feat: draft mode API routes + review follow-ups (#678)

Completes Visual Editing end-to-end:\n\nDraft mode routes:\n- /api/draft-mode/enable — validates SANITY_PREVIEW_SECRET (fail-closed: 503 if missing, 401 if invalid), sets httpOnly cookie, redirects\n- /api/draft-mode/disable — clears cookie, redirects\n\nPer-request draft mode:\n- loadQuery() accepts draftMode param (from Astro.cookies)\n- isDraftMode() checks site-wide env var OR per-request cookie\n- All 12 content pages pass cookie state to loadQuery\n- BaseLayout checks cookie OR env var for VisualEditing component\n\nReview follow-ups:\n- escapeXml extracted to src/utils/xml.ts (was duplicated in both RSS files)\n- Sitemap static page lastmod uses latest content _updatedAt (not new Date())"

Author: codercatdev

apps/web/src/layouts/BaseLayout.astro

@@ -10,7 +10,8 @@ interface Props {
 const { title, description = "CodingCat.dev — Purrfect Web Tutorials" } = Astro.props;
 
 const visualEditingEnabled =
-  import.meta.env.PUBLIC_SANITY_VISUAL_EDITING_ENABLED === "true";
+  import.meta.env.PUBLIC_SANITY_VISUAL_EDITING_ENABLED === "true" ||
+  Astro.cookies.has("__sanity_preview");
 ---
 
 <!doctype html>

apps/web/src/pages/[slug].astro

@@ -14,7 +14,8 @@ if (reservedSlugs.includes(slug!)) {
   return Astro.redirect(`/${slug}`);
 }
 
-const { data: page } = await loadQuery<any>({ query: pageQuery, params: { slug } });
+const draftMode = Astro.cookies.has("__sanity_preview");
+const { data: page } = await loadQuery<any>({ query: pageQuery, params: { slug }, draftMode });
 
 if (!page) {
   return new Response(null, { status: 404 });

apps/web/src/pages/api/draft-mode/disable.ts

@@ -0,0 +1,20 @@
+/**
+ * Disable draft mode for Sanity Visual Editing.
+ *
+ * Clears the preview cookie and redirects back to the page.
+ *
+ * Usage: /api/draft-mode/disable?slug=/post/my-post
+ */
+import type { APIRoute } from "astro";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, cookies, redirect }) => {
+  const slug = url.searchParams.get("slug") || "/";
+
+  // Delete the preview cookie
+  cookies.delete("__sanity_preview", { path: "/" });
+
+  // Redirect back to the page (now showing published content)
+  return redirect(slug, 307);
+};

apps/web/src/pages/api/draft-mode/enable.ts

@@ -0,0 +1,44 @@
+/**
+ * Enable draft mode for Sanity Visual Editing.
+ *
+ * Called by the Studio's Presentation Tool when loading the preview iframe.
+ * Validates SANITY_PREVIEW_SECRET, sets a __sanity_preview cookie, and
+ * redirects to the requested page.
+ *
+ * Usage: /api/draft-mode/enable?secret=<value>&slug=/post/my-post
+ */
+import type { APIRoute } from "astro";
+import { env } from "cloudflare:workers";
+
+export const prerender = false;
+
+export const GET: APIRoute = async ({ url, cookies, redirect }) => {
+  const secret = url.searchParams.get("secret");
+  const slug = url.searchParams.get("slug") || "/";
+
+  // Fail-closed: require SANITY_PREVIEW_SECRET to be configured
+  const expectedSecret = (env as Record<string, string>).SANITY_PREVIEW_SECRET;
+  if (!expectedSecret) {
+    return new Response("Draft mode not configured — SANITY_PREVIEW_SECRET is missing", {
+      status: 503,
+    });
+  }
+
+  // Validate the secret
+  if (!secret || secret !== expectedSecret) {
+    return new Response("Invalid preview secret", { status: 401 });
+  }
+
+  // Set the preview cookie — httpOnly so client JS can't tamper with it
+  cookies.set("__sanity_preview", "1", {
+    path: "/",
+    httpOnly: true,
+    sameSite: "none",
+    secure: true,
+    // 1 hour — long enough for an editing session
+    maxAge: 60 * 60,
+  });
+
+  // Redirect to the requested page
+  return redirect(slug, 307);
+};

apps/web/src/pages/author/[slug].astro

@@ -7,7 +7,8 @@ import { authorQuery } from "@/lib/queries";
 export const prerender = false;
 
 const { slug } = Astro.params;
-const { data: author } = await loadQuery<any>({ query: authorQuery, params: { slug } });
+const draftMode = Astro.cookies.has("__sanity_preview");
+const { data: author } = await loadQuery<any>({ query: authorQuery, params: { slug }, draftMode });
 
 if (!author) {
   return Astro.redirect("/404");

apps/web/src/pages/authors.astro

@@ -12,8 +12,9 @@ const page = Number.isNaN(rawPage) || rawPage < 1 ? 1 : Math.floor(rawPage);
 const perPage = 12;
 const offset = (page - 1) * perPage;
 
+const draftMode = Astro.cookies.has("__sanity_preview");
 const [itemsResult, totalCount] = await Promise.all([
-  loadQuery<any[]>({ query: authorListQuery, params: { offset, end: offset + perPage } }),
+  loadQuery<any[]>({ query: authorListQuery, params: { offset, end: offset + perPage }, draftMode }),
   sanityFetch<number>(authorCountQuery),
 ]);
 const items = itemsResult.data;

apps/web/src/pages/blog.astro

@@ -13,8 +13,9 @@ const page = Number.isNaN(rawPage) || rawPage < 1 ? 1 : Math.floor(rawPage);
 const perPage = 12;
 const offset = (page - 1) * perPage;
 
+const draftMode = Astro.cookies.has("__sanity_preview");
 const [postsResult, totalCount] = await Promise.all([
-  loadQuery<any[]>({ query: postListQuery, params: { offset, end: offset + perPage } }),
+  loadQuery<any[]>({ query: postListQuery, params: { offset, end: offset + perPage }, draftMode }),
   sanityFetch<number>(postCountQuery),
 ]);
 const posts = postsResult.data;

apps/web/src/pages/guest/[slug].astro

@@ -7,7 +7,8 @@ import { guestQuery } from "@/lib/queries";
 export const prerender = false;
 
 const { slug } = Astro.params;
-const { data: guest } = await loadQuery<any>({ query: guestQuery, params: { slug } });
+const draftMode = Astro.cookies.has("__sanity_preview");
+const { data: guest } = await loadQuery<any>({ query: guestQuery, params: { slug }, draftMode });
 
 if (!guest) {
   return Astro.redirect("/404");

apps/web/src/pages/guests.astro

@@ -12,8 +12,9 @@ const page = Number.isNaN(rawPage) || rawPage < 1 ? 1 : Math.floor(rawPage);
 const perPage = 12;
 const offset = (page - 1) * perPage;
 
+const draftMode = Astro.cookies.has("__sanity_preview");
 const [itemsResult, totalCount] = await Promise.all([
-  loadQuery<any[]>({ query: guestListQuery, params: { offset, end: offset + perPage } }),
+  loadQuery<any[]>({ query: guestListQuery, params: { offset, end: offset + perPage }, draftMode }),
   sanityFetch<number>(guestCountQuery),
 ]);
 const items = itemsResult.data;

apps/web/src/pages/index.astro

@@ -6,7 +6,8 @@ import { homePageQuery } from "@/lib/queries";
 
 export const prerender = false;
 
-const { data: homePage } = await loadQuery<any>({ query: homePageQuery });
+const draftMode = Astro.cookies.has("__sanity_preview");
+const { data: homePage } = await loadQuery<any>({ query: homePageQuery, draftMode });
 ---
 
 <BaseLayout title="CodingCat.dev — Purrfect Web Tutorials">