@cmssy/next 0.1.8 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.cjs +873 -8
  2. package/dist/index.d.cts +62 -1
  3. package/dist/index.d.ts +62 -1
  4. package/dist/index.js +859 -7
  5. package/package.json +6 -3
package/dist/index.js CHANGED
@@ -1,8 +1,10 @@
1
- import { draftMode, headers } from 'next/headers';
1
+ import { draftMode, headers, cookies } from 'next/headers';
2
2
  import { notFound, redirect } from 'next/navigation';
3
- import { resolveSiteLocales, splitLocaleFromPath, fetchPage, resolveForms, CmssyServerPage } from '@cmssy/react';
3
+ import { resolveSiteLocales, splitLocaleFromPath, fetchPage, resolveForms, CmssyServerPage, resolveWorkspaceId, graphqlRequest } from '@cmssy/react';
4
4
  import { jsx } from 'react/jsx-runtime';
5
5
  import { createHash, timingSafeEqual } from 'crypto';
6
+ import { EncryptJWT, jwtDecrypt } from 'jose';
7
+ import { NextResponse } from 'next/server';
6
8
 
7
9
  // src/create-cmssy-page.tsx
8
10
 
@@ -177,14 +179,14 @@ function createDraftRoute(config) {
177
179
  "cmssy: defaultRedirect must be a same-origin path starting with '/'"
178
180
  );
179
181
  }
180
- return async function GET(request) {
182
+ return async function GET(request2) {
181
183
  if (config.draftSecret.length < MIN_SECRET_LENGTH) {
182
184
  return new Response(
183
185
  `cmssy: draftSecret must be at least ${MIN_SECRET_LENGTH} characters`,
184
186
  { status: 500 }
185
187
  );
186
188
  }
187
- const url = new URL(request.url);
189
+ const url = new URL(request2.url);
188
190
  const secret = url.searchParams.get("secret");
189
191
  if (!secret || !secretsMatch(secret, config.draftSecret)) {
190
192
  return new Response("Invalid draft secret", { status: 401 });
@@ -199,8 +201,8 @@ function createDraftRoute(config) {
199
201
  };
200
202
  }
201
203
  var CMSSY_EDIT_HEADER = "x-cmssy-edit";
202
- function isCmssyEditRequest(request) {
203
- return request.cookies.has("__prerender_bypass") || request.nextUrl.searchParams.getAll("cmssyEdit").includes("1");
204
+ function isCmssyEditRequest(request2) {
205
+ return request2.cookies.has("__prerender_bypass") || request2.nextUrl.searchParams.getAll("cmssyEdit").includes("1");
204
206
  }
205
207
  async function isCmssyEditMode() {
206
208
  const h = await headers();
@@ -224,5 +226,855 @@ async function getCmssyLocale(config) {
224
226
  const { defaultLocale } = await resolveSiteLocales(config);
225
227
  return defaultLocale;
226
228
  }
229
+ var CMSSY_SESSION_COOKIE = "cmssy_session";
230
+ var SESSION_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
231
+ var MIN_SESSION_SECRET_LENGTH = 32;
232
+ var ACCESS_EXPIRY_SKEW_MS = 3e4;
233
+ async function deriveSessionKey(secret) {
234
+ if (typeof secret !== "string" || secret.length < MIN_SESSION_SECRET_LENGTH) {
235
+ throw new Error(
236
+ `cmssy auth sessionSecret must be at least ${MIN_SESSION_SECRET_LENGTH} characters`
237
+ );
238
+ }
239
+ const digest = await crypto.subtle.digest(
240
+ "SHA-256",
241
+ new TextEncoder().encode(secret)
242
+ );
243
+ return new Uint8Array(digest);
244
+ }
245
+ async function sealSession(payload, secret, audience) {
246
+ const key = await deriveSessionKey(secret);
247
+ const jwt = new EncryptJWT({ ...payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${SESSION_MAX_AGE_SECONDS}s`);
248
+ if (audience) jwt.setAudience(audience);
249
+ return jwt.encrypt(key);
250
+ }
251
+ async function openSession(token, secret, audience) {
252
+ const key = await deriveSessionKey(secret);
253
+ try {
254
+ const { payload } = await jwtDecrypt(token, key, {
255
+ keyManagementAlgorithms: ["dir"],
256
+ contentEncryptionAlgorithms: ["A256GCM"],
257
+ ...audience ? { audience } : {}
258
+ });
259
+ const { accessToken, refreshToken, accessExpiresAt, user } = payload;
260
+ if (typeof accessToken !== "string" || typeof refreshToken !== "string" || !Number.isFinite(accessExpiresAt) || !user || typeof user !== "object" || typeof user.recordId !== "string" || typeof user.email !== "string") {
261
+ return null;
262
+ }
263
+ return {
264
+ accessToken,
265
+ refreshToken,
266
+ accessExpiresAt,
267
+ user: {
268
+ recordId: user.recordId,
269
+ email: user.email
270
+ }
271
+ };
272
+ } catch {
273
+ return null;
274
+ }
275
+ }
276
+ function isAccessExpired(payload, now = Date.now()) {
277
+ return payload.accessExpiresAt <= now + ACCESS_EXPIRY_SKEW_MS;
278
+ }
279
+ function sessionCookieOptions() {
280
+ return {
281
+ httpOnly: true,
282
+ secure: process.env.NODE_ENV !== "development",
283
+ sameSite: "lax",
284
+ path: "/",
285
+ maxAge: SESSION_MAX_AGE_SECONDS
286
+ };
287
+ }
288
+
289
+ // src/config.ts
290
+ function assertAuthConfig(config) {
291
+ const auth = config.auth;
292
+ if (!auth || typeof auth.modelSlug !== "string" || !auth.modelSlug) {
293
+ throw new Error("cmssy: config.auth.modelSlug is required for auth routes");
294
+ }
295
+ if (typeof auth.sessionSecret !== "string" || auth.sessionSecret.length < MIN_SESSION_SECRET_LENGTH) {
296
+ throw new Error(
297
+ `cmssy: config.auth.sessionSecret must be at least ${MIN_SESSION_SECRET_LENGTH} characters`
298
+ );
299
+ }
300
+ return auth;
301
+ }
302
+ var LOGIN_MUTATION = `mutation SiteMemberLogin($input: SiteMemberLoginInput!) {
303
+ siteMemberLogin(input: $input) {
304
+ success message accessToken refreshToken accessTokenExpiresIn
305
+ }
306
+ }`;
307
+ var REGISTER_MUTATION = `mutation SiteMemberRegister($input: SiteMemberRegisterInput!) {
308
+ siteMemberRegister(input: $input) { success message }
309
+ }`;
310
+ var REFRESH_MUTATION = `mutation SiteMemberRefresh($refreshToken: String!) {
311
+ siteMemberRefresh(refreshToken: $refreshToken) {
312
+ success message accessToken refreshToken accessTokenExpiresIn
313
+ }
314
+ }`;
315
+ var LOGOUT_MUTATION = `mutation SiteMemberLogout($refreshToken: String!) {
316
+ siteMemberLogout(refreshToken: $refreshToken) { success message }
317
+ }`;
318
+ var LOGOUT_EVERYWHERE_MUTATION = `mutation SiteMemberLogoutEverywhere {
319
+ siteMemberLogoutEverywhere { success message }
320
+ }`;
321
+ var FORGOT_MUTATION = `mutation SiteMemberForgotPassword($modelSlug: String!, $identity: String!) {
322
+ siteMemberForgotPassword(modelSlug: $modelSlug, identity: $identity) { success message }
323
+ }`;
324
+ var RESET_MUTATION = `mutation SiteMemberResetPassword($token: String!, $newPassword: String!) {
325
+ siteMemberResetPassword(token: $token, newPassword: $newPassword) { success message }
326
+ }`;
327
+ var VERIFY_MUTATION = `mutation SiteMemberVerifyEmail($token: String!) {
328
+ siteMemberVerifyEmail(token: $token) { success message }
329
+ }`;
330
+ var workspaceIdCache = /* @__PURE__ */ new Map();
331
+ function workspaceIdFor(config) {
332
+ const key = `${config.apiUrl}::${config.workspaceSlug}`;
333
+ const existing = workspaceIdCache.get(key);
334
+ if (existing) return existing;
335
+ const fresh = resolveWorkspaceId(config).catch((err) => {
336
+ workspaceIdCache.delete(key);
337
+ throw err;
338
+ });
339
+ workspaceIdCache.set(key, fresh);
340
+ return fresh;
341
+ }
342
+ async function authRequest(config, query, variables, label, accessToken) {
343
+ const workspaceId = await workspaceIdFor(config);
344
+ return graphqlRequest(
345
+ config,
346
+ query,
347
+ variables,
348
+ {
349
+ headers: {
350
+ "x-workspace-id": workspaceId,
351
+ ...accessToken ? { authorization: `Bearer ${accessToken}` } : {}
352
+ }
353
+ },
354
+ label
355
+ );
356
+ }
357
+ function decodeAccessClaims(accessToken) {
358
+ const parts = accessToken.split(".");
359
+ if (parts.length !== 3) return null;
360
+ try {
361
+ const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
362
+ const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
363
+ const json3 = JSON.parse(new TextDecoder().decode(bytes));
364
+ if (typeof json3.recordId !== "string" || typeof json3.email !== "string" || json3.type !== "site_member") {
365
+ return null;
366
+ }
367
+ return { recordId: json3.recordId, email: json3.email };
368
+ } catch {
369
+ return null;
370
+ }
371
+ }
372
+ function toSessionPayload(result) {
373
+ if (!result.success || !result.accessToken || !result.refreshToken || !result.accessTokenExpiresIn) {
374
+ return null;
375
+ }
376
+ const user = decodeAccessClaims(result.accessToken);
377
+ if (!user) return null;
378
+ return {
379
+ accessToken: result.accessToken,
380
+ refreshToken: result.refreshToken,
381
+ accessExpiresAt: Date.now() + result.accessTokenExpiresIn * 1e3,
382
+ user
383
+ };
384
+ }
385
+ async function backendSignIn(config, modelSlug, identity, password) {
386
+ const data = await authRequest(
387
+ config,
388
+ LOGIN_MUTATION,
389
+ {
390
+ input: { modelSlug, identity, password }
391
+ },
392
+ "site member login"
393
+ );
394
+ return data.siteMemberLogin;
395
+ }
396
+ async function backendRegister(config, modelSlug, identity, password, fields) {
397
+ const data = await authRequest(
398
+ config,
399
+ REGISTER_MUTATION,
400
+ {
401
+ input: { modelSlug, identity, password, fields }
402
+ },
403
+ "site member register"
404
+ );
405
+ return data.siteMemberRegister;
406
+ }
407
+ async function backendRefresh(config, refreshToken) {
408
+ const data = await authRequest(
409
+ config,
410
+ REFRESH_MUTATION,
411
+ { refreshToken },
412
+ "site member refresh"
413
+ );
414
+ return data.siteMemberRefresh;
415
+ }
416
+ async function backendSignOut(config, refreshToken) {
417
+ try {
418
+ await authRequest(
419
+ config,
420
+ LOGOUT_MUTATION,
421
+ { refreshToken },
422
+ "site member logout"
423
+ );
424
+ } catch {
425
+ return;
426
+ }
427
+ }
428
+ async function backendSignOutEverywhere(config, accessToken) {
429
+ try {
430
+ await authRequest(
431
+ config,
432
+ LOGOUT_EVERYWHERE_MUTATION,
433
+ {},
434
+ "site member logout everywhere",
435
+ accessToken
436
+ );
437
+ } catch {
438
+ return;
439
+ }
440
+ }
441
+ async function backendForgotPassword(config, modelSlug, identity) {
442
+ const data = await authRequest(
443
+ config,
444
+ FORGOT_MUTATION,
445
+ { modelSlug, identity },
446
+ "site member forgot password"
447
+ );
448
+ return data.siteMemberForgotPassword;
449
+ }
450
+ async function backendResetPassword(config, token, newPassword) {
451
+ const data = await authRequest(
452
+ config,
453
+ RESET_MUTATION,
454
+ { token, newPassword },
455
+ "site member reset password"
456
+ );
457
+ return data.siteMemberResetPassword;
458
+ }
459
+ async function backendVerifyEmail(config, token) {
460
+ const data = await authRequest(
461
+ config,
462
+ VERIFY_MUTATION,
463
+ { token },
464
+ "site member verify email"
465
+ );
466
+ return data.siteMemberVerifyEmail;
467
+ }
468
+
469
+ // src/create-auth-route.ts
470
+ var MAX_BODY_CHARS = 16 * 1024;
471
+ function json(body, status = 200) {
472
+ return new Response(JSON.stringify(body), {
473
+ status,
474
+ headers: {
475
+ "content-type": "application/json",
476
+ "cache-control": "no-store"
477
+ }
478
+ });
479
+ }
480
+ async function readBody(request2) {
481
+ const contentType = request2.headers.get("content-type") ?? "";
482
+ if (!contentType.toLowerCase().includes("application/json")) {
483
+ throw new Error("content-type must be application/json");
484
+ }
485
+ const text = await request2.text();
486
+ if (text.length > MAX_BODY_CHARS) {
487
+ throw new Error("body too large");
488
+ }
489
+ if (!text) return {};
490
+ const parsed = JSON.parse(text);
491
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
492
+ throw new Error("body must be a JSON object");
493
+ }
494
+ return parsed;
495
+ }
496
+ function str(value) {
497
+ return typeof value === "string" ? value : "";
498
+ }
499
+ function plainObject(value) {
500
+ if (!value || typeof value !== "object" || Array.isArray(value)) return {};
501
+ return value;
502
+ }
503
+ async function readSession(config, auth) {
504
+ const jar = await cookies();
505
+ const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
506
+ if (!raw) return null;
507
+ return openSession(raw, auth.sessionSecret, config.workspaceSlug);
508
+ }
509
+ async function writeSession(config, auth, payload) {
510
+ const sealed = await sealSession(
511
+ payload,
512
+ auth.sessionSecret,
513
+ config.workspaceSlug
514
+ );
515
+ const jar = await cookies();
516
+ jar.set(CMSSY_SESSION_COOKIE, sealed, sessionCookieOptions());
517
+ }
518
+ async function clearSession() {
519
+ const jar = await cookies();
520
+ jar.set(CMSSY_SESSION_COOKIE, "", {
521
+ ...sessionCookieOptions(),
522
+ maxAge: 0
523
+ });
524
+ }
525
+ async function refreshSession(config, auth, session) {
526
+ const result = await backendRefresh(config, session.refreshToken);
527
+ const payload = toSessionPayload(result);
528
+ if (!payload) {
529
+ await clearSession();
530
+ return null;
531
+ }
532
+ await writeSession(config, auth, payload);
533
+ return payload;
534
+ }
535
+ function createCmssyAuthRoute(config) {
536
+ const auth = assertAuthConfig(config);
537
+ async function handleSignIn(body) {
538
+ const identity = str(body.identity);
539
+ const password = str(body.password);
540
+ if (!identity || !password) {
541
+ return json({ ok: false, message: "Invalid credentials." }, 400);
542
+ }
543
+ const result = await backendSignIn(
544
+ config,
545
+ auth.modelSlug,
546
+ identity,
547
+ password
548
+ );
549
+ const payload = toSessionPayload(result);
550
+ if (!payload) {
551
+ return json({ ok: false, message: result.message }, 401);
552
+ }
553
+ await writeSession(config, auth, payload);
554
+ return json({ ok: true, user: payload.user });
555
+ }
556
+ async function handleRegister(body) {
557
+ const identity = str(body.identity);
558
+ const password = str(body.password);
559
+ if (!identity || !password) {
560
+ return json({ ok: false, message: "Invalid input." }, 400);
561
+ }
562
+ const result = await backendRegister(
563
+ config,
564
+ auth.modelSlug,
565
+ identity,
566
+ password,
567
+ plainObject(body.fields)
568
+ );
569
+ return json({ ok: result.success, message: result.message });
570
+ }
571
+ async function handleSignOut() {
572
+ const session = await readSession(config, auth);
573
+ if (session) {
574
+ await backendSignOut(config, session.refreshToken);
575
+ }
576
+ await clearSession();
577
+ return json({ ok: true });
578
+ }
579
+ async function handleSignOutEverywhere() {
580
+ let session = await readSession(config, auth);
581
+ if (session && isAccessExpired(session)) {
582
+ session = await refreshSession(config, auth, session);
583
+ }
584
+ if (session) {
585
+ await backendSignOutEverywhere(config, session.accessToken);
586
+ }
587
+ await clearSession();
588
+ return json({ ok: true });
589
+ }
590
+ async function handleRefresh() {
591
+ const session = await readSession(config, auth);
592
+ if (!session) {
593
+ return json({ ok: false, user: null }, 401);
594
+ }
595
+ const refreshed = await refreshSession(config, auth, session);
596
+ if (!refreshed) {
597
+ return json({ ok: false, user: null }, 401);
598
+ }
599
+ return json({ ok: true, user: refreshed.user });
600
+ }
601
+ async function handleMe() {
602
+ let session = await readSession(config, auth);
603
+ if (session && isAccessExpired(session)) {
604
+ session = await refreshSession(config, auth, session);
605
+ }
606
+ return json({ user: session?.user ?? null });
607
+ }
608
+ async function handleForgotPassword(body) {
609
+ const identity = str(body.identity);
610
+ if (!identity) {
611
+ return json({ ok: false, message: "Invalid input." }, 400);
612
+ }
613
+ const result = await backendForgotPassword(
614
+ config,
615
+ auth.modelSlug,
616
+ identity
617
+ );
618
+ return json({ ok: result.success, message: result.message });
619
+ }
620
+ async function handleResetPassword(body) {
621
+ const token = str(body.token);
622
+ const newPassword = str(body.newPassword);
623
+ if (!token || !newPassword) {
624
+ return json({ ok: false, message: "Invalid input." }, 400);
625
+ }
626
+ const result = await backendResetPassword(config, token, newPassword);
627
+ return json({ ok: result.success, message: result.message });
628
+ }
629
+ async function handleVerifyEmail(body) {
630
+ const token = str(body.token);
631
+ if (!token) {
632
+ return json({ ok: false, message: "Invalid input." }, 400);
633
+ }
634
+ const result = await backendVerifyEmail(config, token);
635
+ return json({ ok: result.success, message: result.message });
636
+ }
637
+ return {
638
+ async POST(request2, context) {
639
+ const { action } = await context.params;
640
+ let body;
641
+ try {
642
+ body = await readBody(request2);
643
+ } catch {
644
+ return json({ ok: false, message: "Invalid request body." }, 400);
645
+ }
646
+ try {
647
+ switch (action) {
648
+ case "sign-in":
649
+ return await handleSignIn(body);
650
+ case "register":
651
+ return await handleRegister(body);
652
+ case "sign-out":
653
+ return await handleSignOut();
654
+ case "sign-out-everywhere":
655
+ return await handleSignOutEverywhere();
656
+ case "refresh":
657
+ return await handleRefresh();
658
+ case "forgot-password":
659
+ return await handleForgotPassword(body);
660
+ case "reset-password":
661
+ return await handleResetPassword(body);
662
+ case "verify-email":
663
+ return await handleVerifyEmail(body);
664
+ default:
665
+ return json({ ok: false, message: "Not found." }, 404);
666
+ }
667
+ } catch {
668
+ return json({ ok: false, message: "Something went wrong." }, 500);
669
+ }
670
+ },
671
+ async GET(_request, context) {
672
+ const { action } = await context.params;
673
+ if (action !== "me") {
674
+ return json({ ok: false, message: "Not found." }, 404);
675
+ }
676
+ try {
677
+ return await handleMe();
678
+ } catch {
679
+ return json({ user: null });
680
+ }
681
+ }
682
+ };
683
+ }
684
+ var CART_FIELDS = `
685
+ id
686
+ status
687
+ itemCount
688
+ subtotal
689
+ currency
690
+ discountedTotal
691
+ appliedDiscount { code type value computedAmount }
692
+ items {
693
+ id
694
+ recordId
695
+ quantity
696
+ variantSelections
697
+ currentPrice
698
+ priceMismatch
699
+ snapshot { name price currency imageUrl sku }
700
+ }
701
+ `;
702
+ var CART_QUERY = `query Cart($workspaceId: ID!) { cart(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
703
+ var ADD_TO_CART = `mutation AddToCart($input: AddToCartInput!) { addToCart(input: $input) { ${CART_FIELDS} } }`;
704
+ var UPDATE_ITEM = `mutation UpdateCartItem($input: UpdateCartItemInput!) { updateCartItem(input: $input) { ${CART_FIELDS} } }`;
705
+ var REMOVE_ITEM = `mutation RemoveCartItem($workspaceId: ID!, $itemId: ID!) { removeCartItem(workspaceId: $workspaceId, itemId: $itemId) { ${CART_FIELDS} } }`;
706
+ var CLEAR_CART = `mutation ClearCart($workspaceId: ID!) { clearCart(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
707
+ var APPLY_DISCOUNT = `mutation ApplyDiscount($workspaceId: ID!, $code: String!) { applyDiscount(workspaceId: $workspaceId, code: $code) { ${CART_FIELDS} } }`;
708
+ var REMOVE_DISCOUNT = `mutation RemoveDiscount($workspaceId: ID!) { removeDiscount(workspaceId: $workspaceId) { ${CART_FIELDS} } }`;
709
+ var CHECKOUT = `mutation Checkout($input: CheckoutInput!) {
710
+ checkout(input: $input) { id status subtotal total currency customerEmail }
711
+ }`;
712
+ var PRODUCT = `query Product($workspaceId: String!, $modelSlug: String!, $filter: JSON) {
713
+ publicModelRecords(workspaceId: $workspaceId, modelSlug: $modelSlug, filter: $filter, limit: 1) {
714
+ items { id data variants { id sku price inventory selectedOptions { name value } } }
715
+ }
716
+ }`;
717
+ var workspaceIdCache2 = /* @__PURE__ */ new Map();
718
+ function workspaceIdFor2(config) {
719
+ const key = `${config.apiUrl}::${config.workspaceSlug}`;
720
+ const existing = workspaceIdCache2.get(key);
721
+ if (existing) return existing;
722
+ const fresh = resolveWorkspaceId(config).catch((err) => {
723
+ workspaceIdCache2.delete(key);
724
+ throw err;
725
+ });
726
+ workspaceIdCache2.set(key, fresh);
727
+ return fresh;
728
+ }
729
+ async function request(config, ctx, workspaceId, query, variables, label) {
730
+ return graphqlRequest(
731
+ config,
732
+ query,
733
+ variables,
734
+ {
735
+ headers: {
736
+ "x-workspace-id": workspaceId,
737
+ "x-cart-session": ctx.cartToken,
738
+ ...ctx.accessToken ? { authorization: `Bearer ${ctx.accessToken}` } : {}
739
+ }
740
+ },
741
+ label
742
+ );
743
+ }
744
+ async function backendGetCart(config, ctx) {
745
+ const workspaceId = await workspaceIdFor2(config);
746
+ const data = await request(
747
+ config,
748
+ ctx,
749
+ workspaceId,
750
+ CART_QUERY,
751
+ { workspaceId },
752
+ "cart query"
753
+ );
754
+ return data.cart;
755
+ }
756
+ async function backendAddToCart(config, ctx, input) {
757
+ const workspaceId = await workspaceIdFor2(config);
758
+ const data = await request(
759
+ config,
760
+ ctx,
761
+ workspaceId,
762
+ ADD_TO_CART,
763
+ { input: { workspaceId, ...input } },
764
+ "add to cart"
765
+ );
766
+ return data.addToCart;
767
+ }
768
+ async function backendUpdateItem(config, ctx, input) {
769
+ const workspaceId = await workspaceIdFor2(config);
770
+ const data = await request(
771
+ config,
772
+ ctx,
773
+ workspaceId,
774
+ UPDATE_ITEM,
775
+ { input: { workspaceId, ...input } },
776
+ "update cart item"
777
+ );
778
+ return data.updateCartItem;
779
+ }
780
+ async function backendRemoveItem(config, ctx, itemId) {
781
+ const workspaceId = await workspaceIdFor2(config);
782
+ const data = await request(
783
+ config,
784
+ ctx,
785
+ workspaceId,
786
+ REMOVE_ITEM,
787
+ { workspaceId, itemId },
788
+ "remove cart item"
789
+ );
790
+ return data.removeCartItem;
791
+ }
792
+ async function backendClearCart(config, ctx) {
793
+ const workspaceId = await workspaceIdFor2(config);
794
+ const data = await request(
795
+ config,
796
+ ctx,
797
+ workspaceId,
798
+ CLEAR_CART,
799
+ { workspaceId },
800
+ "clear cart"
801
+ );
802
+ return data.clearCart;
803
+ }
804
+ async function backendApplyDiscount(config, ctx, code) {
805
+ const workspaceId = await workspaceIdFor2(config);
806
+ const data = await request(
807
+ config,
808
+ ctx,
809
+ workspaceId,
810
+ APPLY_DISCOUNT,
811
+ { workspaceId, code },
812
+ "apply discount"
813
+ );
814
+ return data.applyDiscount;
815
+ }
816
+ async function backendRemoveDiscount(config, ctx) {
817
+ const workspaceId = await workspaceIdFor2(config);
818
+ const data = await request(
819
+ config,
820
+ ctx,
821
+ workspaceId,
822
+ REMOVE_DISCOUNT,
823
+ { workspaceId },
824
+ "remove discount"
825
+ );
826
+ return data.removeDiscount;
827
+ }
828
+ async function backendCheckout(config, ctx, customerEmail) {
829
+ const workspaceId = await workspaceIdFor2(config);
830
+ const data = await request(
831
+ config,
832
+ ctx,
833
+ workspaceId,
834
+ CHECKOUT,
835
+ { input: { workspaceId, customerEmail } },
836
+ "checkout"
837
+ );
838
+ return data.checkout;
839
+ }
840
+ async function backendProduct(config, ctx, modelSlug, filter) {
841
+ const workspaceId = await workspaceIdFor2(config);
842
+ const data = await request(
843
+ config,
844
+ ctx,
845
+ workspaceId,
846
+ PRODUCT,
847
+ { workspaceId, modelSlug, filter },
848
+ "product query"
849
+ );
850
+ return data.publicModelRecords.items[0] ?? null;
851
+ }
852
+
853
+ // src/create-cart-route.ts
854
+ var CMSSY_CART_COOKIE = "cmssy_cart";
855
+ var CART_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
856
+ var CART_TOKEN_BYTES = 32;
857
+ var MAX_BODY_CHARS2 = 16 * 1024;
858
+ function json2(body, status = 200) {
859
+ return new Response(JSON.stringify(body), {
860
+ status,
861
+ headers: {
862
+ "content-type": "application/json",
863
+ "cache-control": "no-store"
864
+ }
865
+ });
866
+ }
867
+ function cartCookieOptions() {
868
+ return {
869
+ httpOnly: true,
870
+ secure: process.env.NODE_ENV !== "development",
871
+ sameSite: "lax",
872
+ path: "/",
873
+ maxAge: CART_MAX_AGE_SECONDS
874
+ };
875
+ }
876
+ function mintToken() {
877
+ const bytes = new Uint8Array(CART_TOKEN_BYTES);
878
+ crypto.getRandomValues(bytes);
879
+ let binary = "";
880
+ for (const byte of bytes) binary += String.fromCharCode(byte);
881
+ return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
882
+ }
883
+ async function readBody2(request2) {
884
+ const contentType = request2.headers.get("content-type") ?? "";
885
+ if (!contentType.toLowerCase().includes("application/json")) {
886
+ throw new Error("content-type must be application/json");
887
+ }
888
+ const text = await request2.text();
889
+ if (text.length > MAX_BODY_CHARS2) throw new Error("body too large");
890
+ if (!text) return {};
891
+ const parsed = JSON.parse(text);
892
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
893
+ throw new Error("body must be a JSON object");
894
+ }
895
+ return parsed;
896
+ }
897
+ function str2(value) {
898
+ return typeof value === "string" ? value : "";
899
+ }
900
+ function plainObject2(value) {
901
+ if (!value || typeof value !== "object" || Array.isArray(value)) return {};
902
+ return value;
903
+ }
904
+ function createCmssyCartRoute(config) {
905
+ async function ensureCartToken() {
906
+ const jar = await cookies();
907
+ const existing = jar.get(CMSSY_CART_COOKIE)?.value;
908
+ if (existing) return existing;
909
+ const token = mintToken();
910
+ jar.set(CMSSY_CART_COOKIE, token, cartCookieOptions());
911
+ return token;
912
+ }
913
+ async function clearCartToken() {
914
+ const jar = await cookies();
915
+ jar.set(CMSSY_CART_COOKIE, "", { ...cartCookieOptions(), maxAge: 0 });
916
+ }
917
+ async function memberAccessToken() {
918
+ if (!config.auth) return void 0;
919
+ const jar = await cookies();
920
+ const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
921
+ if (!raw) return void 0;
922
+ const session = await openSession(
923
+ raw,
924
+ config.auth.sessionSecret,
925
+ config.workspaceSlug
926
+ );
927
+ if (!session || isAccessExpired(session)) return void 0;
928
+ return session.accessToken;
929
+ }
930
+ async function buildContext() {
931
+ const cartToken = await ensureCartToken();
932
+ const accessToken = await memberAccessToken();
933
+ return accessToken ? { cartToken, accessToken } : { cartToken };
934
+ }
935
+ return {
936
+ async POST(request2, context) {
937
+ const { action } = await context.params;
938
+ let body;
939
+ try {
940
+ body = await readBody2(request2);
941
+ } catch {
942
+ return json2({ message: "Invalid request body." }, 400);
943
+ }
944
+ try {
945
+ const ctx = await buildContext();
946
+ switch (action) {
947
+ case "cart":
948
+ return json2({ cart: await backendGetCart(config, ctx) });
949
+ case "add":
950
+ return json2({
951
+ cart: await backendAddToCart(config, ctx, {
952
+ recordId: str2(body.recordId),
953
+ quantity: typeof body.quantity === "number" ? body.quantity : 1,
954
+ variantSelections: body.variantSelections,
955
+ notes: typeof body.notes === "string" ? body.notes : void 0
956
+ })
957
+ });
958
+ case "update":
959
+ return json2({
960
+ cart: await backendUpdateItem(config, ctx, {
961
+ itemId: str2(body.itemId),
962
+ quantity: typeof body.quantity === "number" ? body.quantity : 0
963
+ })
964
+ });
965
+ case "remove":
966
+ return json2({
967
+ cart: await backendRemoveItem(config, ctx, str2(body.itemId))
968
+ });
969
+ case "clear":
970
+ return json2({ cart: await backendClearCart(config, ctx) });
971
+ case "apply-discount":
972
+ return json2({
973
+ cart: await backendApplyDiscount(config, ctx, str2(body.code))
974
+ });
975
+ case "remove-discount":
976
+ return json2({ cart: await backendRemoveDiscount(config, ctx) });
977
+ case "checkout": {
978
+ const order = await backendCheckout(
979
+ config,
980
+ ctx,
981
+ str2(body.customerEmail)
982
+ );
983
+ await clearCartToken();
984
+ return json2({ order });
985
+ }
986
+ case "product":
987
+ return json2({
988
+ product: await backendProduct(
989
+ config,
990
+ ctx,
991
+ str2(body.modelSlug),
992
+ plainObject2(body.filter)
993
+ )
994
+ });
995
+ default:
996
+ return json2({ message: "Not found." }, 404);
997
+ }
998
+ } catch (err) {
999
+ return json2(
1000
+ {
1001
+ message: err instanceof Error ? err.message : "Commerce request failed"
1002
+ },
1003
+ 502
1004
+ );
1005
+ }
1006
+ }
1007
+ };
1008
+ }
1009
+ async function readValidSession(config) {
1010
+ const auth = assertAuthConfig(config);
1011
+ const jar = await cookies();
1012
+ const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
1013
+ if (!raw) return null;
1014
+ const session = await openSession(
1015
+ raw,
1016
+ auth.sessionSecret,
1017
+ config.workspaceSlug
1018
+ );
1019
+ if (!session || isAccessExpired(session)) return null;
1020
+ return session;
1021
+ }
1022
+ async function getCmssyUser(config) {
1023
+ const session = await readValidSession(config);
1024
+ return session?.user ?? null;
1025
+ }
1026
+ async function getCmssyAccessToken(config) {
1027
+ const session = await readValidSession(config);
1028
+ return session?.accessToken ?? null;
1029
+ }
1030
+ function isPrefetch(request2) {
1031
+ return request2.headers.get("next-router-prefetch") !== null || request2.headers.get("purpose") === "prefetch" || (request2.headers.get("sec-purpose") ?? "").includes("prefetch");
1032
+ }
1033
+ function createCmssyAuthMiddleware(config) {
1034
+ const auth = assertAuthConfig(config);
1035
+ return async function cmssyAuthMiddleware(request2) {
1036
+ const raw = request2.cookies.get(CMSSY_SESSION_COOKIE)?.value;
1037
+ if (!raw) return NextResponse.next();
1038
+ const session = await openSession(
1039
+ raw,
1040
+ auth.sessionSecret,
1041
+ config.workspaceSlug
1042
+ );
1043
+ if (!session) {
1044
+ const response = NextResponse.next();
1045
+ response.cookies.set(CMSSY_SESSION_COOKIE, "", {
1046
+ ...sessionCookieOptions(),
1047
+ maxAge: 0
1048
+ });
1049
+ return response;
1050
+ }
1051
+ if (!isAccessExpired(session)) return NextResponse.next();
1052
+ if (isPrefetch(request2)) return NextResponse.next();
1053
+ let payload = null;
1054
+ try {
1055
+ const result = await backendRefresh(config, session.refreshToken);
1056
+ payload = toSessionPayload(result);
1057
+ } catch {
1058
+ return NextResponse.next();
1059
+ }
1060
+ if (!payload) {
1061
+ const cleared = NextResponse.next();
1062
+ cleared.cookies.set(CMSSY_SESSION_COOKIE, "", {
1063
+ ...sessionCookieOptions(),
1064
+ maxAge: 0
1065
+ });
1066
+ return cleared;
1067
+ }
1068
+ const sealed = await sealSession(
1069
+ payload,
1070
+ auth.sessionSecret,
1071
+ config.workspaceSlug
1072
+ );
1073
+ request2.cookies.set(CMSSY_SESSION_COOKIE, sealed);
1074
+ const refreshed = NextResponse.next({ request: request2 });
1075
+ refreshed.cookies.set(CMSSY_SESSION_COOKIE, sealed, sessionCookieOptions());
1076
+ return refreshed;
1077
+ };
1078
+ }
227
1079
 
228
- export { CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, applyCmssyCsp, cmssyCspHeaders, createCmssyPage, createDraftRoute, getCmssyLocale, isCmssyEditMode, isCmssyEditRequest, localeForPathname, splitCmssyLocale };
1080
+ export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, SESSION_MAX_AGE_SECONDS, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };