Initial commit

.gitignore

@@ -0,0 +1 @@
+*.qcow2

README.md

@@ -0,0 +1 @@
+# archtika

flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1721497942,
+        "narHash": "sha256-EDPL9qJfklXoowl3nEBmjDIqcvXKUZInt5n6CCc1Hn4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d43f0636fc9492e83be8bbb41f9595d7a87106b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,172 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+  };
+
+  outputs =
+    { self, nixpkgs, ... }:
+    let
+      allSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+
+      forAllSystems = nixpkgs.lib.genAttrs allSystems;
+    in
+    {
+      devShells = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        {
+          api = pkgs.mkShell {
+            packages = with pkgs; [
+              dbmate
+              postgrest
+            ];
+          };
+          web = pkgs.mkShell { packages = with pkgs; [ nodejs_22 ]; };
+        }
+      );
+
+      packages = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        {
+          api-setup = pkgs.writeShellScriptBin "api-setup" ''
+            source .env
+
+            ${pkgs.postgresql_16}/bin/psql $DATABASE_URL -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'"
+
+            ${pkgs.dbmate}/bin/dbmate up
+
+            echo "Running command: PGRST_DB_URI=\"$PGRST_DB_URI\" PGRST_JWT_SECRET=\"$JWT_SECRET\" ${pkgs.postgrest}/bin/postgrest postgrest.conf"
+
+            PGRST_DB_URI="$PGRST_DB_URI" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest postgrest.conf
+          '';
+          dev-vm = self.nixosConfigurations.${system}.dev-vm.config.system.build.vm;
+        }
+      );
+
+      nixosConfigurations = forAllSystems (system: {
+        dev-vm = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            self.nixosModules.dev-vm
+            {
+              virtualisation =
+                nixpkgs.lib.optionalAttrs
+                  (nixpkgs.lib.elem system [
+                    "x86_64-darwin"
+                    "aarch64-darwin"
+                  ])
+                  {
+                    vmVariant = {
+                      virtualisation.host.pkgs = nixpkgs.legacyPackages.${system};
+                    };
+                  };
+            }
+          ];
+        };
+      });
+
+      nixosModules.dev-vm =
+        {
+          pkgs,
+          lib,
+          modulesPath,
+          ...
+        }:
+        {
+          imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" ];
+
+          networking = {
+            hostName = "archtika";
+            firewall.enable = false;
+          };
+
+          nix.settings.experimental-features = [ "nix-command flakes" ];
+
+          users.users.dev = {
+            isNormalUser = true;
+            extraGroups = [ "wheel" ];
+            password = "dev";
+          };
+
+          systemd.tmpfiles.rules = [ "d /var/www/archtika-websites 0777 root root -" ];
+
+          virtualisation = {
+            graphics = false;
+            sharedDirectories = {
+              websites = {
+                source = "/var/www/archtika-websites";
+                target = "/var/www/archtika-websites";
+              };
+            };
+            # Alternatively a bridge network for QEMU could be setup, but requires much more effort
+            forwardPorts = [
+              {
+                from = "host";
+                host.port = 15432;
+                guest.port = 5432;
+              }
+              {
+                from = "host";
+                host.port = 18000;
+                guest.port = 80;
+              }
+            ];
+          };
+
+          services = {
+            postgresql = {
+              enable = true;
+              package = pkgs.postgresql_16;
+              ensureDatabases = [ "archtika" ];
+              authentication = lib.mkForce ''
+                local all all trust
+                host all all all trust
+              '';
+              enableTCPIP = true;
+              extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
+            };
+            nginx = {
+              enable = true;
+              virtualHosts."_" = {
+                listen = [
+                  {
+                    addr = "0.0.0.0";
+                    port = 80;
+                  }
+                ];
+                locations = {
+                  "/" = {
+                    root = "/var/www/archtika-websites";
+                    index = "index.html";
+                    tryFiles = "$uri $uri/ $uri/index.html =404";
+                    extraConfig = ''
+                      autoindex on;
+                    '';
+                  };
+                };
+              };
+            };
+          };
+
+          system.stateVersion = "24.05";
+        };
+
+      formatter = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        pkgs.nixfmt-rfc-style
+      );
+    };
+}

rest-api/.env

@@ -0,0 +1,3 @@
+DATABASE_URL="postgres://postgres@localhost:15432/archtika?sslmode=disable"
+PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika?sslmode=disable"
+JWT_SECRET="a42kVyAhTImYxZeebZkApoAZLmf0VtDA"

rest-api/db/migrations/20240719071602_main_tables.sql

@@ -0,0 +1,125 @@
+-- migrate:up
+CREATE SCHEMA api;
+
+CREATE ROLE anon NOLOGIN NOINHERIT;
+GRANT USAGE ON SCHEMA api TO anon;
+
+CREATE ROLE authenticated_user NOLOGIN NOINHERIT;
+GRANT USAGE ON SCHEMA api TO authenticated_user;
+
+CREATE ROLE authenticator LOGIN NOINHERIT NOCREATEDB NOCREATEROLE NOSUPERUSER;
+GRANT anon TO authenticator;
+GRANT authenticated_user TO authenticator;
+
+CREATE SCHEMA internal;
+
+CREATE TABLE internal.user (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  username VARCHAR(16) UNIQUE NOT NULL CHECK (length(username) >= 3),
+  password_hash CHAR(60) NOT NULL,
+  role NAME NOT NULL DEFAULT 'authenticated_user'
+);
+
+CREATE TABLE internal.cms_content (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  owner_id UUID REFERENCES internal.user(id) ON DELETE CASCADE NOT NULL DEFAULT (current_setting('request.jwt.claims', true)::JSON->>'user_id')::UUID,
+  content_type VARCHAR(10) CHECK (content_type IN ('Blog', 'Docs')) NOT NULL,
+  project_name VARCHAR(50) NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT CLOCK_TIMESTAMP(),
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL
+);
+
+CREATE TABLE internal.cms_media (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  content_id UUID REFERENCES internal.cms_content(id) ON DELETE CASCADE NOT NULL,
+  user_id UUID REFERENCES internal.user(id) ON DELETE CASCADE NOT NULL DEFAULT (current_setting('request.jwt.claims', true)::JSON->>'user_id')::UUID,
+  original_name TEXT NOT NULL,
+  file_system_path TEXT NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT CLOCK_TIMESTAMP()
+);
+
+CREATE TABLE internal.cms_settings (
+  content_id UUID PRIMARY KEY REFERENCES internal.cms_content(id) ON DELETE CASCADE,
+  accent_color_light_theme CHAR(7) CHECK (accent_color_light_theme ~ '^#[a-fA-F0-9]{6}$') NOT NULL DEFAULT '#a5d8ff',
+  accent_color_dark_theme CHAR(7) CHECK (accent_color_dark_theme ~ '^#[a-fA-F0-9]{6}$') NOT NULL DEFAULT '#114678',
+  favicon_image UUID REFERENCES internal.cms_media(id) ON DELETE SET NULL,
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL
+);
+
+CREATE TABLE internal.cms_header (
+  content_id UUID PRIMARY KEY REFERENCES internal.cms_content(id) ON DELETE CASCADE,
+  logo_type TEXT CHECK (logo_type IN ('text', 'image')) NOT NULL DEFAULT 'text',
+  logo_text VARCHAR(255),
+  logo_image UUID REFERENCES internal.cms_media(id) ON DELETE SET NULL,
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL
+);
+
+CREATE TABLE internal.cms_home (
+  content_id UUID PRIMARY KEY REFERENCES internal.cms_content(id) ON DELETE CASCADE,
+  main_content TEXT,
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL
+);
+
+CREATE TABLE internal.cms_article (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  content_id UUID REFERENCES internal.cms_content(id) ON DELETE CASCADE NOT NULL,
+  title VARCHAR(255) NOT NULL,
+  meta_description VARCHAR(500),
+  meta_author VARCHAR(255),
+  cover_image UUID REFERENCES internal.cms_media(id) ON DELETE SET NULL,
+  publication_date DATE NOT NULL DEFAULT CURRENT_DATE,
+  main_content TEXT,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT CLOCK_TIMESTAMP(),
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL
+);
+
+CREATE TABLE internal.cms_footer (
+  content_id UUID PRIMARY KEY REFERENCES internal.cms_content(id) ON DELETE CASCADE,
+  additional_text VARCHAR(255),
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL
+);
+
+CREATE TABLE internal.cms_collab (
+  content_id UUID REFERENCES internal.cms_content(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES internal.user(id) ON DELETE CASCADE,
+  permission_level INTEGER CHECK (permission_level IN (10, 20, 30)) NOT NULL DEFAULT 10,
+  added_at TIMESTAMPTZ NOT NULL DEFAULT CLOCK_TIMESTAMP(),
+  last_modified_at TIMESTAMPTZ,
+  last_modified_by UUID REFERENCES internal.user(id) ON DELETE SET NULL,
+  PRIMARY KEY (content_id, user_id)
+);
+
+CREATE TABLE internal.cms_change_log (
+  content_id UUID REFERENCES internal.cms_content(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES internal.user(id) ON DELETE CASCADE DEFAULT (current_setting('request.jwt.claims', true)::JSON->>'user_id')::UUID,
+  change_summary VARCHAR(255) NOT NULL,
+  previous_value JSONB,
+  new_value JSONB,
+  timestamp TIMESTAMPTZ NOT NULL DEFAULT CLOCK_TIMESTAMP(),
+  PRIMARY KEY (content_id, user_id, timestamp)
+);
+
+-- migrate:down
+DROP TABLE internal.cms_change_log;
+DROP TABLE internal.cms_collab;
+DROP TABLE internal.cms_footer;
+DROP TABLE internal.cms_article;
+DROP TABLE internal.cms_home;
+DROP TABLE internal.cms_header;
+DROP TABLE internal.cms_settings;
+DROP TABLE internal.cms_media;
+DROP TABLE internal.cms_content;
+DROP SCHEMA api;
+
+DROP TABLE internal.user;
+DROP SCHEMA internal;
+
+DROP ROLE authenticator;
+DROP ROLE anon;
+DROP ROLE authenticated_user;

rest-api/db/migrations/20240720073454_automatic_schema_cache_reloading.sql

@@ -0,0 +1,14 @@
+-- migrate:up
+CREATE FUNCTION pgrst_watch() RETURNS event_trigger AS $$
+BEGIN
+  NOTIFY pgrst, 'reload schema';
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE EVENT TRIGGER pgrst_watch
+ON ddl_command_end
+EXECUTE FUNCTION pgrst_watch();
+
+-- migrate:down
+DROP EVENT TRIGGER pgrst_watch;
+DROP FUNCTION pgrst_watch();

rest-api/db/migrations/20240720074103_user_management_roles_jwt.sql

@@ -0,0 +1,161 @@
+-- migrate:up
+CREATE EXTENSION pgcrypto;
+CREATE EXTENSION pgjwt;
+
+CREATE FUNCTION
+internal.check_role_exists() RETURNS TRIGGER AS $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles AS r WHERE r.rolname = NEW.role) THEN
+    RAISE foreign_key_violation USING MESSAGE =
+      'Unknown database role: ' || NEW.role;
+    RETURN NULL;
+  END IF;
+  RETURN NEW;
+END
+$$ LANGUAGE plpgsql;
+
+CREATE CONSTRAINT TRIGGER ensure_user_role_exists
+AFTER INSERT OR UPDATE ON internal.user
+FOR EACH ROW
+EXECUTE FUNCTION internal.check_role_exists();
+
+
+CREATE FUNCTION
+internal.encrypt_pass() RETURNS TRIGGER AS $$
+BEGIN
+  IF TG_OP = 'INSERT' OR NEW.password_hash <> OLD.password_hash THEN
+    NEW.password_hash = crypt(NEW.password_hash, gen_salt('bf'));
+  END IF;
+  RETURN NEW;
+END
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER encrypt_pass
+BEFORE INSERT OR UPDATE ON internal.user
+FOR EACH ROW
+EXECUTE FUNCTION internal.encrypt_pass();
+
+
+CREATE FUNCTION
+internal.user_role(username TEXT, password TEXT) RETURNS NAME AS $$
+BEGIN
+  RETURN (
+    SELECT role FROM internal.user AS u
+    WHERE u.username = user_role.username
+    AND u.password_hash = crypt(user_role.password, u.password_hash)
+  );
+END;
+$$ LANGUAGE plpgsql;
+
+
+CREATE FUNCTION
+api.register(username TEXT, password TEXT, OUT user_id UUID) AS $$
+DECLARE
+  _username_length_min CONSTANT INT := 3;
+  _username_length_max CONSTANT INT := 16;
+  _password_length_min CONSTANT INT := 12;
+  _password_length_max CONSTANT INT := 128;
+BEGIN
+  IF LENGTH(register.username) NOT BETWEEN _username_length_min AND _username_length_max THEN
+    RAISE string_data_length_mismatch USING MESSAGE = format('Username must be between %s and %s characters long', _username_length_min, _username_length_max);
+  END IF;
+
+  IF EXISTS (SELECT 1 FROM internal.user AS u WHERE u.username = register.username) THEN
+    RAISE unique_violation USING MESSAGE = 'Username is already taken';
+  END IF;
+
+  IF LENGTH(register.password) NOT BETWEEN _password_length_min AND _password_length_max THEN
+    RAISE string_data_length_mismatch USING MESSAGE = format('Password must be between %s and %s characters long', _password_length_min, _password_length_max);
+  END IF;
+
+  IF register.password !~ '[a-z]' THEN
+    RAISE invalid_parameter_value USING MESSAGE = 'Password must contain at least one lowercase letter';
+  END IF;
+
+  IF register.password !~ '[A-Z]' THEN
+    RAISE invalid_parameter_value USING MESSAGE = 'Password must contain at least one uppercase letter';
+  END IF;
+
+  IF register.password !~ '[0-9]' THEN
+    RAISE invalid_parameter_value USING MESSAGE = 'Password must contain at least one number';
+  END IF;
+
+  IF register.password !~ '[!@#$%^&*(),.?":{}|<>]' THEN
+    RAISE invalid_parameter_value USING MESSAGE = 'Password must contain at least one special character';
+  END IF;
+
+  INSERT INTO internal.user (username, password_hash)
+  VALUES (register.username, register.password)
+  RETURNING id INTO user_id;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+
+CREATE FUNCTION
+api.login(username TEXT, password TEXT, OUT token TEXT) AS $$
+DECLARE
+  _role NAME;
+  _user_id UUID;
+  _exp INTEGER;
+BEGIN
+  SELECT internal.user_role(login.username, login.password) INTO _role;
+  IF _role IS NULL THEN
+    RAISE invalid_password USING MESSAGE = 'Invalid username or password';
+  END IF;
+
+  SELECT id INTO _user_id
+  FROM internal.user AS u
+  WHERE u.username = login.username;
+
+  _exp := extract(EPOCH FROM CLOCK_TIMESTAMP())::INTEGER + 86400;
+
+  SELECT sign(
+    json_build_object(
+      'role', _role,
+      'user_id', _user_id,
+      'username', login.username,
+      'exp', _exp
+    ),
+    current_setting('app.jwt_secret')
+  ) INTO token;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+
+CREATE FUNCTION
+api.delete_account(password TEXT, OUT was_deleted BOOLEAN) AS $$
+DECLARE
+  _username TEXT := current_setting('request.jwt.claims', true)::json->>'username';
+  _role NAME;
+BEGIN
+  SELECT internal.user_role(_username, delete_account.password) INTO _role;
+  IF _role IS NULL THEN
+    RAISE invalid_password USING MESSAGE = 'Invalid password';
+  END IF;
+
+  DELETE FROM internal.user AS u
+  WHERE u.username = _username;
+
+  was_deleted := TRUE;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+
+GRANT EXECUTE ON FUNCTION api.register(TEXT, TEXT) TO anon;
+GRANT EXECUTE ON FUNCTION api.login(TEXT, TEXT) TO anon;
+
+-- migrate:down
+DROP FUNCTION api.register(TEXT, TEXT);
+DROP FUNCTION api.login(TEXT, TEXT);
+DROP FUNCTION api.delete_account(TEXT);
+
+DROP FUNCTION internal.user_role(TEXT, TEXT);
+
+DROP TRIGGER encrypt_pass ON internal.user;
+DROP FUNCTION internal.encrypt_pass();
+
+DROP TRIGGER ensure_user_role_exists ON internal.user;
+DROP FUNCTION internal.check_role_exists();
+
+DROP EXTENSION pgjwt;
+DROP EXTENSION pgcrypto;

rest-api/db/migrations/20240720132802_exposed_views_functions.sql

@@ -0,0 +1,140 @@
+-- migrate:up
+CREATE VIEW api.user
+WITH (security_invoker = on)
+AS
+SELECT id, username
+FROM internal.user;
+
+CREATE VIEW api.cms_content
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_content;
+
+CREATE VIEW api.cms_media
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_media;
+
+CREATE VIEW api.cms_settings
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_settings;
+
+CREATE VIEW api.cms_header
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_header;
+
+CREATE view api.cms_home
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_home;
+
+CREATE VIEW api.cms_article
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_article;
+
+CREATE VIEW api.cms_footer
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_footer;
+
+CREATE VIEW api.cms_collab
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_collab;
+
+CREATE VIEW api.cms_change_log
+WITH (security_invoker = on)
+AS
+SELECT *
+FROM internal.cms_change_log;
+
+CREATE FUNCTION
+api.create_project(content_type VARCHAR(10), project_name VARCHAR(50), OUT content_id UUID) AS $$
+DECLARE
+  _content_id UUID;
+BEGIN
+  INSERT INTO internal.cms_content (content_type, project_name)
+  VALUES (create_project.content_type, create_project.project_name)
+  RETURNING id INTO _content_id;
+
+  INSERT INTO internal.cms_settings (content_id)
+  VALUES (_content_id);
+
+  INSERT INTO internal.cms_header (content_id, logo_text)
+  VALUES (_content_id, 'archtika ' || create_project.content_type);
+
+  INSERT INTO internal.cms_home (content_id, main_content)
+  VALUES
+    (_content_id, '## Main content comes in here');
+
+  INSERT INTO internal.cms_article (content_id, title, meta_description, meta_author, main_content)
+  VALUES
+    (_content_id, 'First article', 'This is the first sample article', 'Author Name', '## First article'),
+    (_content_id, 'Second article', 'This is the second sample article', 'Author Name', '## Second article');
+
+  INSERT INTO internal.cms_footer (content_id, additional_text)
+  VALUES (_content_id, 'This website was created with archtika'); 
+
+  content_id := _content_id;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+GRANT EXECUTE ON FUNCTION api.create_project(VARCHAR(10), VARCHAR(50)) TO authenticated_user;
+
+
+-- Security invoker only works on views if the user has access to the underlying table
+GRANT SELECT ON internal.user TO authenticated_user;
+GRANT SELECT ON api.user TO authenticated_user;
+GRANT SELECT, UPDATE, DELETE ON internal.cms_content TO authenticated_user;
+GRANT SELECT, UPDATE, DELETE ON api.cms_content TO authenticated_user;
+GRANT SELECT, INSERT ON internal.cms_media TO authenticated_user;
+GRANT SELECT, INSERT ON api.cms_media TO authenticated_user;
+GRANT SELECT, UPDATE ON internal.cms_settings TO authenticated_user;
+GRANT SELECT, UPDATE ON api.cms_settings TO authenticated_user;
+GRANT SELECT, UPDATE ON internal.cms_header TO authenticated_user;
+GRANT SELECT, UPDATE ON api.cms_header TO authenticated_user;
+GRANT SELECT, UPDATE ON internal.cms_home TO authenticated_user;
+GRANT SELECT, UPDATE ON api.cms_home TO authenticated_user;
+GRANT SELECT, INSERT, UPDATE, DELETE ON internal.cms_article TO authenticated_user;
+GRANT SELECT, INSERT, UPDATE, DELETE ON api.cms_article TO authenticated_user;
+GRANT SELECT, UPDATE ON internal.cms_footer TO authenticated_user;
+GRANT SELECT, UPDATE ON api.cms_footer TO authenticated_user;
+GRANT SELECT, INSERT, UPDATE, DELETE ON internal.cms_collab TO authenticated_user;
+GRANT SELECT, INSERT, UPDATE, DELETE ON api.cms_collab TO authenticated_user;
+GRANT SELECT ON internal.cms_change_log TO authenticated_user;
+GRANT SELECT ON api.cms_change_log TO authenticated_user; 
+
+-- migrate:down
+REVOKE SELECT ON internal.user FROM authenticated_user;
+REVOKE SELECT, UPDATE, DELETE ON internal.cms_content FROM authenticated_user;
+REVOKE SELECT, INSERT ON internal.cms_media FROM authenticated_user;
+REVOKE SELECT, UPDATE ON internal.cms_settings FROM authenticated_user;
+REVOKE SELECT, UPDATE ON internal.cms_header FROM authenticated_user;
+REVOKE SELECT, INSERT, UPDATE, DELETE ON internal.cms_article FROM authenticated_user;
+REVOKE SELECT, UPDATE ON internal.cms_footer FROM authenticated_user;
+REVOKE SELECT, INSERT, UPDATE, DELETE ON internal.cms_collab FROM authenticated_user;
+REVOKE SELECT ON internal.cms_change_log FROM authenticated_user;
+
+DROP FUNCTION api.create_project(VARCHAR(10), VARCHAR(50));
+
+DROP VIEW api.cms_change_log;
+DROP VIEW api.cms_collab;
+DROP VIEW api.cms_footer;
+DROP VIEW api.cms_home;
+DROP VIEW api.cms_article;
+DROP VIEW api.cms_header;
+DROP VIEW api.cms_settings;
+DROP VIEW api.cms_media;
+DROP VIEW api.cms_content;
+DROP VIEW api.user;

rest-api/db/migrations/20240724191017_row_level_security.sql

@@ -0,0 +1,208 @@
+-- migrate:up
+ALTER TABLE internal.user ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_content ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_media ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_settings ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_header ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_home ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_article ENABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_footer ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY view_own_user ON internal.user
+FOR SELECT
+USING (id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID);
+
+CREATE POLICY view_own_projects ON internal.cms_content
+FOR SELECT
+USING (owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID);
+
+CREATE POLICY update_own_project ON internal.cms_content
+FOR UPDATE
+USING (owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID);
+
+CREATE POLICY delete_own_project ON internal.cms_content
+FOR DELETE
+USING (owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID);
+
+
+CREATE POLICY view_own_media ON internal.cms_media
+FOR SELECT
+USING (user_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID);
+
+CREATE POLICY insert_own_media ON internal.cms_media
+FOR INSERT
+WITH CHECK (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_media.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+
+CREATE POLICY view_own_settings ON internal.cms_settings
+FOR SELECT
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_settings.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY update_own_settings ON internal.cms_settings
+FOR UPDATE
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_settings.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+
+CREATE POLICY view_own_header ON internal.cms_header
+FOR SELECT
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_header.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY update_own_header ON internal.cms_header
+FOR UPDATE
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_header.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+
+CREATE POLICY view_own_home ON internal.cms_home
+FOR SELECT
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_home.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY update_own_home ON internal.cms_home
+FOR UPDATE
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_home.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+
+CREATE POLICY view_own_articles ON internal.cms_article
+FOR SELECT
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_article.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY update_own_article ON internal.cms_article
+FOR UPDATE
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_article.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY delete_own_article ON internal.cms_article
+FOR DELETE
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_article.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY insert_own_article ON internal.cms_article
+FOR INSERT
+WITH CHECK (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_article.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+
+CREATE POLICY view_own_footer ON internal.cms_footer
+FOR SELECT
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_footer.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+CREATE POLICY update_own_footer ON internal.cms_footer
+FOR UPDATE
+USING (
+  EXISTS (
+    SELECT 1
+    FROM internal.cms_content
+    WHERE internal.cms_content.id = internal.cms_footer.content_id
+    AND internal.cms_content.owner_id = (current_setting('request.jwt.claims', true)::json->>'user_id')::UUID
+  )
+);
+
+
+-- migrate:down
+DROP POLICY view_own_user ON internal.user;
+DROP POLICY view_own_projects ON internal.cms_content;
+DROP POLICY delete_own_project ON internal.cms_content;
+DROP POLICY update_own_project ON internal.cms_content;
+DROP POLICY view_own_media ON internal.cms_media;
+DROP POLICY insert_own_media ON internal.cms_media;
+DROP POLICY view_own_settings ON internal.cms_settings;
+DROP POLICY update_own_settings ON internal.cms_settings;
+DROP POLICY view_own_header ON internal.cms_header;
+DROP POLICY update_own_header ON internal.cms_header;
+DROP POLICY view_own_home ON internal.cms_home;
+DROP POLICY update_own_home ON internal.cms_home;
+DROP POLICY view_own_articles ON internal.cms_article;
+DROP POLICY update_own_article ON internal.cms_article;
+DROP POLICY delete_own_article ON internal.cms_article;
+DROP POLICY insert_own_article ON internal.cms_article;
+DROP POLICY view_own_footer ON internal.cms_footer;
+DROP POLICY update_own_footer ON internal.cms_footer;
+
+ALTER TABLE internal.user DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_content DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_media DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_settings DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_header DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_home DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_article DISABLE ROW LEVEL SECURITY;
+ALTER TABLE internal.cms_footer DISABLE ROW LEVEL SECURITY;

rest-api/postgrest.conf

@@ -0,0 +1,3 @@
+db-schemas = "api"
+db-anon-role = "anon"
+openapi-mode = "ignore-privileges"

web-app/.gitignore

@@ -0,0 +1,22 @@
+node_modules
+user-uploads
+
+# Output
+.output
+.vercel
+/.svelte-kit
+/build
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Env
+.env
+.env.*
+!.env.example
+!.env.test
+
+# Vite
+vite.config.js.timestamp-*
+vite.config.ts.timestamp-*

web-app/.npmrc

@@ -0,0 +1 @@
+engine-strict=true

web-app/.prettierignore

@@ -0,0 +1,4 @@
+# Package Managers
+package-lock.json
+pnpm-lock.yaml
+yarn.lock

web-app/.prettierrc

@@ -0,0 +1,12 @@
+{
+  "useTabs": false,
+  "tabWidth": 2,
+  "singleQuote": false,
+  "trailingComma": "none",
+  "printWidth": 100,
+  "plugins": ["prettier-plugin-svelte"],
+  "overrides": [{ "files": "*.svelte", "options": { "parser": "svelte" } }],
+  "svelteSortOrder": "options-scripts-markup-styles",
+  "svelteStrictMode": true,
+  "svelteIndentScriptAndStyle": true
+}

web-app/README.md

@@ -0,0 +1,38 @@
+# create-svelte
+
+Everything you need to build a Svelte project, powered by [`create-svelte`](https://github.com/sveltejs/kit/tree/main/packages/create-svelte).
+
+## Creating a project
+
+If you're seeing this, you've probably already done this step. Congrats!
+
+```bash
+# create a new project in the current directory
+npm create svelte@latest
+
+# create a new project in my-app
+npm create svelte@latest my-app
+```
+
+## Developing
+
+Once you've created a project and installed dependencies with `npm install` (or `pnpm install` or `yarn`), start a development server:
+
+```bash
+npm run dev
+
+# or start the server and open the app in a new browser tab
+npm run dev -- --open
+```
+
+## Building
+
+To create a production version of your app:
+
+```bash
+npm run build
+```
+
+You can preview the production build with `npm run preview`.
+
+> To deploy your app, you may need to install an [adapter](https://kit.svelte.dev/docs/adapters) for your target environment.

web-app/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "web-app",
+  "version": "0.0.1",
+  "private": true,
+  "scripts": {
+    "dev": "vite dev",
+    "build": "vite build",
+    "preview": "vite preview",
+    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
+    "lint": "prettier --check .",
+    "format": "prettier --write ."
+  },
+  "devDependencies": {
+    "@sveltejs/adapter-auto": "^3.0.0",
+    "@sveltejs/adapter-node": "^5.2.0",
+    "@sveltejs/kit": "^2.0.0",
+    "@sveltejs/vite-plugin-svelte": "^3.0.0",
+    "@types/node": "^22.0.0",
+    "prettier": "^3.1.1",
+    "prettier-plugin-svelte": "^3.1.2",
+    "svelte": "^5.0.0-next.1",
+    "svelte-check": "^3.6.0",
+    "typescript": "^5.0.0",
+    "vite": "^5.0.3"
+  },
+  "type": "module"
+}

web-app/src/app.d.ts

@@ -0,0 +1,20 @@
+// See https://kit.svelte.dev/docs/types#app
+// for information about these interfaces
+interface User {
+  id: string;
+  username: string;
+}
+
+declare global {
+  namespace App {
+    // interface Error {}
+    interface Locals {
+      user: User;
+    }
+    // interface PageData {}
+    // interface PageState {}
+    // interface Platform {}
+  }
+}
+
+export type {};

web-app/src/app.html

@@ -0,0 +1,12 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <link rel="icon" href="%sveltekit.assets%/favicon.png" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    %sveltekit.head%
+  </head>
+  <body data-sveltekit-preload-data="hover">
+    <div style="display: contents">%sveltekit.body%</div>
+  </body>
+</html>

web-app/src/hooks.server.ts

@@ -0,0 +1,28 @@
+import { redirect } from "@sveltejs/kit";
+
+export const handle = async ({ event, resolve }) => {
+  const userData = await event.fetch("http://localhost:3000/user", {
+    method: "GET",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${event.cookies.get("session_token")}`,
+      Accept: "application/vnd.pgrst.object+json"
+    }
+  });
+
+  if (!userData.ok && !["/login", "/register"].includes(event.url.pathname)) {
+    throw redirect(303, "/login");
+  }
+
+  if (userData.ok) {
+    if (["/login", "/register"].includes(event.url.pathname)) {
+      throw redirect(303, "/");
+    }
+
+    const user = await userData.json();
+
+    event.locals.user = user;
+  }
+
+  return await resolve(event);
+};

web-app/src/lib/components/DateTime.svelte

@@ -0,0 +1,16 @@
+<script lang="ts">
+  const { date } = $props<{ date: string }>();
+
+  const options: Intl.DateTimeFormatOptions = {
+    year: "numeric",
+    month: "2-digit",
+    day: "2-digit",
+    hour: "2-digit",
+    minute: "2-digit",
+    second: "2-digit"
+  };
+</script>
+
+<time datetime={new Date(date).toLocaleString("sv").replace(" ", "T")}>
+  {new Date(date).toLocaleString("en-us", { ...options })}
+</time>

web-app/src/lib/utils.ts

@@ -0,0 +1,8 @@
+export const sortOptions = [
+  { value: "creation-time", text: "Creation time" },
+  { value: "last-modified", text: "Last modified" },
+  { value: "title-a-to-z", text: "Title - A to Z" },
+  { value: "title-z-to-a", text: "Title - Z to A" }
+];
+
+export const ALLOWED_MIME_TYPES = ["image/jpeg", "image/png", "image/svg+xml", "image/webp"];

web-app/src/routes/(anonymous)/login/+page.server.ts

@@ -0,0 +1,23 @@
+export const actions = {
+  default: async ({ request, cookies, fetch }) => {
+    const data = await request.formData();
+
+    const res = await fetch("http://localhost:3000/rpc/login", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        username: data.get("username"),
+        password: data.get("password")
+      })
+    });
+
+    const response = await res.json();
+
+    if (!res.ok) {
+      return { success: false, message: response.message };
+    }
+
+    cookies.set("session_token", response.token, { path: "/" });
+    return { success: true };
+  }
+};

web-app/src/routes/(anonymous)/login/+page.svelte

@@ -0,0 +1 @@
+<form action=""></form>

web-app/src/routes/(anonymous)/register/+page.server.ts

@@ -0,0 +1,22 @@
+export const actions = {
+  default: async ({ request, fetch }) => {
+    const data = await request.formData();
+
+    const res = await fetch("http://localhost:3000/rpc/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        username: data.get("username"),
+        password: data.get("password")
+      })
+    });
+
+    const response = await res.json();
+
+    if (!res.ok) {
+      return { success: false, message: response.message };
+    }
+
+    return { success: true };
+  }
+};

web-app/src/routes/(anonymous)/register/+page.svelte

@@ -0,0 +1 @@
+<form action=""></form>

web-app/src/routes/(authenticated)/website/[websiteId]/+layout.server.ts

@@ -0,0 +1,16 @@
+export const load = async ({ params, fetch, cookies }) => {
+  const websiteData = await fetch(`http://localhost:3000/cms_content?id=eq.${params.websiteId}`, {
+    method: "GET",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${cookies.get("session_token")}`,
+      Accept: "application/vnd.pgrst.object+json"
+    }
+  });
+
+  const website = await websiteData.json();
+
+  return {
+    website
+  };
+};

web-app/src/routes/(authenticated)/website/[websiteId]/+page.server.ts

@@ -0,0 +1,374 @@
+import { randomUUID } from "node:crypto";
+import { mkdir, writeFile } from "node:fs/promises";
+import { extname, join, relative } from "node:path";
+import { ALLOWED_MIME_TYPES } from "$lib/utils.js";
+
+export const load = async ({ params, fetch, cookies, url }) => {
+  const globalSettingsData = await fetch(
+    `http://localhost:3000/cms_settings?content_id=eq.${params.websiteId}&select=*,cms_media(*)`,
+    {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`,
+        Accept: "application/vnd.pgrst.object+json"
+      }
+    }
+  );
+
+  const headerData = await fetch(
+    `http://localhost:3000/cms_header?content_id=eq.${params.websiteId}&select=*,cms_media(*)`,
+    {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`,
+        Accept: "application/vnd.pgrst.object+json"
+      }
+    }
+  );
+
+  const homeData = await fetch(`http://localhost:3000/cms_home?content_id=eq.${params.websiteId}`, {
+    method: "GET",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${cookies.get("session_token")}`,
+      Accept: "application/vnd.pgrst.object+json"
+    }
+  });
+
+  const footerData = await fetch(
+    `http://localhost:3000/cms_footer?content_id=eq.${params.websiteId}`,
+    {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`,
+        Accept: "application/vnd.pgrst.object+json"
+      }
+    }
+  );
+
+  const searchQuery = url.searchParams.get("article_search_query");
+  const sortBy = url.searchParams.get("article_sort");
+
+  const parameters = new URLSearchParams();
+
+  const baseFetchUrl = `http://localhost:3000/cms_article?content_id=eq.${params.websiteId}&select=*,cms_media(*)`;
+
+  if (searchQuery) {
+    parameters.append("title", `ilike.*${searchQuery}*`);
+  }
+
+  switch (sortBy) {
+    case "creation-time":
+      parameters.append("order", "created_at.desc");
+      break;
+    case "last-modified":
+      parameters.append("order", "last_modified_at.desc");
+      break;
+    case "title-a-to-z":
+      parameters.append("order", "title.asc");
+      break;
+    case "title-z-to-a":
+      parameters.append("order", "title.desc");
+      break;
+  }
+
+  const constructedFetchUrl = `${baseFetchUrl}&${parameters.toString()}`;
+
+  const articlesData = await fetch(constructedFetchUrl, {
+    method: "GET",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${cookies.get("session_token")}`
+    }
+  });
+
+  const globalSettings = await globalSettingsData.json();
+  const header = await headerData.json();
+  const home = await homeData.json();
+  const footer = await footerData.json();
+  const articles = await articlesData.json();
+
+  return {
+    globalSettings,
+    header,
+    home,
+    footer,
+    articles
+  };
+};
+
+export const actions = {
+  updateGlobal: async ({ request, fetch, cookies, params, locals }) => {
+    const data = await request.formData();
+
+    const faviconFile = data.get("favicon") as File;
+    const favicon = await handleFileUpload(
+      faviconFile,
+      params.websiteId,
+      locals.user.id,
+      cookies.get("session_token"),
+      fetch
+    );
+
+    if (favicon?.success === false) {
+      return favicon;
+    }
+
+    const res = await fetch(
+      `http://localhost:3000/cms_settings?content_id=eq.${params.websiteId}`,
+      {
+        method: "PATCH",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${cookies.get("session_token")}`
+        },
+        body: JSON.stringify({
+          accent_color_light_theme: data.get("accent-color-light"),
+          accent_color_dark_theme: data.get("accent-color-dark"),
+          favicon_image: favicon?.content
+        })
+      }
+    );
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return {
+      success: true,
+      operation: "updated",
+      ressource: "global settings"
+    };
+  },
+  updateHeader: async ({ request, fetch, cookies, locals, params }) => {
+    const data = await request.formData();
+
+    const logoFile = data.get("logo-image") as File;
+    const logo = await handleFileUpload(
+      logoFile,
+      params.websiteId,
+      locals.user.id,
+      cookies.get("session_token"),
+      fetch
+    );
+
+    if (logo?.success === false) {
+      return logo;
+    }
+
+    const res = await fetch(`http://localhost:3000/cms_header?content_id=eq.${params.websiteId}`, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`
+      },
+      body: JSON.stringify({
+        logo_type: data.get("logo-type"),
+        logo_text: data.get("logo-text"),
+        logo_image: logo?.content
+      })
+    });
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return {
+      success: true,
+      operation: "updated",
+      ressource: "header settings"
+    };
+  },
+  updateHome: async ({ request, fetch, cookies, params }) => {
+    const data = await request.formData();
+
+    const res = await fetch(`http://localhost:3000/cms_home?content_id=eq.${params.websiteId}`, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`
+      },
+      body: JSON.stringify({
+        main_content: data.get("main-content")
+      })
+    });
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return { success: true, operation: "updated", ressource: "home settings" };
+  },
+  updateFooter: async ({ request, fetch, cookies, params }) => {
+    const data = await request.formData();
+
+    const res = await fetch(`http://localhost:3000/cms_footer?content_id=eq.${params.websiteId}`, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`
+      },
+      body: JSON.stringify({
+        additional_text: data.get("additional-text")
+      })
+    });
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return {
+      success: true,
+      operation: "updated",
+      ressource: "footer settings"
+    };
+  },
+  createArticle: async ({ request, fetch, cookies, params }) => {
+    const data = await request.formData();
+
+    const res = await fetch("http://localhost:3000/cms_article", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`
+      },
+      body: JSON.stringify({
+        content_id: params.websiteId,
+        title: data.get("title")
+      })
+    });
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return { success: true, operation: "created", ressource: "article" };
+  },
+  editArticle: async ({ request, fetch, cookies, locals, params }) => {
+    const data = await request.formData();
+
+    const coverFile = data.get("cover-image") as File;
+    const cover = await handleFileUpload(
+      coverFile,
+      params.websiteId,
+      locals.user.id,
+      cookies.get("session_token"),
+      fetch
+    );
+
+    if (cover?.success === false) {
+      return cover;
+    }
+
+    const res = await fetch(`http://localhost:3000/cms_article?id=eq.${data.get("article-id")}`, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`
+      },
+      body: JSON.stringify({
+        title: data.get("title"),
+        meta_description: data.get("description"),
+        meta_author: data.get("author"),
+        cover_image: cover?.content,
+        publication_date: data.get("publication-date"),
+        main_content: data.get("main-content")
+      })
+    });
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return { success: true, operation: "updated", ressource: "article" };
+  },
+  deleteArticle: async ({ request, fetch, cookies }) => {
+    const data = await request.formData();
+
+    const res = await fetch(`http://localhost:3000/cms_article?id=eq.${data.get("article-id")}`, {
+      method: "DELETE",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${cookies.get("session_token")}`
+      }
+    });
+
+    if (!res.ok) {
+      const response = await res.json();
+      return { success: false, message: response.message };
+    }
+
+    return { success: true, operation: "deleted", ressource: "article" };
+  }
+};
+
+const handleFileUpload = async (
+  file: File,
+  contentId: string,
+  userId: string,
+  session_token: string | undefined,
+  customFetch: typeof fetch
+) => {
+  if (file.size === 0) return undefined;
+
+  const MAX_FILE_SIZE = 1024 * 1024;
+
+  if (file.size > MAX_FILE_SIZE) {
+    return {
+      success: false,
+      message: `File size exceeds the maximum limit of ${MAX_FILE_SIZE / 1024 / 1024} MB.`
+    };
+  }
+
+  if (!ALLOWED_MIME_TYPES.includes(file.type)) {
+    return {
+      success: false,
+      message: "Invalid file type. JPEG, PNG, SVG and WEBP are allowed."
+    };
+  }
+
+  const buffer = Buffer.from(await file.arrayBuffer());
+  const uploadDir = join(process.cwd(), "static", "user-uploads", userId);
+  await mkdir(uploadDir, { recursive: true });
+
+  const fileId = randomUUID();
+  const fileExtension = extname(file.name);
+  const filepath = join(uploadDir, `${fileId}${fileExtension}`);
+
+  await writeFile(filepath, buffer);
+
+  const relativePath = relative(join(process.cwd(), "static"), filepath);
+
+  const res = await customFetch("http://localhost:3000/cms_media", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${session_token}`,
+      Prefer: "return=representation",
+      Accept: "application/vnd.pgrst.object+json"
+    },
+    body: JSON.stringify({
+      content_id: contentId,
+      user_id: userId,
+      original_name: file.name,
+      file_system_path: relativePath
+    })
+  });
+
+  const response = await res.json();
+
+  if (!res.ok) {
+    return { success: false, message: response.message };
+  }
+
+  return { success: true, content: response.id };
+};

web-app/src/routes/(authenticated)/website/[websiteId]/+page.svelte

@@ -0,0 +1,15 @@
+<section>
+  <h2>Settings</h2>
+</section>
+
+<section>
+  <h2>Articles</h2>
+</section>
+
+<section>
+  <h2>Collaborators</h2>
+</section>
+
+<section>
+  <h2>Logs</h2>
+</section>

web-app/src/routes/+layout.server.ts

@@ -0,0 +1,5 @@
+export const load = async ({ locals }) => {
+  return {
+    user: locals.user
+  };
+};

web-app/src/routes/+page.svelte

@@ -0,0 +1,11 @@
+<section>
+  <h2>Create website</h2>
+</section>
+
+<section>
+  <h2>Your websites</h2>
+</section>
+
+<section>
+  <h2>Shared with you</h2>
+</section>

web-app/svelte.config.ts

@@ -0,0 +1,18 @@
+import adapter from "@sveltejs/adapter-auto";
+import { vitePreprocess } from "@sveltejs/vite-plugin-svelte";
+
+/** @type {import('@sveltejs/kit').Config} */
+const config = {
+  // Consult https://kit.svelte.dev/docs/integrations#preprocessors
+  // for more information about preprocessors
+  preprocess: vitePreprocess(),
+
+  kit: {
+    // adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list.
+    // If your environment is not supported, or you settled on a specific environment, switch out the adapter.
+    // See https://kit.svelte.dev/docs/adapters for more information about adapters.
+    adapter: adapter()
+  }
+};
+
+export default config;

web-app/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "extends": "./.svelte-kit/tsconfig.json",
+  "compilerOptions": {
+    "allowJs": true,
+    "checkJs": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "skipLibCheck": true,
+    "sourceMap": true,
+    "strict": true,
+    "moduleResolution": "bundler"
+  }
+  // Path aliases are handled by https://kit.svelte.dev/docs/configuration#alias
+  // except $lib which is handled by https://kit.svelte.dev/docs/configuration#files
+  //
+  // If you want to overwrite includes/excludes, make sure to copy over the relevant includes/excludes
+  // from the referenced tsconfig.json - TypeScript does not merge them in
+}

web-app/vite.config.ts

@@ -0,0 +1,6 @@
+import { sveltekit } from "@sveltejs/kit/vite";
+import { defineConfig } from "vite";
+
+export default defineConfig({
+  plugins: [sveltekit()]
+});