VitPress-CMS/server/settings.mjs

import { db, setSetting } from "./db.mjs";
import { requireCmsUser } from "./auth.mjs";
import { json, readBody } from "./http.mjs";

function requireAdmin(request, response) {
  const user = requireCmsUser(request, response);

  if (!user) return undefined;

  if (user.role !== "system_admin") {
    json(response, 403, { error: "System admin permission is required" });
    return undefined;
  }

  return user;
}

function publicSetting(row) {
  return {
    key: row.key,
    value: row.encrypted ? "" : row.value,
    encrypted: Boolean(row.encrypted),
    updatedAt: row.updated_at,
  };
}

async function handleGetSettings(request, response) {
  if (!requireAdmin(request, response)) return;

  const rows = db
    .prepare("SELECT key, value, encrypted, updated_at FROM system_settings ORDER BY key")
    .all();

  json(response, 200, { settings: rows.map(publicSetting) });
}

async function handleSaveSettings(request, response) {
  if (!requireAdmin(request, response)) return;

  const body = JSON.parse(await readBody(request) || "{}");
  const settings = Array.isArray(body.settings) ? body.settings : [];

  settings.forEach((setting) => {
    if (!setting.key) return;
    setSetting(String(setting.key), String(setting.value ?? ""), Boolean(setting.encrypted));
  });

  json(response, 200, { ok: true });
}

export async function handleSettingsApi(request, response, url) {
  try {
    if (url.pathname === "/api/admin/settings" && request.method === "GET") {
      await handleGetSettings(request, response);
      return true;
    }

    if (url.pathname === "/api/admin/settings" && request.method === "PUT") {
      await handleSaveSettings(request, response);
      return true;
    }

    return false;
  } catch (error) {
    json(response, 500, {
      error: error instanceof Error ? error.message : "Unknown settings API error",
    });
    return true;
  }
}