npm - @akinon/next - Versions diffs - 2.0.0-beta.20 → 2.0.0-beta.22 - Mend

@akinon/next 2.0.0-beta.20 → 2.0.0-beta.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,20 @@
 # @akinon/next
+## 2.0.0-beta.22
+## 2.0.0-beta.21
+### Patch Changes
+- 5d44ff77: ZERO-4312: Extract ThemePlaceholder system into new @akinon/pz-theme package and strip native widget code
+  Introduce a dedicated `@akinon/pz-theme` package that contains the ThemePlaceholder system (CMS-driven sections/blocks, designer features, utilities). Remove native widget registration infrastructure from both `@akinon/pz-theme` and `projectzeronext` so the beta branch can be merged to main with only stable ThemePlaceholder functionality. Native widget integrations will be reintroduced via `@akinon/pz-theme` once they stabilize on the `theme-editor` branch.
+  Consumers should update imports:
+  - `@akinon/next/components/theme-editor/*` -> `@akinon/pz-theme/src/*`
+  - Add `@akinon/pz-theme` to package.json dependencies (matching `@akinon/next` version)
 ## 2.0.0-beta.20
 ### Minor Changes
@@ -10,6 +25,16 @@
 - 1d10dde2: ZERO-3553: Add alignment style for image components
 - 74c6a237: ZERO-3060: Drag and drop functionality on the site implemented
+## 1.126.0
+## 1.125.2
+## 1.125.1
+### Patch Changes
+- 06da9a95: ZERO-4241: Upgrade Next.js from 14.2.25 to 14.2.35 to fix security vulnerabilities (CVE-2025-55184, CVE-2025-67779)
 ## 1.125.0
 ### Minor Changes

package/api/auth.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import NextAuth, { Session, CredentialsSignin } from 'next-auth';
+import NextAuth, { Session } from 'next-auth';
 import Credentials from 'next-auth/providers/credentials';
 import { ROUTES } from 'routes';
 import { URLS, user } from '../data/urls';
@@ -10,16 +10,7 @@ import getRootHostname from '../utils/get-root-hostname';
 import { LocaleUrlStrategy } from '../localization';
 import { cookies, headers } from 'next/headers';
-import type { NextAuthConfig } from 'next-auth';
-class PzCredentialsError extends CredentialsSignin {
-  code = 'credentials';
-  constructor(errors: AuthError[]) {
-    super();
-    this.code = JSON.stringify(errors);
-  }
-}
+// Shared helper
 async function getCurrentUser(sessionId: string, currency = '') {
   const reqHeaders = {
     'Content-Type': 'application/json',
@@ -52,16 +43,56 @@ async function getCurrentUser(sessionId: string, currency = '') {
   };
 }
-type CustomNextAuthOptions = () => Partial<NextAuthConfig>;
+// Runtime-detected error throwing: uses CredentialsSignin on v5, plain Error on v4
+function throwAuthError(errors: AuthError[]): never {
+  const nextAuthModule = require('next-auth');
+  if (nextAuthModule.CredentialsSignin) {
+    class PzCredentialsError extends nextAuthModule.CredentialsSignin {
+      code = 'credentials';
+      constructor(errs: AuthError[]) {
+        super();
+        this.code = JSON.stringify(errs);
+      }
+    }
+    throw new PzCredentialsError(errors);
+  }
+  throw new Error(JSON.stringify(errors));
+}
+// Shared credential config used by both v4 and v5 error handling
+function buildFieldErrors(response: any) {
+  const errors = [] as AuthError[];
+  const fieldErrors = Object.keys(response ?? {})
+    .filter((key) => key !== 'non_field_errors')
+    .map((key) => ({
+      name: key,
+      value: response[key]
+    }));
+  if (response.redirect_url?.includes('captcha')) {
+    errors.push({ type: 'captcha' });
+  } else if (fieldErrors.length) {
+    errors.push({ type: 'field_errors', data: fieldErrors });
+  } else if (response.non_field_errors) {
+    errors.push({ type: 'non_field_errors', data: response.non_field_errors });
+  }
+  return errors;
+}
-const getDefaultAuthConfig = (): NextAuthConfig => {
+// ============================================================
+// v5 (App Router / next-auth v5) — named export for new brands
+// ============================================================
+const getDefaultAuthConfig = () => {
   return {
     providers: [
       Credentials({
         id: 'oauth',
         name: 'credentials',
         credentials: {},
-        authorize: async (credentials) => {
+        authorize: async (credentials: any) => {
           const cookieStore = await cookies();
           const sessionId = cookieStore.get('osessionid')?.value;
@@ -90,13 +121,13 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
           locale: {},
           captchaValidated: {}
         },
-        authorize: async (credentials) => {
+        authorize: async (credentials: any) => {
           const cookieStore = await cookies();
           const headerStore = await headers();
           const reqHeaders: HeadersInit = new Headers();
           const language = Settings.localization.locales.find(
-            (item) => item.value === (credentials as any).locale
+            (item: any) => item.value === credentials.locale
           ).apiValue;
           const userIp = headerStore.get('x-forwarded-for') ?? '';
@@ -119,7 +150,7 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
           );
           logger.debug('Trying to login/register', {
-            formType: (credentials as any).formType,
+            formType: credentials.formType,
             userIp
           });
@@ -139,7 +170,7 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
           }
           const apiRequest = await fetch(
-            `${Settings.commerceUrl}${user[(credentials as any).formType]}`,
+            `${Settings.commerceUrl}${user[credentials.formType]}`,
             {
               method: 'POST',
               headers: reqHeaders,
@@ -173,7 +204,7 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
           }
           if (sessionId) {
-            const maxAge = 30 * 24 * 60 * 60; // 30 days in seconds
+            const maxAge = 30 * 24 * 60 * 60;
             const { localeUrlStrategy } = Settings.localization;
             const fallbackHost =
@@ -199,44 +230,14 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
           }
           if (!response.key) {
-            const errors = [] as AuthError[];
-            const fieldErrors = Object.keys(response ?? {})
-              .filter((key) => key !== 'non_field_errors')
-              .map((key) => {
-                return {
-                  name: key,
-                  value: response[key]
-                };
-              });
-            if (response.redirect_url?.includes('captcha')) {
-              errors.push({
-                type: 'captcha'
-              });
-              logger.debug('Captcha required', {
-                email: (credentials as any).email,
-                formType: (credentials as any).formType
-              });
-            } else if (apiRequest.status === 202) {
-              errors.push({
-                type: 'otp'
-              });
-            } else if (fieldErrors.length) {
-              errors.push({
-                type: 'field_errors',
-                data: fieldErrors
-              });
-            } else if (response.non_field_errors) {
-              errors.push({
-                type: 'non_field_errors',
-                data: response.non_field_errors
-              });
+            const errors = buildFieldErrors(response);
+            if (apiRequest.status === 202) {
+              errors.push({ type: 'otp' });
             }
             if (errors.length) {
-              throw new PzCredentialsError(errors);
+              throwAuthError(errors);
             }
           }
@@ -249,14 +250,14 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
       })
     ],
     callbacks: {
-      jwt: async ({ token, user }) => {
+      jwt: async ({ token, user }: any) => {
         if (user) {
           token.user = user;
         }
         return token;
       },
-      async session({ session, token }) {
+      async session({ session, token }: any) {
         session.user = token.user as any;
         return session;
       },
@@ -300,11 +301,11 @@ const getDefaultAuthConfig = (): NextAuthConfig => {
   };
 };
-export const createAuth = (customOptions?: CustomNextAuthOptions) => {
+export const createAuth = (customOptions?: () => Partial<any>) => {
   const baseConfig = getDefaultAuthConfig();
   const customConfig = customOptions ? customOptions() : {};
-  const mergedConfig: NextAuthConfig = {
+  const mergedConfig = {
     trustHost: true,
     ...baseConfig,
     ...customConfig,
@@ -326,7 +327,238 @@ export const createAuth = (customOptions?: CustomNextAuthOptions) => {
     }
   };
-  return NextAuth(mergedConfig);
+  return (NextAuth as any)(mergedConfig);
+};
+// ============================================================
+// v4 (Pages Router / next-auth v4) — default export for backward compat
+// ============================================================
+const defaultNextAuthOptionsV4 = (req: any, res: any) => {
+  return {
+    providers: [
+      Credentials({
+        id: 'oauth',
+        name: 'credentials',
+        credentials: {},
+        authorize: async () => {
+          const sessionId = req.cookies['osessionid'];
+          if (!sessionId) {
+            return null;
+          }
+          const currentUser = await getCurrentUser(
+            sessionId,
+            req.cookies['pz-currency'] ?? ''
+          );
+          return currentUser;
+        }
+      }),
+      Credentials({
+        id: 'default',
+        name: 'credentials',
+        credentials: {
+          email: { label: 'Email', type: 'email', placeholder: 'Email' },
+          password: {
+            label: 'Password',
+            type: 'password',
+            placeholder: 'Password'
+          },
+          formType: {},
+          locale: {},
+          captchaValidated: {}
+        },
+        authorize: async (credentials: any) => {
+          const reqHeaders: HeadersInit = new Headers();
+          const language = Settings.localization.locales.find(
+            (item: any) => item.value === credentials.locale
+          ).apiValue;
+          const userIp = req.headers['x-forwarded-for']?.toString() ?? '';
+          reqHeaders.set('Content-Type', 'application/json');
+          reqHeaders.set('cookie', `${req.headers.cookie}`);
+          reqHeaders.set('Accept-Language', `${language}`);
+          reqHeaders.set('x-currency', req.cookies['pz-currency'] ?? '');
+          reqHeaders.set('x-forwarded-for', userIp);
+          reqHeaders.set(
+            'x-app-device',
+            req.headers['x-app-device']?.toString() ?? ''
+          );
+          reqHeaders.set('x-frontend-id', req.cookies['pz-frontend-id'] || '');
+          logger.debug('Trying to login/register', {
+            formType: credentials.formType,
+            userIp
+          });
+          const checkCurrentUser = await getCurrentUser(
+            req.cookies['osessionid'] ?? '',
+            req.cookies['pz-currency'] ?? ''
+          );
+          if (checkCurrentUser?.pk) {
+            const sessionCookie = reqHeaders
+              .get('cookie')
+              ?.match(/osessionid=\w+/)?.[0]
+              .replace(/osessionid=/, '');
+            if (sessionCookie) {
+              reqHeaders.set('cookie', sessionCookie);
+            }
+          }
+          const apiRequest = await fetch(
+            `${Settings.commerceUrl}${user[credentials.formType]}`,
+            {
+              method: 'POST',
+              headers: reqHeaders,
+              body: JSON.stringify(credentials)
+            }
+          );
+          logger.info(`Login/Register request result: ${apiRequest.status}`, {
+            userIp
+          });
+          const response = (await apiRequest.json()) as {
+            key: string;
+            non_field_errors: string[];
+            redirect_url: string;
+          };
+          logger.debug(`Login/Register response: ${JSON.stringify(response)}`);
+          let sessionId = '';
+          const setCookieHeader = apiRequest.headers.get('set-cookie');
+          if (setCookieHeader) {
+            sessionId =
+              setCookieHeader
+                .match(/osessionid=\w+/)?.[0]
+                .replace(/osessionid=/, '') || '';
+            logger.debug(`Login/Register session id: ${sessionId}`);
+          } else {
+            logger.warn('No set-cookie header found in response');
+          }
+          if (sessionId) {
+            const maxAge = 30 * 24 * 60 * 60;
+            const { localeUrlStrategy } = Settings.localization;
+            const fallbackHost =
+              req.headers['x-forwarded-host']?.toString() ||
+              req.headers.host?.toString();
+            const hostname =
+              process.env.NEXT_PUBLIC_URL || `https://${fallbackHost}`;
+            const rootHostname =
+              localeUrlStrategy === LocaleUrlStrategy.Subdomain
+                ? getRootHostname(hostname)
+                : null;
+            const domainOption = rootHostname ? `Domain=${rootHostname};` : '';
+            const cookieOptions = `Path=/; HttpOnly; Secure; Max-Age=${maxAge}; ${domainOption}`;
+            res.setHeader('Set-Cookie', [
+              `osessionid=${sessionId}; ${cookieOptions}`,
+              `sessionid=${sessionId}; ${cookieOptions}`
+            ]);
+          }
+          if (!response.key) {
+            const errors = buildFieldErrors(response);
+            if (apiRequest.status === 202) {
+              errors.push({ type: 'otp' });
+            }
+            if (errors.length) {
+              throwAuthError(errors);
+            }
+          }
+          const currentUser = await getCurrentUser(
+            sessionId,
+            req.cookies['pz-currency'] ?? ''
+          );
+          return currentUser;
+        }
+      })
+    ],
+    callbacks: {
+      jwt: async ({ token, user }: any) => {
+        if (user) {
+          token.user = user;
+        }
+        return token;
+      },
+      async session({ session, user, token }: any) {
+        session.user = token.user as Session['user'];
+        return session;
+      },
+      async redirect({ url, baseUrl }: { url: string; baseUrl: string }) {
+        const pathname = url.startsWith('/') ? url : url.replace(baseUrl, '');
+        const pathnameWithoutLocale = pathname.replace(
+          urlLocaleMatcherRegex,
+          ''
+        );
+        const localeResults = req.headers.referer
+          ?.replace(baseUrl, '')
+          ?.match(urlLocaleMatcherRegex);
+        return `${baseUrl}${localeResults?.[0] || ''}${pathnameWithoutLocale}`;
+      }
+    },
+    events: {
+      signIn: () => {
+        logger.debug('Successfully signed in');
+      },
+      signOut: () => {
+        res.setHeader('Set-Cookie', [
+          `osessionid=; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`,
+          `sessionid=; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`
+        ]);
+        logger.debug('Successfully signed out');
+      }
+    },
+    pages: {
+      signIn: ROUTES.AUTH,
+      error: ROUTES.AUTH
+    }
+  };
+};
+const Auth = (
+  req: any,
+  res: any,
+  customOptions?: (req: any, res: any) => Partial<any>
+) => {
+  const baseOptions = defaultNextAuthOptionsV4(req, res);
+  const customOptionsResult = customOptions ? customOptions(req, res) : {};
+  const mergedOptions = {
+    ...baseOptions,
+    ...customOptionsResult,
+    providers: [
+      ...baseOptions.providers,
+      ...(customOptionsResult.providers || [])
+    ],
+    callbacks: {
+      ...baseOptions.callbacks,
+      ...customOptionsResult.callbacks
+    },
+    events: {
+      ...baseOptions.events,
+      ...customOptionsResult.events
+    },
+    pages: {
+      ...baseOptions.pages,
+      ...customOptionsResult.pages
+    }
+  };
+  return (NextAuth as any)(req, res, mergedOptions);
 };
-export default createAuth;
+export default Auth;

package/bin/pz-install-plugins.js CHANGED Viewed

@@ -26,7 +26,7 @@ try {
   process.exit(1);
 }
-const protectedPackages = ['@akinon/next', 'next'];
+const protectedPackages = ['@akinon/next', '@akinon/pz-theme', 'next'];
 const pluginsToRemove = Object.keys(packageJson.dependencies || {}).filter(
   (dep) =>

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@akinon/next",
   "description": "Core package for Project Zero Next",
-  "version": "2.0.0-beta.20",
+  "version": "2.0.0-beta.22",
   "private": false,
   "license": "MIT",
   "bin": {
@@ -24,7 +24,7 @@
     "@opentelemetry/sdk-node": "0.46.0",
     "@opentelemetry/sdk-trace-node": "1.19.0",
     "@opentelemetry/semantic-conventions": "1.19.0",
-    "@reduxjs/toolkit": "2.11.2",
+    "@reduxjs/toolkit": "1.9.7",
     "@sentry/nextjs": "10.39.0",
     "cross-spawn": "7.0.3",
     "generic-pool": "3.9.0",
@@ -37,7 +37,7 @@
     "set-cookie-parser": "2.6.0"
   },
   "devDependencies": {
-    "@akinon/eslint-plugin-projectzero": "2.0.0-beta.20",
+    "@akinon/eslint-plugin-projectzero": "2.0.0-beta.22",
     "@babel/core": "7.26.10",
     "@babel/preset-env": "7.26.9",
     "@babel/preset-typescript": "7.27.0",

package/types/index.ts CHANGED Viewed

@@ -275,17 +275,20 @@ export interface PzSegmentsConfig {
   segments: PzSegmentDefinition[];
 }
-// Next.js 16 async page/layout props (for exported page components and generateMetadata)
+// Search params type compatible with both Next.js resolved searchParams and URLSearchParams
+export type SearchParams = Record<string, string | string[] | undefined> | URLSearchParams;
+// Page/Layout props — sync params for backward compatibility with v1 brands
 export interface PageProps<T = any> {
-  params: Promise<T & {
+  params: T & {
     pz?: string;
     commerce?: string;
     locale?: string;
     currency?: string;
     url?: string;
     [key: string]: any;
-  }>;
-  searchParams: Promise<{ [key: string]: string | string[] | undefined }>;
+  };
+  searchParams: SearchParams;
 }
 export interface LayoutProps<T = any> extends PageProps<T> {
@@ -299,8 +302,18 @@ export interface RootLayoutProps<T = any> extends LayoutProps<T> {
   };
 }
-// Search params type compatible with both Next.js resolved searchParams and URLSearchParams
-export type SearchParams = Record<string, string | string[] | undefined> | URLSearchParams;
+// Async versions for Next.js 16 generateMetadata and internal use
+export interface AsyncPageProps<T = any> {
+  params: Promise<T & {
+    pz?: string;
+    commerce?: string;
+    locale?: string;
+    currency?: string;
+    url?: string;
+    [key: string]: any;
+  }>;
+  searchParams: Promise<{ [key: string]: string | string[] | undefined }>;
+}
 // Resolved (sync) versions for inner components after withSegmentDefaults resolves props
 export interface ResolvedPageProps<T = any> {

package/types/next-auth.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import 'next-auth';
 declare module 'next-auth' {
   interface User {
-    id?: string;
+    id?: number | string;
     pk: number;
     firstName: string;
     lastName: string;

package/with-pz-config.js CHANGED Viewed

@@ -5,7 +5,7 @@ const deepMerge = require('./utils/deep-merge');
 /** @type {import('next').NextConfig} */
 const defaultConfig = {
   reactStrictMode: true,
-  transpilePackages: ['@akinon/next', ...pzPlugins.map((p) => `@akinon/${p}`)],
+  transpilePackages: ['@akinon/next', '@akinon/pz-theme', ...pzPlugins.map((p) => `@akinon/${p}`)],
   skipTrailingSlashRedirect: true,
   poweredByHeader: false,
   cacheMaxMemorySize: 0,
@@ -70,6 +70,13 @@ const defaultConfig = {
       }, {}),
       translations: false
     };
+    // Ensure webpack can resolve deps from the app's node_modules when
+    // compiling transpiled packages (e.g. @akinon/next) whose imports
+    // may not be hoisted to the monorepo root.
+    const appNodeModules = path.resolve(process.cwd(), 'node_modules');
+    if (!config.resolve.modules.includes(appNodeModules)) {
+      config.resolve.modules.push(appNodeModules);
+    }
     return config;
   }
 };