Core Plugins Reference
CatCMS includes several essential core plugins that provide fundamental functionality for your CMS. These plugins are automatically installed and configured when you set up CatCMS. [object Object]
Overview
Core plugins extend CatCMS with critical features like authentication, media management, caching, and database administration. They follow the same plugin architecture as custom plugins, making them excellent examples for plugin development.
Available Core Plugins
Authentication
JWT-based authentication with session management and token refresh
Transactional email sending via Resend with pre-built templates
Magic Link Auth
Passwordless authentication using secure email magic links
Media
Media file management with R2 storage and image processing
Cache
Three-tier caching system with memory, KV, and database layers
Database Tools
Database administration, migrations, and query tools
Seed Data
Sample data generation for development and testing
Authentication Plugin
The authentication plugin provides comprehensive user authentication and session management functionality.
Features
- JWT Token Authentication - Secure token-based authentication
- Session Management - Track and manage active user sessions
- Token Refresh - Automatic token renewal without re-authentication
- Rate Limiting - Protect authentication endpoints from abuse
- User Context - Inject authenticated user data into request context
Configuration
{
name: 'core-auth',
version: '1.0.0-beta.1',
settings: {
tokenExpiration: 3600, // Token TTL in seconds (1 hour)
refreshExpiration: 604800, // Refresh token TTL (7 days)
sessionTracking: true, // Enable session tracking
rateLimitWindow: 900, // Rate limit window (15 minutes)
rateLimitMaxAttempts: 5 // Max login attempts per window
}
}Plugin Configuration
API Endpoints
POST /api/auth/login Authenticate a user and receive JWT tokens
curl -X POST http://localhost:8787/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "password123"
}'const response = await fetch('http://localhost:8787/api/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
email: 'user@example.com',
password: 'password123',
}),
})
const { token, refreshToken, user } = await response.json()Login Request
POST /api/auth/logout Invalidate current session
GET /api/auth/me Get current authenticated user information
POST /api/auth/refresh Refresh an expired access token
Services
// Available auth service methods
const authService = {
// Validate JWT token
validateToken(token: string): { valid: boolean; userId: number }
// Generate new JWT token
generateToken(userId: number): string
// Hash password for storage
hashPassword(password: string): string
// Verify password against hash
verifyPassword(password: string, hash: string): boolean
}Auth Service
Hooks
auth:login- Triggered when user attempts loginauth:logout- Triggered when user logs outrequest:start- Injects authentication status into requests
Admin Pages
- /admin/auth/sessions - View and manage active sessions
- /admin/auth/tokens - Manage API tokens and access keys
Email Plugin
The email plugin provides transactional email functionality using Resend, with pre-built templates for common authentication and notification scenarios.
Features
- Resend Integration - Send emails via the Resend API
- Email Templates - Pre-built templates for registration, verification, password reset, and one-time codes
- Template Customization - Code-based templates that can be customized
- Logo Support - Add your company logo to email templates
- Settings Management - Admin UI for configuring email settings
- Test Email - Send test emails to verify configuration
Configuration
{
name: 'email',
version: '1.0.0-beta.1',
settings: {
apiKey: 're_...', // Resend API key
fromEmail: 'noreply@yourdomain.com', // From email address
fromName: 'Your App Name', // From name
replyTo: 'support@yourdomain.com', // Reply-to address (optional)
logoUrl: 'https://yourdomain.com/logo.png' // Logo URL (optional)
}
}Plugin Configuration
Setup
- Sign up for Resend and get your API key
- Navigate to
/admin/plugins/email/settingsin your CatCMS admin - Configure your Resend API key and email settings
- Send a test email to verify configuration
Included Email Templates
Registration Confirmation Sent when a new user registers an account
Email Verification Sent to verify user email addresses
Password Reset Sent when users request to reset their password
One-Time Code (2FA) Sent for two-factor authentication codes
API Usage
// Get email plugin instance
const emailPlugin = context.plugins.get('email')
// Send a custom email
await emailPlugin.sendEmail({
to: 'user@example.com',
subject: 'Welcome to CatCMS',
html: '<h1>Welcome!</h1><p>Thanks for signing up.</p>',
})
// Send using built-in templates
await emailPlugin.sendVerificationEmail({
to: 'user@example.com',
verificationUrl: 'https://yoursite.com/verify?token=...',
})
await emailPlugin.sendPasswordResetEmail({
to: 'user@example.com',
resetUrl: 'https://yoursite.com/reset?token=...',
})
await emailPlugin.sendOneTimeCodeEmail({
to: 'user@example.com',
code: '123456',
expiryMinutes: 10,
})Sending Emails
Admin Pages
- /admin/plugins/email/settings - Configure Resend API and email settings
The email plugin requires a Resend API key. You must verify your domain in Resend before sending emails from it.
Magic Link Auth
The magic link auth plugin provides passwordless authentication via secure, one-time email links. Users can sign in without remembering passwords.
Features
- Passwordless Authentication - No passwords required
- Secure One-Time Links - Links expire after 15 minutes and can only be used once
- Rate Limiting - Prevent abuse with configurable rate limits
- Email Integration - Works with the Email plugin for sending magic links
- Auto User Creation - Optionally create new users when they request a magic link
- Security Tracking - Logs IP addresses and user agents for security auditing
How It Works
- User enters their email address
- System generates a secure, random token
- Email is sent with a magic link containing the token
- User clicks the link to authenticate
- Token is validated and marked as used
- User is signed in with a JWT session
Configuration
{
name: 'magic-link-auth',
version: '1.0.0',
dependencies: ['email'],
settings: {
linkExpiryMinutes: 15, // Magic link expiry time
rateLimitPerHour: 5, // Max requests per hour per email
allowNewUsers: false, // Auto-create users who don't exist
requireEmailVerification: true // Require verified emails
}
}Plugin Configuration
API Endpoints
POST /auth/magic-link/request Request a magic link to be sent via email
curl -X POST http://localhost:8787/auth/magic-link/request \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com"
}'const response = await fetch('http://localhost:8787/auth/magic-link/request', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
email: 'user@example.com',
}),
})
const result = await response.json()
// result: { message: 'If an account exists...' }{
"message": "If an account exists for this email, you will receive a magic link shortly."
}Request Magic Link
GET /auth/magic-link/verify?token=β¦ Verify magic link token and sign in the user
Database Schema
CREATE TABLE magic_links (
id TEXT PRIMARY KEY,
user_email TEXT NOT NULL,
token TEXT NOT NULL UNIQUE,
expires_at INTEGER NOT NULL,
used INTEGER DEFAULT 0,
used_at INTEGER,
created_at INTEGER NOT NULL,
ip_address TEXT,
user_agent TEXT
)Magic Links Table
Security Features
Token Generation Tokens are generated using crypto.randomUUID() twice and concatenated for maximum entropy
Rate Limiting Limits users to 5 magic link requests per hour to prevent abuse
Expiration Links automatically expire after 15 minutes
One-Time Use Each link can only be used once - itβs marked as used immediately after verification
IP Tracking IP addresses and user agents are logged for security auditing
Usage Example
<form id="magicLinkForm">
<label>Email Address</label>
<input type="email" name="email" required />
<button type="submit">Send Magic Link</button>
</form>
<script>
document.getElementById('magicLinkForm').addEventListener('submit', async (e) => {
e.preventDefault()
const email = new FormData(e.target).get('email')
const response = await fetch('/auth/magic-link/request', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email }),
})
if (response.ok) {
alert('Check your email for a magic link!')
}
})
</script>Adding Magic Link to Login Page
Email Template
The magic link email includes:
- A prominent βSign Inβ button with the magic link
- Expiration time warning
- Security notice if the user didnβt request it
- Modern, responsive design
The Magic Link Auth plugin requires the Email plugin to be installed and configured. Make sure to set up Resend before enabling magic link authentication.
Media Plugin
The media plugin provides comprehensive media file management with cloud storage integration.
Features
- File Upload - Upload images, videos, and documents to R2 storage
- Media Library - Browse and search uploaded media files
- Image Processing - Resize, compress, and transform images
- Folder Organization - Organize files into folders
- Metadata Extraction - Automatic extraction of file metadata
- Thumbnail Generation - Auto-generate thumbnails for images
- Bulk Operations - Move, delete, and process multiple files
Configuration
{
name: 'core-media',
version: '1.0.0-beta.1',
settings: {
maxFileSize: 10485760, // Max file size (10MB)
allowedTypes: [ // Allowed MIME types
'image/jpeg',
'image/png',
'image/gif',
'image/webp',
'video/mp4',
'application/pdf'
],
thumbnailSize: { width: 300, height: 300 },
storageProvider: 'r2', // Storage backend
autoGenerateThumbnails: true
}
}Plugin Configuration
API Endpoints
GET /api/media List media files with pagination and filtering
curl "http://localhost:8787/api/media?page=1&limit=20&type=image"const response = await fetch('http://localhost:8787/api/media?page=1&limit=20&type=image')
const { data, pagination } = await response.json()List Media
POST /api/media/upload Upload a new media file
const formData = new FormData()
formData.append('file', fileInput.files[0])
formData.append('folder', 'images')
const response = await fetch('http://localhost:8787/api/media/upload', {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
},
body: formData,
})
const { data } = await response.json()
// data: { id, filename, url, size, type }Upload File
GET /api/media/:id Get media file information and metadata
DELETE /api/media/:id Delete a media file
POST /api/media/process Process media (resize, compress, transform)
POST /api/media/create-folder Create a new folder for organization
POST /api/media/bulk-move Move multiple files to a folder
Services
const mediaService = {
// Upload file to storage
uploadFile(file: File, options?: UploadOptions): Promise<MediaFile>
// Delete file from storage
deleteFile(id: string): Promise<boolean>
// Process image with operations
processImage(id: string, operations: Operation[]): Promise<Job>
// Extract file metadata
getMetadata(id: string): Promise<Metadata>
}Media Service
Database Schema
CREATE TABLE media_files (
id INTEGER PRIMARY KEY,
filename TEXT NOT NULL,
original_name TEXT NOT NULL,
mime_type TEXT NOT NULL,
size INTEGER NOT NULL,
url TEXT NOT NULL,
thumbnail_url TEXT,
metadata TEXT,
uploaded_by INTEGER,
tags TEXT,
created_at INTEGER NOT NULL,
updated_at INTEGER
)Media Files Table
Hooks
media:upload- Triggered when file is uploaded (auto-generates thumbnails)media:delete- Triggered when file is deleted (cleanup related files)content:save- Tracks media references in content
Admin Pages
- /admin/media - Media library browser
- /admin/media/upload - File upload interface
- /admin/media/settings - Media processing configuration
Cache Plugin
The cache plugin implements a sophisticated three-tier caching system for optimal performance.
Features
- Three-Tier Caching - Memory, Cloudflare KV, and D1 database
- Automatic Invalidation - Event-based cache invalidation
- Cache Namespaces - Separate caches for different data types
- Performance Metrics - Hit rates, latency, and usage statistics
- Cache Warming - Pre-populate cache with frequently accessed data
- Pattern Invalidation - Invalidate by wildcard patterns
- TTL Management - Configurable time-to-live per namespace
Architecture
Request
β
Memory Cache? ββYesβββ Return (< 1ms)
β No
KV Cache? ββYesβββ Populate Memory β Return (10-50ms)
β No
Database βββ Populate KV β Populate Memory β Return (100-200ms)Configuration
{
name: 'cache',
version: '1.0.0-alpha.1',
settings: {
memoryEnabled: true, // Enable in-memory cache
kvEnabled: false, // Enable KV cache
defaultTTL: 3600, // Default TTL (1 hour)
maxMemorySize: 50, // Max memory cache size (MB)
namespaces: {
content: { ttl: 3600 }, // Content cache (1 hour)
user: { ttl: 900 }, // User cache (15 minutes)
api: { ttl: 300 } // API response cache (5 minutes)
}
}
}Cache Configuration
API Endpoints
GET /admin/cache/stats Get detailed cache statistics for all namespaces
curl http://localhost:8787/admin/cache/stats{
"success": true,
"data": {
"global": {
"totalRequests": 15234,
"memoryHits": 12450,
"kvHits": 1892,
"dbHits": 892,
"hitRate": 94.1
},
"byNamespace": {
"content": {
"memoryHits": 8234,
"kvHits": 892,
"hitRate": 96.2
},
"user": {
"memoryHits": 2891,
"kvHits": 567,
"hitRate": 92.8
}
}
}
}Cache Stats
POST /admin/cache/clear Clear all cache entries across all tiers
POST /admin/cache/invalidate Invalidate cache entries matching a pattern
curl -X POST http://localhost:8787/admin/cache/invalidate \
-H "Content-Type: application/json" \
-d '{
"pattern": "content:*",
"namespace": "content"
}'Invalidate Cache
GET /admin/cache/browser Browse and inspect individual cache entries
POST /admin/cache/warm Pre-populate cache with frequently accessed data
Usage in Code
import { getCacheService } from 'catcms-core'
// Get cache service for your namespace
const cache = getCacheService({
namespace: 'my-plugin',
ttl: 600,
memoryEnabled: true,
kvEnabled: false,
invalidateOn: ['my-plugin:update'],
version: 'v1',
})
// Get value from cache
const data = await cache.get('key')
// Set value in cache
await cache.set('key', data)
// Get or set pattern
const result = await cache.getOrSet('key', async () => {
return await fetchExpensiveData()
})
// Invalidate by pattern
await cache.invalidate('user:*')
// Get statistics
const stats = cache.getStats()Using Cache Service
Cache Namespaces
content - Content and pages (TTL: 1 hour) user - User data and profiles (TTL: 15 minutes) api - API response data (TTL: 5 minutes) media - Media file metadata (TTL: 1 hour) auth - Authentication tokens (TTL: 5 minutes)
Hooks
content:update- Invalidates content cachecontent:delete- Invalidates content cacheuser:update- Invalidates user cacheauth:login- Invalidates user cache
Database Tools
The database tools plugin provides administrative utilities for database management and development.
Features
- Migration Runner - Execute database migrations
- Schema Browser - View tables, columns, and indexes
- Query Console - Execute SQL queries directly
- Table Inspector - View table data and statistics
- Backup and Restore - Database backup utilities
- Performance Metrics - Query performance analysis
Configuration
{
name: 'database-tools-plugin',
version: '1.0.0',
settings: {
enableQueryConsole: true, // Enable SQL query console
maxQueryRows: 1000, // Max rows returned
enableBackups: true, // Enable backup functionality
autoMigration: true // Auto-run migrations on startup
}
}Plugin Configuration
API Endpoints
GET /admin/database/tables List all database tables
GET /admin/database/tables/:name View table schema and data
POST /admin/database/query Execute a SQL query
curl -X POST http://localhost:8787/admin/database/query \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${token}" \
-d '{
"query": "SELECT * FROM content LIMIT 10"
}'Execute Query
POST /admin/database/migrations/run Run pending migrations
GET /admin/database/migrations/status Check migration status
Services
const databaseService = {
// List all tables
getTables(): Promise<Table[]>
// Get table schema
getTableSchema(tableName: string): Promise<Schema>
// Execute query
executeQuery(sql: string, params?: any[]): Promise<Result>
// Run migrations
runMigrations(): Promise<MigrationResult[]>
// Create backup
createBackup(): Promise<Backup>
}Database Service
Admin Pages
- /admin/database - Database dashboard
- /admin/database/tables - Table browser
- /admin/database/query - Query console
- /admin/database/migrations - Migration manager
The database tools plugin is restricted to admin users only for security. Never expose database query capabilities to untrusted users.
Seed Data Plugin
The seed data plugin generates sample data for development and testing purposes.
Features
- Sample Content - Generate blog posts, pages, and articles
- Test Users - Create user accounts with various roles
- Media Files - Generate placeholder images and files
- Collections - Populate custom collections with data
- Relationships - Create related data (users, posts, comments)
- Customizable - Configure data generation parameters
Configuration
{
name: 'seed-data-plugin',
version: '1.0.0',
settings: {
enabled: false, // Disable in production
autoSeed: false, // Auto-seed on first run
contentCount: 50, // Number of content items
userCount: 10, // Number of test users
mediaCount: 20 // Number of media files
}
}Plugin Configuration
API Endpoints
POST /admin/seed-data/generate Generate seed data
curl -X POST http://localhost:8787/admin/seed-data/generate \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${token}" \
-d '{
"contentCount": 50,
"userCount": 10,
"mediaCount": 20,
"clearExisting": false
}'Generate Seed Data
POST /admin/seed-data/clear Clear all seed data
GET /admin/seed-data/status Check seed data status
Usage
import { generateSeedData } from 'catcms-core'
// Generate seed data programmatically
await generateSeedData({
content: {
count: 50,
collections: ['blog_posts', 'pages'],
},
users: {
count: 10,
roles: ['admin', 'editor', 'author'],
},
media: {
count: 20,
types: ['image', 'video', 'document'],
},
})Seed Data Generation
Admin Pages
- /admin/seed-data - Seed data generator interface
The seed data plugin should be disabled in production environments. Itβs designed for development and testing only.