diff options
Diffstat (limited to 'internal/server/adminserver.go')
| -rw-r--r-- | internal/server/adminserver.go | 664 |
1 files changed, 664 insertions, 0 deletions
diff --git a/internal/server/adminserver.go b/internal/server/adminserver.go new file mode 100644 index 0000000..6b46bf3 --- /dev/null +++ b/internal/server/adminserver.go @@ -0,0 +1,664 @@ +// Package admin provides an HTTP server for managing posts via a web UI. +// Admin pages are served dynamically and are never written to the static +// output directory — they are intentionally excluded from the site generator. +package server + +import ( + "bytes" + "encoding/json" + "fmt" + "html/template" + "io" + "io/fs" + "net/http" + "os" + "path/filepath" + "regexp" + "strings" + "sync/atomic" + "time" + + "github.com/gin-gonic/gin" + "github.com/gosimple/slug" + + auth "iblog/internal" + "iblog/internal/db" +) + +// Server is an http.Handler that serves the admin post-management UI. +type Server struct { + // AuthFile is the path to the htpasswd-compatible passwords file. + AuthFile string + // DB provides access to all post records and search indexing + DB *db.DB + // PublicDir is the directory where cache files are stored + PublicDir string + // DataDir is the writable data directory (parent of AuthFile) + DataDir string + + adminAssets fs.FS + siteAssets fs.FS + configured atomic.Bool + + engine *gin.Engine +} + +// Post holds the metadata and content for form display and submission. +type Post struct { + Slug string + Id string + Title string + Date string + Tags []string + Draft bool + Blocks string // raw EditorJS JSON +} + +// NewAdminServer creates a new admin server with Gin routing and auth middleware. +// tmpl must be provided before any routes are registered so SetHTMLTemplate is +// called at the right time (Gin requires this to be thread-safe). +func NewAdminServer(authFile string, database *db.DB, publicDir string, adminAssets, siteAssets fs.FS, tmpl *template.Template) *Server { + s := &Server{ + AuthFile: authFile, + DB: database, + PublicDir: publicDir, + DataDir: filepath.Dir(authFile), + adminAssets: adminAssets, + siteAssets: siteAssets, + } + s.configured.Store(auth.NewAuth(authFile).IsConfigured()) + + s.engine = gin.Default() + s.engine.SetTrustedProxies(nil) + s.engine.SetHTMLTemplate(tmpl) + + // Redirect to /setup when the site has not been configured yet. + // Skip the setup route itself and all asset paths so the form loads properly. + s.engine.Use(func(c *gin.Context) { + if !s.configured.Load() { + p := c.Request.URL.Path + if p != "/setup" && !strings.HasPrefix(p, "/assets/") { + c.Redirect(http.StatusFound, "/setup") + c.Abort() + return + } + } + c.Next() + }) + + // Setup routes — no auth, only accessible before the site is configured. + s.engine.GET("/setup", s.handleSetupGet) + s.engine.POST("/setup", s.handleSetupPost) + + // Silent auth probe: returns 200 if authenticated, 403 if not. + // Must not send WWW-Authenticate so the browser never shows a login dialog. + s.engine.GET("/admin/ping", func(c *gin.Context) { + if s.AuthFile == "" { + c.AbortWithStatus(http.StatusForbidden) + return + } + username, password, ok := c.Request.BasicAuth() + if !ok { + c.AbortWithStatus(http.StatusForbidden) + return + } + a := auth.NewAuth(s.AuthFile) + valid, err := a.Verify(username, password) + if err != nil || !valid { + c.AbortWithStatus(http.StatusForbidden) + return + } + c.Status(http.StatusOK) + }) + + // Admin post routes (protected) + admin := s.engine.Group("/admin") + admin.Use(s.authMiddleware()) + { + admin.GET("/", s.handleList) + admin.GET("/settings", s.handleSettingsGet) + admin.POST("/settings", s.handleSettingsPost) + admin.GET("/new", s.handleNew) + admin.POST("/", s.handleNewPost) + admin.GET("/:slug", s.handleEdit) + admin.POST("/:slug", s.handleEdit) + admin.DELETE("/:slug", s.handleDelete) + } + + // Asset serving: /assets/admin/* requires auth and is served from embedded adminAssets. + // All other /assets/* are public and served from embedded siteAssets. + { + adminMW := s.authMiddleware() + adminHandler := EmbedHandler(s.adminAssets, "assets") + siteHandler := EmbedHandler(s.siteAssets, "assets") + s.engine.GET("/assets/*filepath", func(c *gin.Context) { + fp := c.Param("filepath") + if strings.HasPrefix(fp, "/admin") { + adminMW(c) + if c.IsAborted() { + return + } + adminHandler(c) + return + } + // Logo override: serve user-uploaded logo before falling back to embedded. + if fp == "/static/image.png" { + s.handleLogo(c) + return + } + siteHandler(c) + }) + } + + return s +} + +func (s *Server) Engine() *gin.Engine { + return s.engine +} + +// RegisterUploadRoute registers handler under POST /admin/upload/image +// behind the admin Basic Auth middleware. +func (s *Server) RegisterUploadRoute(handler gin.HandlerFunc) { + admin := s.engine.Group("/admin") + admin.Use(s.authMiddleware()) + admin.POST("/upload/image", handler) +} + +func (s *Server) authMiddleware() gin.HandlerFunc { + return func(c *gin.Context) { + if s.AuthFile == "" { + c.AbortWithStatus(http.StatusUnauthorized) + return + } + + if _, err := os.Stat(s.AuthFile); os.IsNotExist(err) { + c.AbortWithStatus(http.StatusUnauthorized) + return + } + + username, password, ok := c.Request.BasicAuth() + if !ok { + c.Header("WWW-Authenticate", `Basic realm="Admin"`) + c.AbortWithStatus(http.StatusUnauthorized) + return + } + + a := auth.NewAuth(s.AuthFile) + valid, err := a.Verify(username, password) + + if err != nil || !valid { + c.Header("WWW-Authenticate", `Basic realm="Admin"`) + c.AbortWithStatus(http.StatusUnauthorized) + return + } + + c.Next() + } +} + +func (s *Server) handleList(c *gin.Context) { + posts, err := s.DB.ListPosts(true) // includeDrafts=true for admin view + if err != nil { + c.HTML(http.StatusInternalServerError, "base", gin.H{ + "Title": "Error", + "ContentTemplate": "error-content", + "Message": "Failed to list posts: " + err.Error(), + }) + return + } + + // Convert PostRecord to Post for template + var formPosts []Post + for _, p := range posts { + formPosts = append(formPosts, Post{ + Slug: p.Slug, + Title: p.Title, + Date: p.Date, + Tags: p.Tags, + Draft: p.Draft, + Blocks: p.Blocks, + }) + } + + c.HTML(http.StatusOK, "base", gin.H{ + "Title": "Posts", + "ContentTemplate": "list-content", + "Posts": formPosts, + }) +} + +func (s *Server) handleNew(c *gin.Context) { + c.HTML(http.StatusOK, "base", gin.H{ + "Title": "New Post", + "ContentTemplate": "form-content", + "Action": "/admin/", + "Post": Post{ + Date: time.Now().Format("2006-01-02"), + Blocks: "[]", + }, + "IsNew": true, + }) +} + +func (s *Server) handleNewPost(c *gin.Context) { + p := postFromForm(c) + if p.Title == "" { + s.renderError(c, "Title is required") + return + } + + if p.Slug == "" { + p.Slug = slugify(p.Title) + } + if !validSlug.MatchString(p.Slug) { + s.renderError(c, fmt.Sprintf("Invalid slug %q: use lowercase letters, numbers, and hyphens only", p.Slug)) + return + } + + // Check if post already exists + existing, err := s.DB.GetPostBySlug(p.Slug) + if err == nil && existing != nil { + s.renderError(c, fmt.Sprintf("Post %q already exists", p.Slug)) + return + } + + // Prepare post record with current timestamp + record := db.PostRecord{ + Slug: p.Slug, + Title: p.Title, + Date: p.Date, + Tags: p.Tags, + Draft: p.Draft, + Blocks: p.Blocks, + UpdatedAt: time.Now().UnixMicro(), + } + + // Upsert post + if err := s.DB.UpsertPost(record); err != nil { + c.HTML(http.StatusInternalServerError, "base", gin.H{ + "Title": "Error", + "ContentTemplate": "error-content", + "Message": err.Error(), + }) + return + } + + // Index in search database + plainText := extractPlainTextFromEditorJS(p.Blocks) + _ = s.DB.IndexPage(db.SearchPage{ + Path: "/" + p.Slug, + Title: p.Title, + Content: plainText, + }) + + c.Redirect(http.StatusSeeOther, "/admin/") +} + +func (s *Server) handleEdit(c *gin.Context) { + slug := c.Param("slug") + rec, err := s.DB.GetPostBySlug(slug) + if err != nil { + c.HTML(http.StatusNotFound, "base", gin.H{ + "Title": "Not Found", + "ContentTemplate": "error-content", + "Message": "Post not found", + }) + return + } + + p := Post{ + Slug: rec.Slug, + Title: rec.Title, + Date: rec.Date, + Tags: rec.Tags, + Draft: rec.Draft, + Blocks: rec.Blocks, + } + + if c.Request.Method == http.MethodPost { + updated := postFromForm(c) + if updated.Title == "" { + s.renderError(c, "Title is required") + return + } + + targetSlug := slug // default: slug unchanged + + record := db.PostRecord{ + Slug: targetSlug, + Title: updated.Title, + Date: updated.Date, + Tags: updated.Tags, + Draft: updated.Draft, + Blocks: updated.Blocks, + UpdatedAt: time.Now().UnixMicro(), + } + + if updated.Slug != "" && updated.Slug != slug { + // Slug rename requested + if !validSlug.MatchString(updated.Slug) { + s.renderError(c, fmt.Sprintf("Invalid slug %q: use lowercase letters, numbers, and hyphens only", updated.Slug)) + return + } + // Check target slug is not already taken + if existing, err := s.DB.GetPostBySlug(updated.Slug); err == nil && existing != nil { + s.renderError(c, fmt.Sprintf("Post %q already exists", updated.Slug)) + return + } + // Atomically rename and update content in one transaction + record.Slug = updated.Slug + if err := s.DB.RenameAndUpsertPost(slug, record); err != nil { + s.renderError(c, "Failed to rename post: "+err.Error()) + return + } + // Invalidate old cache and remove old search entry + s.invalidatePostCache(slug) + _ = s.DB.UnindexPage("/" + slug) + targetSlug = updated.Slug + } else { + if err := s.DB.UpsertPost(record); err != nil { + c.HTML(http.StatusInternalServerError, "base", gin.H{ + "Title": "Error", + "ContentTemplate": "error-content", + "Message": err.Error(), + }) + return + } + } + + // Invalidate cache for the target slug + s.invalidatePostCache(targetSlug) + + // Re-index with target slug + plainText := extractPlainTextFromEditorJS(updated.Blocks) + _ = s.DB.IndexPage(db.SearchPage{ + Path: "/" + targetSlug, + Title: updated.Title, + Content: plainText, + }) + + c.Redirect(http.StatusSeeOther, "/admin/") + return + } + + // GET: render form + c.HTML(http.StatusOK, "base", gin.H{ + "Title": "Edit Post", + "ContentTemplate": "form-content", + "Action": "/admin/" + slug, + "Post": p, + "IsNew": false, + }) +} + +func (s *Server) handleDelete(c *gin.Context) { + slug := c.Param("slug") + if err := s.DB.DeletePostBySlug(slug); err != nil { + c.HTML(http.StatusInternalServerError, "base", gin.H{ + "Title": "Error", + "ContentTemplate": "error-content", + "Message": err.Error(), + }) + return + } + + // Invalidate cache files + s.invalidatePostCache(slug) + + // Remove from search index + _ = s.DB.UnindexPage("/" + slug) + + c.Redirect(http.StatusSeeOther, "/admin/") +} + +func (s *Server) handleSetupGet(c *gin.Context) { + if s.configured.Load() { + c.Redirect(http.StatusFound, "/admin/") + return + } + c.HTML(http.StatusOK, "setup.html", gin.H{}) +} + +func (s *Server) handleSetupPost(c *gin.Context) { + if s.configured.Load() { + c.Redirect(http.StatusFound, "/admin/") + return + } + + username := strings.TrimSpace(c.PostForm("username")) + password := c.PostForm("password") + confirm := c.PostForm("confirm") + siteTitle := strings.TrimSpace(c.PostForm("site_title")) + siteDesc := strings.TrimSpace(c.PostForm("site_description")) + + redisplay := func(msg string) { + c.HTML(http.StatusBadRequest, "setup.html", gin.H{ + "Error": msg, + "Username": username, + "SiteTitle": siteTitle, + "SiteDescription": siteDesc, + }) + } + + if username == "" { + redisplay("Username is required") + return + } + if password == "" { + redisplay("Password is required") + return + } + if password != confirm { + redisplay("Passwords do not match") + return + } + + // Create admin user + a := auth.NewAuth(s.AuthFile) + if err := a.AddUserWithPassword(username, password); err != nil { + redisplay("Failed to create user: " + err.Error()) + return + } + + // Save optional site settings + if siteTitle != "" { + _ = s.DB.SetSetting("site_title", siteTitle) + } + if siteDesc != "" { + _ = s.DB.SetSetting("site_description", siteDesc) + } + + // Save optional logo (ignore errors — setup can proceed without it) + _ = s.saveLogoUpload(c) + + s.configured.Store(true) + c.Redirect(http.StatusSeeOther, "/admin/") +} + +func (s *Server) handleSettingsGet(c *gin.Context) { + title, _ := s.DB.GetSetting("site_title") + desc, _ := s.DB.GetSetting("site_description") + c.HTML(http.StatusOK, "base", gin.H{ + "Title": "Settings", + "ContentTemplate": "settings-content", + "SiteTitle": title, + "SiteDescription": desc, + }) +} + +func (s *Server) handleSettingsPost(c *gin.Context) { + siteTitle := strings.TrimSpace(c.PostForm("site_title")) + siteDesc := strings.TrimSpace(c.PostForm("site_description")) + + _ = s.DB.SetSetting("site_title", siteTitle) + _ = s.DB.SetSetting("site_description", siteDesc) + + if err := s.saveLogoUpload(c); err != nil { + title, _ := s.DB.GetSetting("site_title") + desc, _ := s.DB.GetSetting("site_description") + c.HTML(http.StatusBadRequest, "base", gin.H{ + "Title": "Settings", + "ContentTemplate": "settings-content", + "Error": err.Error(), + "SiteTitle": title, + "SiteDescription": desc, + }) + return + } + + title, _ := s.DB.GetSetting("site_title") + desc, _ := s.DB.GetSetting("site_description") + c.HTML(http.StatusOK, "base", gin.H{ + "Title": "Settings", + "ContentTemplate": "settings-content", + "Success": true, + "SiteTitle": title, + "SiteDescription": desc, + }) +} + +// saveLogoUpload saves an uploaded logo file to DataDir if one was provided. +// Returns nil if no file was uploaded (blank is not an error). +func (s *Server) saveLogoUpload(c *gin.Context) error { + file, _, err := c.Request.FormFile("logo") + if err != nil { + return nil // no file — not an error + } + defer file.Close() + + sniff := make([]byte, 512) + n, _ := file.Read(sniff) + mimeType := http.DetectContentType(sniff[:n]) + extMap := map[string]string{ + "image/jpeg": ".jpg", + "image/png": ".png", + "image/webp": ".webp", + } + ext, ok := extMap[mimeType] + if !ok { + return fmt.Errorf("unsupported image type: %s", mimeType) + } + + logoPath := filepath.Join(s.DataDir, "logo"+ext) + out, err := os.Create(logoPath) + if err != nil { + return fmt.Errorf("could not save logo: %w", err) + } + defer out.Close() + _, err = io.Copy(out, io.MultiReader(bytes.NewReader(sniff[:n]), file)) + return err +} + +func (s *Server) handleLogo(c *gin.Context) { + extTypes := map[string]string{ + ".png": "image/png", + ".jpg": "image/jpeg", + ".webp": "image/webp", + } + for ext, ct := range extTypes { + p := filepath.Join(s.DataDir, "logo"+ext) + if f, err := os.Open(p); err == nil { + defer f.Close() + info, _ := f.Stat() + c.Header("Content-Type", ct) + http.ServeContent(c.Writer, c.Request, "image"+ext, info.ModTime(), f) + return + } + } + // Fall back to embedded default + data, err := fs.ReadFile(s.siteAssets, "assets/static/image.png") + if err != nil { + c.AbortWithStatus(http.StatusNotFound) + return + } + c.Data(http.StatusOK, "image/png", data) +} + +// invalidatePostCache removes cache files for a post to force regeneration. +func (s *Server) invalidatePostCache(slug string) { + htmlCache := filepath.Join(s.PublicDir, slug+".html") + jsonCache := filepath.Join(s.PublicDir, slug+".json") + _ = os.Remove(htmlCache) + _ = os.Remove(jsonCache) +} + +func (s *Server) renderError(c *gin.Context, msg string) { + c.HTML(http.StatusBadRequest, "base", gin.H{ + "Title": "Error", + "ContentTemplate": "error-content", + "Message": msg, + }) +} + +func postFromForm(c *gin.Context) Post { + tagsStr := strings.TrimSpace(c.PostForm("tags")) + var tags []string + if tagsStr != "" { + for _, t := range strings.Split(tagsStr, ",") { + t = strings.TrimSpace(t) + if t != "" { + tags = append(tags, t) + } + } + } + + draft := c.PostForm("draft") != "" + + return Post{ + Slug: strings.TrimSpace(c.PostForm("slug")), + Title: strings.TrimSpace(c.PostForm("title")), + Date: strings.TrimSpace(c.PostForm("date")), + Tags: tags, + Blocks: c.PostForm("blocks"), + Draft: draft, + } +} + +// slugify converts a title to a URL-safe slug. +var validSlug = regexp.MustCompile(`^[a-z0-9]+(?:-[a-z0-9]+)*$`) + +func slugify(title string) string { + s := slug.Make(title) + if s == "" { + s = fmt.Sprintf("post-%d", time.Now().Unix()) + } + return s +} + +// extractPlainTextFromEditorJS extracts plain text from EditorJS blocks for indexing. +// It's a simple extraction that pulls text from paragraph and header blocks. +func extractPlainTextFromEditorJS(blocksJSON string) string { + if blocksJSON == "" || blocksJSON == "[]" { + return "" + } + + type block struct { + Type string `json:"type"` + Data json.RawMessage `json:"data"` + } + + type doc struct { + Blocks []block `json:"blocks"` + } + + var d doc + if err := json.Unmarshal([]byte(blocksJSON), &d); err != nil { + return "" + } + + var texts []string + for _, b := range d.Blocks { + switch b.Type { + case "paragraph", "header": + var data struct { + Text string `json:"text"` + } + if err := json.Unmarshal(b.Data, &data); err == nil && data.Text != "" { + texts = append(texts, data.Text) + } + } + } + + return strings.Join(texts, " ") +} |