@akinon/projectzero 2.0.20-rc.0 → 2.0.21-beta.0

package/codemods/fix-login-form-action/index.js

@@ -0,0 +1,77 @@
+/**
+ * fix-login-form-action
+ *
+ * Rewrites the login form's `action="/api/auth/signin/credentials"` attribute
+ * in src/views/login/index.tsx to `action={() => {}}`.
+ *
+ * Why: under React 19 the form `action` prop is a function-action signal —
+ * passing one tells React itself to call event.preventDefault() before any
+ * listener runs. With the string URL it used to have, a hydration race
+ * (e.g. searchParams CSR bailout) would let the browser perform a native
+ * submit to the auth endpoint before the JS onSubmit listener attached.
+ * On the credentials login form that meant POSTing email and password as
+ * form-encoded body. The no-op function neutralizes that fallback while
+ * keeping the existing JS onSubmit as the real submit path.
+ *
+ * Brands without the attribute (or without src/views/login/index.tsx) are
+ * clean no-ops.
+ *
+ * Usage:
+ *   node codemods/fix-login-form-action/index.js [--dry-run]
+ *   npx @akinon/projectzero codemod --codemod=fix-login-form-action [--dry-run]
+ */
+
+const path = require('path');
+const fs = require('fs');
+const jscodeshift = require('jscodeshift/src/Runner');
+
+function log(msg) {
+  const ts = new Date().toISOString().replace('T', ' ').slice(0, 19);
+  console.log(`[${ts}] ${msg}`);
+}
+
+const transform = () => {
+  const cwd = path.resolve(process.cwd());
+  const dryRun = process.argv.includes('--dry-run');
+  const transformPath = path.join(__dirname, 'transform.js');
+  const target = path.join(cwd, 'src', 'views', 'login', 'index.tsx');
+
+  if (!fs.existsSync(target)) {
+    log(
+      `fix-login-form-action: no src/views/login/index.tsx at ${cwd}, skipping`
+    );
+    return Promise.resolve();
+  }
+
+  log(
+    `fix-login-form-action: scanning ${target}${dryRun ? ' (dry-run)' : ''}`
+  );
+
+  return jscodeshift
+    .run(transformPath, [target], {
+      verbose: 0,
+      dry: dryRun,
+      print: dryRun,
+      extensions: 'tsx',
+      parser: 'tsx',
+      ignorePattern: '**/node_modules/**',
+      silent: true
+    })
+    .then((res) => {
+      log(
+        `fix-login-form-action: ${res.ok} ok, ${res.nochange} unchanged, ${res.skip} skipped, ${res.error} errors`
+      );
+    });
+};
+
+module.exports = { transform };
+
+if (require.main === module) {
+  const result = transform();
+  if (result && typeof result.then === 'function') {
+    result.catch((err) => {
+      console.error(err);
+      process.exit(1);
+    });
+  }
+}

package/codemods/fix-login-form-action/transform.js

@@ -0,0 +1,43 @@
+/**
+ * jscodeshift transform for fix-login-form-action.
+ *
+ * Replaces every JSXAttribute named `action` whose value is the string
+ * "/api/auth/signin/credentials" with a no-op arrow function expression
+ * (`action={() => {}}`), and attaches an explanatory leading comment block.
+ *
+ * Returns null (no source change) when no matching attribute is found.
+ */
+module.exports = function transform(fileInfo, api) {
+  const j = api.jscodeshift;
+  const root = j(fileInfo.source);
+  let changed = false;
+
+  root.find(j.JSXAttribute, { name: { name: 'action' } }).forEach((p) => {
+    const v = p.node.value;
+    if (!v) return;
+
+    // String values can show up as either Literal or StringLiteral depending
+    // on the parser version. Match both.
+    const isString = v.type === 'Literal' || v.type === 'StringLiteral';
+    if (!isString || v.value !== '/api/auth/signin/credentials') return;
+
+    const arrow = j.arrowFunctionExpression([], j.blockStatement([]));
+    p.node.value = j.jsxExpressionContainer(arrow);
+
+    // Leading block comment explains why the action is a no-op. Attaching
+    // to the attribute keeps the comment adjacent in the printed output.
+    const comment = j.commentBlock(
+      ' React 19 belt-and-suspenders: passing a function to `action` makes\n' +
+        '         React itself call preventDefault on the native submit before any\n' +
+        '         listener runs, so a hydration race cannot leak credentials into\n' +
+        '         the URL bar. onSubmit still drives the actual signIn flow. ',
+      true,
+      false
+    );
+    p.node.comments = [comment];
+
+    changed = true;
+  });
+
+  return changed ? root.toSource({ quote: 'single' }) : null;
+};

package/codemods/fix-template-currenturl/index.js

@@ -0,0 +1,85 @@
+/**
+ * fix-template-currenturl
+ *
+ * Rewrites the JSON-LD canonical url construction in
+ * src/app/** /template.tsx from
+ *
+ *   const currentUrl = URL + pathname + searchParams;
+ *
+ * to
+ *
+ *   const currentUrl = `${URL}${pathname}`;
+ *
+ * Why: in the Next 16 / React 19 model `searchParams` is a
+ * ReadonlyURLSearchParams that string-coerces differently on the server
+ * and the client. The mismatched output lands inside a JSON-LD
+ * <script dangerouslySetInnerHTML> tag, breaks hydration of the entire
+ * route subtree, and races sibling client component hydration — auth
+ * forms in particular have shipped credentials into the URL as native
+ * GETs because their onSubmit listener was not yet attached when the
+ * user clicked submit.
+ *
+ * Handles both base forms observed across brands:
+ *   const currentUrl = URL + pathname + searchParams;
+ *   const currentUrl = process.env.NEXT_PUBLIC_URL + pathname + searchParams;
+ *
+ * Files outside src/app/** /template.tsx are skipped. Files that already
+ * use the template-literal form are no-ops.
+ *
+ * Usage:
+ *   node codemods/fix-template-currenturl/index.js [--dry-run]
+ *   npx @akinon/projectzero codemod --codemod=fix-template-currenturl [--dry-run]
+ */
+
+const path = require('path');
+const fs = require('fs');
+const jscodeshift = require('jscodeshift/src/Runner');
+
+function log(msg) {
+  const ts = new Date().toISOString().replace('T', ' ').slice(0, 19);
+  console.log(`[${ts}] ${msg}`);
+}
+
+const transform = () => {
+  const cwd = path.resolve(process.cwd());
+  const dryRun = process.argv.includes('--dry-run');
+  const transformPath = path.join(__dirname, 'transform.js');
+  const srcPath = path.join(cwd, 'src', 'app');
+
+  if (!fs.existsSync(srcPath)) {
+    log(`fix-template-currenturl: no src/app at ${cwd}, skipping`);
+    return Promise.resolve();
+  }
+
+  log(
+    `fix-template-currenturl: scanning ${srcPath}${dryRun ? ' (dry-run)' : ''}`
+  );
+
+  return jscodeshift
+    .run(transformPath, [srcPath], {
+      verbose: 0,
+      dry: dryRun,
+      print: dryRun,
+      extensions: 'tsx',
+      parser: 'tsx',
+      ignorePattern: '**/node_modules/**',
+      silent: true
+    })
+    .then((res) => {
+      log(
+        `fix-template-currenturl: ${res.ok} ok, ${res.nochange} unchanged, ${res.skip} skipped, ${res.error} errors`
+      );
+    });
+};
+
+module.exports = { transform };
+
+if (require.main === module) {
+  const result = transform();
+  if (result && typeof result.then === 'function') {
+    result.catch((err) => {
+      console.error(err);
+      process.exit(1);
+    });
+  }
+}

package/codemods/fix-template-currenturl/transform.js

@@ -0,0 +1,91 @@
+/**
+ * jscodeshift transform for fix-template-currenturl.
+ *
+ * Matches:
+ *   const currentUrl = (URL | process.env.NEXT_PUBLIC_URL) + pathname + searchParams;
+ *
+ * Replaces the right-hand side with the template literal
+ *   `${X}${pathname}`
+ *
+ * Only runs against files whose path ends in `/app/**\/template.tsx`. Returns
+ * null (no source change) when no match is found in the file or the
+ * declarator already has a non-binary initializer.
+ */
+
+function isUrlBase(node) {
+  if (!node) return false;
+  if (node.type === 'Identifier' && node.name === 'URL') return true;
+  if (
+    node.type === 'MemberExpression' &&
+    node.object &&
+    node.object.type === 'MemberExpression' &&
+    node.object.object &&
+    node.object.object.type === 'Identifier' &&
+    node.object.object.name === 'process' &&
+    node.object.property &&
+    node.object.property.type === 'Identifier' &&
+    node.object.property.name === 'env' &&
+    node.property &&
+    node.property.type === 'Identifier' &&
+    node.property.name === 'NEXT_PUBLIC_URL'
+  ) {
+    return true;
+  }
+  return false;
+}
+
+function flattenAdd(node, out) {
+  if (
+    node &&
+    node.type === 'BinaryExpression' &&
+    node.operator === '+'
+  ) {
+    flattenAdd(node.left, out);
+    flattenAdd(node.right, out);
+  } else {
+    out.push(node);
+  }
+}
+
+module.exports = function transform(fileInfo, api) {
+  // Restrict to template.tsx under any nested app/ segment. Brand routing
+  // depth varies (e.g. [commerce]/[locale]/[currency] vs deeper member-type
+  // splits) but the file name is constant.
+  if (!/[\\/]app[\\/].*template\.tsx$/.test(fileInfo.path)) {
+    return null;
+  }
+
+  const j = api.jscodeshift;
+  const root = j(fileInfo.source);
+  let changed = false;
+
+  root
+    .find(j.VariableDeclarator, { id: { name: 'currentUrl' } })
+    .forEach((p) => {
+      const init = p.node.init;
+      if (
+        !init ||
+        init.type !== 'BinaryExpression' ||
+        init.operator !== '+'
+      ) {
+        return;
+      }
+
+      const parts = [];
+      flattenAdd(init, parts);
+      if (parts.length !== 3) return;
+
+      const [base, mid, tail] = parts;
+      if (mid.type !== 'Identifier' || mid.name !== 'pathname') return;
+      if (tail.type !== 'Identifier' || tail.name !== 'searchParams') return;
+      if (!isUrlBase(base)) return;
+
+      // Build: `${base}${pathname}`
+      const empty = () => j.templateElement({ raw: '', cooked: '' }, false);
+      const tail2 = j.templateElement({ raw: '', cooked: '' }, true);
+      p.node.init = j.templateLiteral([empty(), empty(), tail2], [base, mid]);
+      changed = true;
+    });
+
+  return changed ? root.toSource({ quote: 'single' }) : null;
+};