@alphasquad/saleor-template-advance 0.1.0

package/src/app/api/affirm/process-payment/route.ts

@@ -0,0 +1,244 @@
+import { NextRequest, NextResponse } from "next/server";
+
+const TRANSACTION_PROCESS = `
+  mutation TransactionProcess(
+    $id: ID!
+    $data: JSON
+  ) {
+    transactionProcess(
+      id: $id
+      data: $data
+    ) {
+      transaction {
+        id
+        actions
+        chargedAmount {
+          amount
+          currency
+        }
+        checkout {
+          id
+        }
+        order {
+          id
+          number
+          total {
+            gross {
+              amount
+              currency
+            }
+          }
+        }
+      }
+      transactionEvent {
+        pspReference
+        message
+        type
+      }
+      data
+      errors {
+        field
+        message
+        code
+      }
+    }
+  }
+`;
+
+const CHECKOUT_COMPLETE = `
+  mutation CheckoutComplete($checkoutId: ID!) {
+    checkoutComplete(checkoutId: $checkoutId) {
+      order {
+        id
+        number
+        total {
+          gross {
+            amount
+            currency
+          }
+        }
+      }
+      errors {
+        field
+        message
+        code
+      }
+    }
+  }
+`;
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json();
+    const { transactionId, affirmTransactionId, checkoutId } = body;
+
+    // Use transactionId if provided, otherwise fall back to checkoutId
+    const saleorTransactionId = transactionId || checkoutId;
+
+    if (!saleorTransactionId || !affirmTransactionId) {
+      return NextResponse.json(
+        { error: "Missing required fields: transactionId/checkoutId, affirmTransactionId" },
+        { status: 400 }
+      );
+    }
+
+    // Get Saleor API URL
+    const apiUrl = process.env.NEXT_PUBLIC_API_URL;
+    if (!apiUrl) {
+      throw new Error("NEXT_PUBLIC_API_URL is not configured");
+    }
+
+    // Get auth token from request cookies
+    const token = request.cookies.get("token")?.value;
+
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+
+    if (token) {
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+
+    // Call Saleor's transaction process mutation
+    const response = await fetch(apiUrl, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        query: TRANSACTION_PROCESS,
+        variables: {
+          id: saleorTransactionId, // Use the correct transaction ID
+          data: {
+            affirmTransactionId: affirmTransactionId, // Send as object like PayPal
+          },
+        },
+      }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      console.error("❌ Saleor request failed:", response.status, errorText);
+      throw new Error(`Saleor request failed: ${response.status} - ${errorText}`);
+    }
+
+    const result = await response.json();
+
+    const data = result.data;
+    const graphqlErrors = result.errors;
+
+    if (graphqlErrors || data?.transactionProcess?.errors?.length > 0) {
+      const errorMessage =
+        data?.transactionProcess?.errors?.[0]?.message ||
+        graphqlErrors?.[0]?.message ||
+        "Failed to process transaction";
+
+      console.error("❌ Transaction process error:", errorMessage);
+      return NextResponse.json({ error: errorMessage }, { status: 400 });
+    }
+
+    const transaction = data?.transactionProcess?.transaction;
+    const transactionEvent = data?.transactionProcess?.transactionEvent;
+    const order = transaction?.order;
+
+    // Avoid noisy logs (and accidental sensitive output) in templates/production.
+
+    // Check if payment was successful
+    if (transactionEvent?.type && !transactionEvent.type.includes("SUCCESS")) {
+      if (transactionEvent.type.includes("FAILURE")) {
+        return NextResponse.json(
+          { error: `Payment failed: ${transactionEvent?.message || "Unknown error"}` },
+          { status: 400 }
+        );
+      }
+    }
+
+    if (order) {
+      return NextResponse.json({
+        success: true,
+        order: {
+          id: order.id,
+          number: order.number,
+          total: order.total.gross.amount,
+          currency: order.total.gross.currency,
+        },
+        transactionId: transaction.id,
+      });
+    } else {
+      console.warn("⚠️ No order created by transactionProcess, attempting checkoutComplete...");
+
+      // Try to complete the checkout manually
+      const completeResponse = await fetch(apiUrl, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          query: CHECKOUT_COMPLETE,
+          variables: {
+            checkoutId: checkoutId || transaction.checkout?.id,
+          },
+        }),
+      });
+
+      if (!completeResponse.ok) {
+        console.error("❌ checkoutComplete request failed:", completeResponse.status);
+        return NextResponse.json(
+          {
+            success: false,
+            message: "Payment processed but order creation failed",
+            transactionId: transaction?.id,
+          },
+          { status: 202 }
+        );
+      }
+
+      const completeResult = await completeResponse.json();
+      const completeData = completeResult.data;
+      const completeErrors = completeResult.errors || completeData?.checkoutComplete?.errors;
+
+      if (completeErrors && completeErrors.length > 0) {
+        console.error("❌ checkoutComplete errors:", completeErrors);
+        return NextResponse.json(
+          {
+            success: false,
+            message: "Payment processed but order creation failed",
+            transactionId: transaction?.id,
+            details: completeErrors,
+          },
+          { status: 202 }
+        );
+      }
+
+      const completedOrder = completeData?.checkoutComplete?.order;
+
+      if (completedOrder) {
+        return NextResponse.json({
+          success: true,
+          order: {
+            id: completedOrder.id,
+            number: completedOrder.number,
+            total: completedOrder.total.gross.amount,
+            currency: completedOrder.total.gross.currency,
+          },
+          transactionId: transaction.id,
+        });
+      } else {
+        console.warn("⚠️ checkoutComplete did not create order");
+        return NextResponse.json(
+          {
+            success: false,
+            message: "Payment processed but order not created yet",
+            transactionId: transaction?.id,
+          },
+          { status: 202 }
+        );
+      }
+    }
+
+  } catch (error) {
+    console.error("❌ Error in process-payment API:", error);
+    return NextResponse.json(
+      {
+        error: error instanceof Error ? error.message : "Internal server error",
+      },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/affirm/test-connection/route.ts

@@ -0,0 +1,45 @@
+import { NextResponse } from "next/server";
+
+export async function GET() {
+  try {
+    const response = NextResponse.json({
+      status: "success",
+      message: "Storefront connection test successful",
+      timestamp: new Date().toISOString(),
+    });
+
+    // Add CORS headers
+    response.headers.set('Access-Control-Allow-Origin', '*');
+    response.headers.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
+    response.headers.set('Access-Control-Allow-Headers', 'Content-Type');
+
+    return response;
+  } catch (error) {
+    console.error("Test endpoint error:", error);
+    const errorResponse = NextResponse.json(
+      { 
+        status: "error", 
+        message: "Test endpoint failed" 
+      }, 
+      { status: 500 }
+    );
+
+    // Add CORS headers to error response too
+    errorResponse.headers.set('Access-Control-Allow-Origin', '*');
+    errorResponse.headers.set('Access-Control-Allow-Methods', 'GET, OPTIONS');
+    errorResponse.headers.set('Access-Control-Allow-Headers', 'Content-Type');
+
+    return errorResponse;
+  }
+}
+
+export async function OPTIONS() {
+  return new NextResponse(null, {
+    status: 200,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type',
+    },
+  });
+}

package/src/app/api/auth/clear/route.ts

@@ -0,0 +1,16 @@
+import { NextResponse } from 'next/server';
+
+export async function POST() {
+  const res = NextResponse.json({ success: true }, { headers: { 'Cache-Control': 'no-store' } });
+  const base = {
+    path: '/',
+    expires: new Date(0),
+    httpOnly: true,
+    sameSite: 'lax' as const,
+    secure: process.env.NODE_ENV === 'production',
+  };
+  res.cookies.set('token', '', base);
+  res.cookies.set('refreshToken', '', base);
+  res.cookies.set('isLoggedIn', '', { ...base, httpOnly: false });
+  return res;
+}

package/src/app/api/auth/clear-cookies/route.ts

@@ -0,0 +1,42 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url);
+  const redirectTo = searchParams.get('redirect') || '/';
+  const reason = searchParams.get('reason');
+
+  // Create a response that will clear the HTTP-only cookies
+  const response = NextResponse.redirect(new URL(redirectTo, request.url));
+
+  // Clear the auth cookies by setting them to expire in the past
+  response.cookies.set({
+    name: 'token',
+    value: '',
+    path: '/',
+    expires: new Date(0), // Expire immediately
+    httpOnly: true,
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV === 'production',
+  });
+
+  response.cookies.set({
+    name: 'refreshToken',
+    value: '',
+    path: '/',
+    expires: new Date(0), // Expire immediately
+    httpOnly: true,
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV === 'production',
+  });
+
+  // Add debug headers in non-production
+  if (process.env.NODE_ENV !== 'production') {
+    response.headers.set('x-clear-cookies', '1');
+    if (reason) {
+      response.headers.set('x-clear-reason', reason);
+    }
+  }
+
+  return response;
+}

package/src/app/api/auth/set/route.ts

@@ -0,0 +1,47 @@
+import { NextResponse } from 'next/server';
+
+export async function POST(request: Request) {
+  try {
+    const { token, refreshToken, maxAgeSeconds = 60 * 60 * 24 * 7 } = await request.json();
+
+    if (!token) {
+      return NextResponse.json({ error: 'Missing token' }, { status: 400 });
+    }
+
+    const res = NextResponse.json({ ok: true });
+    const isProd = process.env.NODE_ENV === 'production';
+
+    // HttpOnly cookie for middleware
+    res.cookies.set('token', token, {
+      httpOnly: true,   // 🔒 must be HttpOnly
+      secure: isProd,
+      sameSite: 'lax',
+      path: '/',
+      maxAge: maxAgeSeconds,
+    });
+
+    // Optional: refresh token
+    if (refreshToken) {
+      res.cookies.set('refreshToken', refreshToken, {
+        httpOnly: true,  // 🔒 secure storage
+        secure: isProd,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: maxAgeSeconds,
+      });
+    }
+
+    // Optional: frontend-friendly flag
+    res.cookies.set('isLoggedIn', '1', {
+      httpOnly: false,
+      secure: isProd,
+      sameSite: 'lax',
+      path: '/',
+      maxAge: maxAgeSeconds,
+    });
+
+    return res;
+  } catch {
+    return NextResponse.json({ error: 'Invalid request' }, { status: 400 });
+  }
+}

package/src/app/api/configuration/route.ts

@@ -0,0 +1,18 @@
+import { NextResponse } from 'next/server';
+
+/**
+ * DEPRECATED: This API route is no longer used.
+ * Configuration is now handled server-side in the layout.tsx to prevent
+ * exposing configuration data to the client side.
+ * 
+ * This endpoint is kept for backward compatibility but will return an error.
+ */
+export async function GET() {
+  return NextResponse.json(
+    { 
+      error: 'This endpoint is deprecated. Configuration is now handled server-side.',
+      message: 'Configuration data is no longer exposed to the client side for security reasons.'
+    },
+    { status: 410 } // 410 Gone - resource is no longer available
+  );
+}

package/src/app/api/dynamic-page/[slug]/route.ts

@@ -0,0 +1,24 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { fetchDynamicPageBySlug } from '@/graphql/queries/getDynamicPageBySlug';
+
+export const dynamic = 'force-dynamic';
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ slug: string }> }
+  ) {
+  try {
+    const { slug } = await params;
+
+    const pageData = await fetchDynamicPageBySlug(slug);
+    
+    if (!pageData) {
+      return NextResponse.json({ error: 'Page not found' }, { status: 404 });
+    }
+    
+    return NextResponse.json(pageData);
+  } catch (error) {
+    console.error('[API] Error fetching dynamic page:', error);
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+  }
+}

package/src/app/api/form-submission/route.ts

@@ -0,0 +1,237 @@
+import { NextRequest, NextResponse } from "next/server";
+import nodemailer from "nodemailer";
+
+export const runtime = "nodejs";
+
+// Allowlist of permitted webhook domains for SSRF protection
+// Add trusted webhook domains in env (e.g., Zapier, your CRM, etc.)
+const ALLOWED_WEBHOOK_DOMAINS =
+  process.env.ALLOWED_WEBHOOK_DOMAINS?.split(",").map((d) => d.trim()) || [];
+
+/**
+ * Validates a webhook URL against the allowlist to prevent SSRF attacks.
+ */
+function isValidWebhookUrl(webhookUrl: string): boolean {
+  if (!webhookUrl || typeof webhookUrl !== "string") return false;
+
+  try {
+    const url = new URL(webhookUrl);
+
+    // Only allow HTTPS for security
+    if (url.protocol !== "https:") return false;
+
+    // Block private/internal hostnames
+    const hostname = url.hostname.toLowerCase();
+    const blockedPatterns = [
+      /^localhost$/i,
+      /^127\./,
+      /^10\./,
+      /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
+      /^192\.168\./,
+      /^0\./,
+      /^169\.254\./,
+      /^\[::1\]$/,
+      /^\[fc/i,
+      /^\[fd/i,
+      /^\[fe80:/i,
+    ];
+    if (blockedPatterns.some((pattern) => pattern.test(hostname))) return false;
+
+    // Check against allowlist (if configured)
+    if (ALLOWED_WEBHOOK_DOMAINS.length > 0) {
+      const isAllowed = ALLOWED_WEBHOOK_DOMAINS.some(
+        (allowedDomain) =>
+          hostname === allowedDomain || hostname.endsWith(`.${allowedDomain}`)
+      );
+      if (!isAllowed) return false;
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+type SmtpConfig = {
+  host: string;
+  port: number;
+  secure: boolean;
+  user?: string;
+  pass?: string;
+  from: string;
+  to: string[];
+  replyTo?: string;
+};
+
+function getSmtpConfig(): SmtpConfig | null {
+  const host = process.env.SMTP_HOST?.trim();
+  const portRaw = process.env.SMTP_PORT?.trim();
+  const from = process.env.SMTP_FROM?.trim();
+  const toRaw = process.env.SMTP_TO?.trim();
+
+  if (!host || !portRaw || !from || !toRaw) return null;
+
+  const port = Number(portRaw);
+  if (!Number.isFinite(port) || port <= 0) return null;
+
+  const secure =
+    (process.env.SMTP_SECURE || "").trim().toLowerCase() === "true" || port === 465;
+
+  const user = process.env.SMTP_USER?.trim() || undefined;
+  const pass = process.env.SMTP_PASS?.trim() || undefined;
+  const replyTo = process.env.SMTP_REPLY_TO?.trim() || undefined;
+
+  const to = toRaw
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+  if (!to.length) return null;
+
+  return { host, port, secure, user, pass, from, to, replyTo };
+}
+
+function subjectFor(formType: string, pageSlug?: string) {
+  const base = process.env.EMAIL_SUBJECT_PREFIX?.trim() || "";
+  const prefix = base ? `${base} ` : "";
+  const suffix = pageSlug ? ` (${pageSlug})` : "";
+  return `${prefix}New ${formType} submission${suffix}`;
+}
+
+function renderEmailText(params: {
+  formType: string;
+  pageSlug?: string;
+  data: unknown;
+  timestamp?: string;
+  ip?: string | null;
+  ua?: string | null;
+}) {
+  const safeJson = JSON.stringify(params.data ?? {}, null, 2);
+  return [
+    `Form type: ${params.formType}`,
+    params.pageSlug ? `Page slug: ${params.pageSlug}` : null,
+    params.timestamp ? `Timestamp: ${params.timestamp}` : null,
+    params.ip ? `IP: ${params.ip}` : null,
+    params.ua ? `User-Agent: ${params.ua}` : null,
+    "",
+    "Data:",
+    safeJson,
+    "",
+  ]
+    .filter(Boolean)
+    .join("\n");
+}
+
+function escapeHtml(s: string) {
+  return s
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#39;");
+}
+
+function renderEmailHtml(text: string) {
+  return `<pre style="white-space:pre-wrap;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,'Liberation Mono','Courier New',monospace;">${escapeHtml(
+    text
+  )}</pre>`;
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json();
+    const { formType, pageSlug, data, metadata, timestamp } = body;
+
+    const results: {
+      smtp?: "sent" | "skipped" | "failed";
+      webhook?: "sent" | "skipped" | "failed";
+    } = {};
+
+    // Optional: Send email via SMTP (template-friendly; disabled unless SMTP_* vars provided)
+    const smtp = getSmtpConfig();
+    if (smtp) {
+      try {
+        const transporter = nodemailer.createTransport({
+          host: smtp.host,
+          port: smtp.port,
+          secure: smtp.secure,
+          auth: smtp.user && smtp.pass ? { user: smtp.user, pass: smtp.pass } : undefined,
+        });
+
+        const ip =
+          request.headers.get("x-forwarded-for") ||
+          request.headers.get("x-real-ip");
+        const ua = request.headers.get("user-agent");
+
+        const text = renderEmailText({
+          formType: String(formType || "form"),
+          pageSlug: typeof pageSlug === "string" ? pageSlug : undefined,
+          data,
+          timestamp: typeof timestamp === "string" ? timestamp : undefined,
+          ip,
+          ua,
+        });
+
+        await transporter.sendMail({
+          from: smtp.from,
+          to: smtp.to,
+          replyTo: smtp.replyTo,
+          subject: subjectFor(String(formType || "form"), typeof pageSlug === "string" ? pageSlug : undefined),
+          text,
+          html: renderEmailHtml(text),
+        });
+
+        results.smtp = "sent";
+      } catch (e) {
+        console.error("SMTP send failed:", e);
+        results.smtp = "failed";
+      }
+    } else {
+      results.smtp = "skipped";
+    }
+
+    // Optional: Send to webhook (with SSRF protection)
+    const webhookUrl = metadata?.webhookUrl;
+    if (typeof webhookUrl === "string" && webhookUrl.trim()) {
+      if (isValidWebhookUrl(webhookUrl)) {
+        try {
+          await fetch(webhookUrl, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+              formType,
+              pageSlug,
+              data,
+              timestamp,
+            }),
+          });
+          results.webhook = "sent";
+        } catch (error) {
+          console.error("Webhook error:", error);
+          results.webhook = "failed";
+        }
+      } else {
+        results.webhook = "skipped";
+      }
+    }
+
+    return NextResponse.json({
+      success: true,
+      message: "Form submitted successfully",
+      results,
+    });
+
+  } catch (error) {
+    console.error("Form submission error:", error);
+    
+    return NextResponse.json(
+      {
+        success: false,
+        message: "Failed to submit form",
+      },
+      { status: 500 }
+    );
+  }
+}