime: number }>()
+
+export async function readYaml<T = unknown>(relativePath: string): Promise<T> {
+  const filePath = join(dataDir, relativePath)
+  const cached = cache.get(filePath)
+
+  if (cached && Date.now() - cached.mtime < 5000) {
+    return cached.data as T
+  }
+
+  const raw = await readFile(filePath, 'utf-8')
+  const data = yaml.parse(raw) as T
+  cache.set(filePath, { data, mtime: Date.now() })
+  return data
+}
+
+export async function writeYaml(relativePath: string, data: unknown): Promise<void> {
+  const filePath = join(dataDir, relativePath)
+  const raw = yaml.stringify(data, { lineWidth: 120 })
+  await writeFile(filePath, raw, 'utf-8')
+  cache.delete(filePath)
+}
+
+export function invalidateCache(relativePath?: string): void {
+  if (relativePath) {
+    cache.delete(join(dataDir, relativePath))
+  }
+  else {
+    cache.clear()
+  }
+}