@djangocfg/nextjs 2.1.427 → 2.1.428

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@djangocfg/nextjs",
-  "version": "2.1.427",
+  "version": "2.1.428",
   "description": "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
   "keywords": [
     "nextjs",
@@ -143,9 +143,9 @@
     "ai-docs": "tsx src/ai/cli.ts"
   },
   "peerDependencies": {
-    "@djangocfg/i18n": "^2.1.427",
-    "@djangocfg/monitor": "^2.1.427",
-    "@djangocfg/ui-core": "^2.1.427",
+    "@djangocfg/i18n": "^2.1.428",
+    "@djangocfg/monitor": "^2.1.428",
+    "@djangocfg/ui-core": "^2.1.428",
     "next": "^16.2.2"
   },
   "peerDependenciesMeta": {
@@ -167,11 +167,11 @@
     "serwist": "^9.2.3"
   },
   "devDependencies": {
-    "@djangocfg/i18n": "^2.1.427",
-    "@djangocfg/monitor": "^2.1.427",
-    "@djangocfg/ui-core": "^2.1.427",
-    "@djangocfg/layouts": "^2.1.427",
-    "@djangocfg/typescript-config": "^2.1.427",
+    "@djangocfg/i18n": "^2.1.428",
+    "@djangocfg/monitor": "^2.1.428",
+    "@djangocfg/ui-core": "^2.1.428",
+    "@djangocfg/layouts": "^2.1.428",
+    "@djangocfg/typescript-config": "^2.1.428",
     "@types/node": "^25.2.3",
     "@types/react": "^19.2.15",
     "@types/react-dom": "^19.2.3",

package/src/config/constants.ts

@@ -21,7 +21,6 @@ export const DJANGO_CFG_BANNER = `
 // All @djangocfg packages that can be updated together
 export const DJANGOCFG_PACKAGES = [
   '@djangocfg/ui-core',
-  '@djangocfg/ui-nextjs',
   '@djangocfg/layouts',
   '@djangocfg/nextjs',
   '@djangocfg/api',
@@ -35,22 +34,17 @@ export const DJANGOCFG_PACKAGES = [
 export const DEFAULT_TRANSPILE_PACKAGES = [
   '@djangocfg/i18n',
   '@djangocfg/ui-core',
-  '@djangocfg/ui-nextjs',
   '@djangocfg/layouts',
   '@djangocfg/ui-tools',
   '@djangocfg/api',
   '@djangocfg/centrifugo',
   '@djangocfg/debuger',
   '@djangocfg/monitor',
-  // Extensions (for source imports without build)
-  '@djangocfg/ext-support',
-  '@djangocfg/ext-payments',
 ] as const;
 
 // Default packages to optimize imports
 export const DEFAULT_OPTIMIZE_PACKAGES = [
   '@djangocfg/ui-core',
-  '@djangocfg/ui-nextjs',
   '@djangocfg/layouts',
   'lucide-react',
   'recharts',

package/src/config/createNextConfig.ts

@@ -58,6 +58,15 @@ export interface BaseNextConfigOptions {
    * Set to ['*'] to allow all origins, or specify domains like ['https://djangocfg.com']
    */
   allowIframeFrom?: string[];
+  /**
+   * Enable DPoP (RFC 9449) sender-constrained tokens on the generated API
+   * client. When true, the client holds a non-extractable key and signs a
+   * per-request `DPoP` proof so a stolen token is useless. Must be paired with
+   * `jwt = JWTConfig(dpop_enabled=True)` on the Django backend. Default: false.
+   *
+   * Inlines `NEXT_PUBLIC_DPOP_ENABLED='true'` so the generated auth.ts activates.
+   */
+  dpop?: boolean;
   /**
    * PWA configuration options
    * Set to false to disable PWA, or provide custom options
@@ -121,6 +130,11 @@ export function createBaseNextConfig(
     reactStrictMode: true,
     trailingSlash: true,
 
+    // Dev indicator position — set explicitly so it's managed from one place
+    // across every @djangocfg app. Apps can override via `devIndicators` in
+    // their options (deep-merged over this). Kept bottom-left for now.
+    devIndicators: { position: 'bottom-left' },
+
     // Static export configuration
     ...(isStaticBuild && {
       output: 'export' as const,
@@ -142,6 +156,9 @@ export function createBaseNextConfig(
       NEXT_PUBLIC_BASE_PATH: basePath,
       NEXT_PUBLIC_API_URL: apiUrl,
       NEXT_PUBLIC_SITE_URL: siteUrl,
+      // DPoP toggle for the generated auth client (RFC 9449). Only inlined when
+      // explicitly enabled, so non-DPoP apps stay on the plain Bearer path.
+      ...(options.dpop ? { NEXT_PUBLIC_DPOP_ENABLED: 'true' } : {}),
       // Disable Next.js telemetry (Next.js 15+ uses env var instead of config option)
       NEXT_TELEMETRY_DISABLED: '1',
       ...options.env,
@@ -165,26 +182,60 @@ export function createBaseNextConfig(
         },
       ];
 
-      // Add iframe embedding headers if allowIframeFrom is specified
-      if (options.allowIframeFrom && options.allowIframeFrom.length > 0) {
-        const frameAncestors = options.allowIframeFrom.includes('*')
-          ? '*'
-          : `'self' ${options.allowIframeFrom.join(' ')}`;
+      // ── Baseline security headers on every route ──────────────────────────
+      // First line of defence against XSS/clickjacking/sniffing. The CSP here is
+      // a PRAGMATIC baseline: it kills the high-value injection vectors
+      // (plugins/objects, <base> hijacking, form-action exfiltration, iframe
+      // embedding) while still allowing the inline/eval scripts a Next.js app
+      // needs in dev. A fully strict nonce-based `script-src` is a follow-up
+      // (needs middleware + per-request nonce wiring) — tracked in the
+      // auth-hardening plan. `allowIframeFrom` (below) overrides frame-ancestors.
+      const hasIframeAllowlist =
+        !!options.allowIframeFrom && options.allowIframeFrom.length > 0;
+      const frameAncestors = hasIframeAllowlist
+        ? (options.allowIframeFrom!.includes('*')
+            ? '*'
+            : `'self' ${options.allowIframeFrom!.join(' ')}`)
+        : "'none'";
+
+      // In dev the backend (Django, Centrifugo) is plain http/ws on localhost,
+      // so connect/img must allow http:/ws:. Production stays strict (https/wss
+      // only) to forbid downgrade/cleartext exfiltration.
+      const connectSrc = isDev
+        ? "connect-src 'self' http: https: ws: wss:"
+        : "connect-src 'self' https: wss:";
+      const imgSrc = isDev
+        ? "img-src 'self' data: blob: http: https:"
+        : "img-src 'self' data: blob: https:";
+
+      const cspDirectives = [
+        "default-src 'self'",
+        // Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+        "style-src 'self' 'unsafe-inline'",
+        imgSrc,
+        "font-src 'self' data:",
+        // API/websocket calls go cross-origin to Django/Centrifugo.
+        connectSrc,
+        "object-src 'none'",
+        "base-uri 'self'",
+        "form-action 'self'",
+        `frame-ancestors ${frameAncestors}`,
+      ];
 
-        headers.push({
-          source: '/:path*',
-          headers: [
-            // Content-Security-Policy frame-ancestors directive
-            { key: 'Content-Security-Policy', value: `frame-ancestors ${frameAncestors}` },
-            // X-Frame-Options for older browsers (ALLOW-FROM is deprecated, use CSP instead)
-            // Only set SAMEORIGIN if allowing all, otherwise browsers will use CSP
-            ...(options.allowIframeFrom.includes('*')
-              ? []
-              : [{ key: 'X-Frame-Options', value: 'SAMEORIGIN' }]
-            ),
-          ],
-        });
-      }
+      headers.push({
+        source: '/:path*',
+        headers: [
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          { key: 'Content-Security-Policy', value: cspDirectives.join('; ') },
+          // X-Frame-Options for older browsers. Omitted when a wildcard iframe
+          // allowlist is set (browsers then rely on CSP frame-ancestors).
+          ...(hasIframeAllowlist && options.allowIframeFrom!.includes('*')
+            ? []
+            : [{ key: 'X-Frame-Options', value: hasIframeAllowlist ? 'SAMEORIGIN' : 'DENY' }]),
+        ],
+      });
 
       // Merge with user-provided headers
       const userHeaders = options.headers ? await options.headers() : [];
@@ -308,6 +359,7 @@ export function createBaseNextConfig(
     checkPackages,
     autoInstall,
     allowIframeFrom,
+    dpop,
     ...nextConfigOptions
   } = options;
 

package/src/i18n/request.ts

@@ -8,11 +8,9 @@
  * // i18n/request.ts in your app
  * import { createRequestConfig } from '@djangocfg/nextjs/i18n';
  * import { en, ru, ko } from '@djangocfg/i18n';
- * import { leadsI18n } from '@djangocfg/ext-leads';
  *
  * export default createRequestConfig({
  *   locales: { en, ru, ko },
- *   extensions: [leadsI18n],
  * });
  * ```
  */
@@ -101,11 +99,11 @@ function loadMessages(
  * ```ts
  * // i18n/request.ts
  * import { createRequestConfig } from '@djangocfg/nextjs/i18n';
- * import { leadsI18n } from '@djangocfg/ext-leads';
- * import { paymentsI18n } from '@djangocfg/ext-payments';
  *
+ * // `extensions` merges extra namespaced translation bundles, each shaped
+ * // as `{ namespace: string, locales: Record<LocaleCode, Messages> }`.
  * export default createRequestConfig({
- *   extensions: [leadsI18n, paymentsI18n],
+ *   extensions: [myFeatureI18n],
  * });
  * ```
  */