@01.software/init 0.9.1 → 0.10.0

package/dist/create-app-templates/ecommerce/lib/customer/client.server.ts

@@ -0,0 +1,109 @@
+import "../server-only-guard.ts";
+import type { CartSyncCommerce } from "./cart-sync.ts";
+
+/**
+ * Per-request customer SDK client.
+ *
+ * Customer auth uses the **browser** SDK client (`createClient`, root export),
+ * not the server client — there is **no secret key** involved. The customer JWT
+ * is the only credential; the publishable key routes the tenant. The browser
+ * client is server-safe with `customer: { persist: false, token }`: `window` is
+ * `typeof`-guarded and the `localStorage` path is skipped when `persist` is
+ * false, so it runs inside a Next.js route handler without throwing.
+ *
+ * A fresh client is built per request because the JWT comes from the request
+ * cookie — clients are not shared across requests. The SDK is imported
+ * dynamically so this module stays importable under `node --test` (mirrors the
+ * commerce adapter's `await import('@01.software/sdk/server')`).
+ */
+
+export interface CustomerClientConfig {
+  publishableKey: string;
+  apiUrl: string | undefined;
+}
+
+/** Minimal shape of the SDK customer-auth surface this template uses. */
+export interface CustomerAuthClient {
+  customer: {
+    auth: {
+      login(data: { email: string; password: string }): Promise<{
+        token: string;
+        customer: unknown;
+      }>;
+      register(data: {
+        name: string;
+        email: string;
+        password: string;
+        phone?: string;
+      }): Promise<{ customer: unknown }>;
+      me(): Promise<unknown | null>;
+    };
+  };
+}
+
+/**
+ * Minimal shape of the customer-JWT commerce client the login cart-sync uses;
+ * its `commerce` namespace is the {@link CartSyncCommerce} merge/mine surface.
+ */
+export interface CustomerCommerceClient {
+  commerce: CartSyncCommerce;
+}
+
+/**
+ * Resolve customer-client config from the environment, or `null` when 01.software
+ * credentials are not configured (e.g. the zero-backend mock demo). Only the
+ * publishable key is required — customer auth never uses the secret key.
+ */
+export function getCustomerClientConfig(
+  env: NodeJS.ProcessEnv = process.env,
+): CustomerClientConfig | null {
+  const publishableKey = env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY?.trim();
+  if (!publishableKey) return null;
+  const apiUrl =
+    env.SOFTWARE_API_URL?.trim() || env.NEXT_PUBLIC_SOFTWARE_API_URL?.trim();
+  return { publishableKey, apiUrl: apiUrl || undefined };
+}
+
+/** Whether customer auth is available in this deployment. */
+export function isCustomerAuthEnabled(
+  env: NodeJS.ProcessEnv = process.env,
+): boolean {
+  return getCustomerClientConfig(env) !== null;
+}
+
+/**
+ * Build a per-request customer SDK client bound to `token` (the JWT from the
+ * session cookie, or `null` for an anonymous client used only for login/
+ * register). Returns `null` when credentials are not configured.
+ */
+export async function createCustomerClient(
+  token: string | null,
+  config: CustomerClientConfig | null = getCustomerClientConfig(),
+): Promise<CustomerAuthClient | null> {
+  if (!config) return null;
+  const { createClient } = await import("@01.software/sdk");
+  return createClient({
+    publishableKey: config.publishableKey,
+    apiUrl: config.apiUrl,
+    customer: { persist: false, token: token ?? undefined },
+  }) as unknown as CustomerAuthClient;
+}
+
+/**
+ * Build a per-request customer-JWT commerce client for the login cart-sync
+ * (merge/mine). Same browser SDK client family as {@link createCustomerClient}
+ * (publishable key + JWT, no secret); returns `null` when credentials are not
+ * configured.
+ */
+export async function createCustomerCommerceClient(
+  token: string,
+  config: CustomerClientConfig | null = getCustomerClientConfig(),
+): Promise<CustomerCommerceClient | null> {
+  if (!config) return null;
+  const { createClient } = await import("@01.software/sdk");
+  return createClient({
+    publishableKey: config.publishableKey,
+    apiUrl: config.apiUrl,
+    customer: { persist: false, token },
+  }) as unknown as CustomerCommerceClient;
+}

package/dist/create-app-templates/ecommerce/lib/customer/current-customer.ts

@@ -0,0 +1,15 @@
+import "../server-only-guard.ts";
+import type { CustomerSummary } from "./auth-actions.ts";
+import { loadCustomer } from "./auth-actions.ts";
+import { getSessionToken } from "./session.ts";
+
+/**
+ * Resolve the current customer for render paths (Server Components). Read-only
+ * and crash-proof: an expired/invalid token or a backend error resolves to
+ * `null` (guest), and the cookie is **not** mutated here (cookies are not
+ * writable during RSC render). Returns `null` with no network call when customer
+ * auth is not configured.
+ */
+export async function getCurrentCustomer(): Promise<CustomerSummary | null> {
+  return loadCustomer(await getSessionToken());
+}

package/dist/create-app-templates/ecommerce/lib/customer/route-guard.ts

@@ -0,0 +1,58 @@
+/**
+ * CSRF guard for the customer auth mutation routes.
+ *
+ * The session JWT lives in a SameSite=lax cookie, so a cross-site form POST
+ * could otherwise ride the cookie. Two cheap, layered checks defeat that without
+ * a token round-trip:
+ *
+ * 1. **`application/json` content-type, rejected hard.** A cross-site HTML form
+ *    can only send `application/x-www-form-urlencoded`, `multipart/form-data`, or
+ *    `text/plain` — never `application/json` (that would require a CORS preflight
+ *    the server never allows). Same-origin `fetch` sets it freely.
+ * 2. **Same-origin `Origin`.** When the browser sends an `Origin` header it must
+ *    match the request host; a mismatch is a cross-site request and is rejected.
+ *
+ * Both checks are pure over the `Request`, so they unit-test without a server.
+ */
+
+export class CsrfError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "CsrfError";
+  }
+}
+
+function requestHost(request: Request): string | null {
+  // `x-forwarded-host` is the deployed host behind Vercel/most proxies. It is a
+  // forbidden header for browser `fetch`, so a real cross-site request cannot
+  // set it; the JSON content-type check above is the primary defense regardless.
+  // If you self-host without a trusted proxy that sets this, compare `host`.
+  const forwarded = request.headers.get("x-forwarded-host");
+  if (forwarded) return forwarded.split(",")[0]!.trim();
+  return request.headers.get("host");
+}
+
+/**
+ * Throw `CsrfError` unless the request is a same-origin JSON request. Call at the
+ * top of every state-changing auth route handler.
+ */
+export function assertSameOriginJson(request: Request): void {
+  const contentType = request.headers.get("content-type") ?? "";
+  if (!contentType.toLowerCase().includes("application/json")) {
+    throw new CsrfError("Request must be application/json");
+  }
+
+  const origin = request.headers.get("origin");
+  if (origin) {
+    let originHost: string;
+    try {
+      originHost = new URL(origin).host;
+    } catch {
+      throw new CsrfError("Invalid Origin header");
+    }
+    const host = requestHost(request);
+    if (!host || originHost !== host) {
+      throw new CsrfError("Cross-origin request rejected");
+    }
+  }
+}

package/dist/create-app-templates/ecommerce/lib/customer/route-helpers.ts

@@ -0,0 +1,75 @@
+import { CsrfError } from "./route-guard.ts";
+
+/** Map an auth-route error to a public JSON response with a sensible status. */
+export function authErrorResponse(error: unknown): Response {
+  if (error instanceof CsrfError) {
+    return Response.json(
+      { code: "forbidden", message: error.message },
+      { status: 403 },
+    );
+  }
+  if (error instanceof SyntaxError) {
+    // request.json() on a non-JSON / malformed body.
+    return Response.json(
+      { code: "invalid_request", message: "Request body must be JSON" },
+      { status: 400 },
+    );
+  }
+  // Validation errors from the `parse*` helpers carry safe, caller-facing
+  // messages; anything else is internal and must not leak verbatim.
+  const message = error instanceof Error ? error.message : "Request failed";
+  if (/required|must be/.test(message)) {
+    return Response.json({ code: "invalid_request", message }, { status: 400 });
+  }
+  return Response.json(
+    { code: "auth_failed", message: "Request failed" },
+    { status: 500 },
+  );
+}
+
+function asRecord(input: unknown): Record<string, unknown> {
+  if (!input || typeof input !== "object" || Array.isArray(input)) {
+    throw new Error("Request body must be an object");
+  }
+  return input as Record<string, unknown>;
+}
+
+function requiredString(input: unknown, field: string): string {
+  if (typeof input !== "string" || input.trim() === "") {
+    throw new Error(`${field} is required`);
+  }
+  return input.trim();
+}
+
+function optionalString(input: unknown): string | undefined {
+  if (input === undefined || input === null || input === "") return undefined;
+  if (typeof input !== "string") return undefined;
+  return input.trim() || undefined;
+}
+
+export function parseLogin(input: unknown): {
+  email: string;
+  password: string;
+} {
+  const body = asRecord(input);
+  return {
+    email: requiredString(body.email, "email"),
+    password: requiredString(body.password, "password"),
+  };
+}
+
+export function parseRegister(input: unknown): {
+  name: string;
+  email: string;
+  password: string;
+  phone?: string;
+} {
+  const body = asRecord(input);
+  const phone = optionalString(body.phone);
+  return {
+    name: requiredString(body.name, "name"),
+    email: requiredString(body.email, "email"),
+    password: requiredString(body.password, "password"),
+    ...(phone ? { phone } : {}),
+  };
+}

package/dist/create-app-templates/ecommerce/lib/customer/session.ts

@@ -0,0 +1,108 @@
+import "../server-only-guard.ts";
+// Relative (not the `@/` alias) so the pure cookie helpers stay importable under
+// `node --test`, which does not resolve tsconfig path aliases.
+import { appConfig } from "../../app-config.ts";
+
+/**
+ * Customer session cookie. It holds the customer JWT issued by
+ * `client.customer.auth.*` and is **HttpOnly + Secure (prod) + SameSite=lax** so
+ * it is invisible to client JS (XSS) and only travels on same-site requests. The
+ * JWT is the session credential the server attaches to per-request SDK calls
+ * (`lib/customer/client.server.ts`); the browser never sees it.
+ *
+ * `.set`/`.delete` are only valid in Route Handlers / Server Functions, never
+ * during Server Component render — keep cookie writes in the `app/api/auth/*`
+ * routes. Render paths read this cookie but must not mutate it.
+ *
+ * The cookie read/write/clear logic is split into pure functions over a minimal
+ * cookie-store shape so it stays unit-testable; `next/headers` is imported
+ * dynamically inside the async wrappers (the `server-only` npm package is
+ * avoided — its default export throws under `node --test`).
+ */
+
+const COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days — matches a typical JWT lifetime
+
+/** The subset of the Next.js cookie store this module needs. */
+export interface SessionCookieStore {
+  get(name: string): { value: string } | undefined;
+  set(name: string, value: string, options: SessionCookieOptions): void;
+  delete(name: string): void;
+}
+
+export interface SessionCookieOptions {
+  httpOnly: boolean;
+  secure: boolean;
+  sameSite: "lax";
+  path: string;
+  maxAge: number;
+}
+
+/** Build the hardened cookie options for the customer session JWT. */
+export function sessionCookieOptions(): SessionCookieOptions {
+  return {
+    httpOnly: true,
+    // Secure cookies are dropped by browsers over plain http, so allow http in
+    // local dev and enforce Secure in production.
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: COOKIE_MAX_AGE_SECONDS,
+  };
+}
+
+/** Read the customer JWT from a cookie store, or `null` when none is set. */
+export function readSessionToken(store: SessionCookieStore): string | null {
+  return store.get(appConfig.customerKey)?.value ?? null;
+}
+
+/** Write the customer JWT to a cookie store with hardened options. */
+export function writeSessionToken(
+  store: SessionCookieStore,
+  token: string,
+): void {
+  store.set(appConfig.customerKey, token, sessionCookieOptions());
+}
+
+/** Remove the customer JWT from a cookie store. */
+export function clearSessionToken(store: SessionCookieStore): void {
+  store.delete(appConfig.customerKey);
+}
+
+/**
+ * Clear both the customer session JWT and the active-cart cookie on a store. The
+ * single cart-token handle is slaved to the session, so logout drops both
+ * atomically — otherwise the next anonymous (or different) session would inherit
+ * the prior identity's customer-cart handle.
+ */
+export function clearSessionAndCartTokens(store: SessionCookieStore): void {
+  store.delete(appConfig.customerKey);
+  store.delete(appConfig.cartKey);
+}
+
+async function cookieStore(): Promise<SessionCookieStore> {
+  const { cookies } = await import("next/headers");
+  return (await cookies()) as unknown as SessionCookieStore;
+}
+
+/** Read the current customer JWT from the request cookies (Route Handler / RSC). */
+export async function getSessionToken(): Promise<string | null> {
+  return readSessionToken(await cookieStore());
+}
+
+/** Set the customer JWT cookie. Route Handlers / Server Functions only. */
+export async function setSessionToken(token: string): Promise<void> {
+  writeSessionToken(await cookieStore(), token);
+}
+
+/** Clear the customer JWT cookie. Route Handlers / Server Functions only. */
+export async function clearSession(): Promise<void> {
+  clearSessionToken(await cookieStore());
+}
+
+/**
+ * Clear the customer JWT cookie and the active-cart cookie together (logout).
+ * Route Handlers / Server Functions only.
+ */
+export async function clearSessionAndCart(): Promise<void> {
+  clearSessionAndCartTokens(await cookieStore());
+}

package/dist/create-app-templates/ecommerce/lib/format.ts

@@ -0,0 +1,7 @@
+export function formatMoney(amount: number, currency = "KRW"): string {
+  return new Intl.NumberFormat("ko-KR", {
+    style: "currency",
+    currency,
+    maximumFractionDigits: 0,
+  }).format(amount);
+}

package/dist/create-app-templates/ecommerce/lib/payment/adapters/mock.ts

@@ -0,0 +1,84 @@
+import '../../server-only-guard.ts'
+import { existsSync, readFileSync, writeFileSync } from 'node:fs'
+import { join } from 'node:path'
+import type { PaymentProvider } from '../provider.ts'
+import type { ProviderPayment } from '../types.ts'
+
+const paymentStorePath = join(process.cwd(), '.mock-payments.json')
+
+export function createMockPaymentProvider(): PaymentProvider {
+  return {
+    provider: 'mock',
+
+    async requestPayment(input) {
+      writeMockPayment({
+        paymentId: input.paymentId,
+        status: 'paid',
+        amount: input.amount,
+        provider: 'mock',
+        orderNumber: input.orderNumber,
+      })
+
+      const params = new URLSearchParams({
+        paymentId: input.paymentId,
+        orderNumber: input.orderNumber,
+      })
+
+      return {
+        ok: true,
+        paymentId: input.paymentId,
+        redirectUrl: `/api/checkout/payment-return?${params.toString()}`,
+      }
+    },
+
+    async getPayment(paymentId) {
+      return readMockPayment(paymentId)
+    },
+
+    async confirmPayment(input) {
+      const payment = await this.getPayment(input.paymentId)
+      if (!payment) throw new Error('Payment not found')
+      return payment
+    },
+
+    async verifyWebhook(request) {
+      const body = (await request.json()) as {
+        paymentId?: string
+        eventId?: string
+      }
+
+      if (!body.paymentId || !body.eventId) {
+        throw new Error('Invalid mock webhook')
+      }
+
+      return {
+        type: 'payment.updated',
+        paymentId: body.paymentId,
+        eventId: body.eventId,
+      }
+    },
+  }
+}
+
+function readMockPayment(paymentId: string): ProviderPayment | null {
+  return readMockPayments()[paymentId] ?? null
+}
+
+function writeMockPayment(payment: ProviderPayment): void {
+  const payments = readMockPayments()
+  payments[payment.paymentId] = payment
+  writeFileSync(paymentStorePath, JSON.stringify(payments, null, 2))
+}
+
+function readMockPayments(): Record<string, ProviderPayment> {
+  if (!existsSync(paymentStorePath)) return {}
+
+  try {
+    return JSON.parse(readFileSync(paymentStorePath, 'utf8')) as Record<
+      string,
+      ProviderPayment
+    >
+  } catch {
+    return {}
+  }
+}