npm - @doswiftly/storefront-operations - Versions diffs - 11.4.0 → 11.5.0 - Mend

@doswiftly/storefront-operations 11.4.0 → 11.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/AGENTS.md CHANGED Viewed

@@ -27,7 +27,7 @@ consumer's `codegen.ts` references this package's `.graphql` files as
 live in the consumer's repo.
 <!-- AUTOGEN:STATS:BEGIN — auto-regenerated, do not edit by hand -->
-- **Schema version**: 11.4.0
+- **Schema version**: 11.5.0
 - **Queries**: 49
 - **Mutations**: 40
 - **Fragments**: 100

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,53 @@
 # Changelog
+## 11.5.0
+### Minor Changes
+- 190fd9d: Version sync with `@doswiftly/storefront-sdk` (linked release pair). No operations file changes — `OrderByToken` query and `Order.accessToken` field were shipped in the previous version (11.4.0); this bump keeps the operations package version aligned with the SDK release that now selects `accessToken` in its built-in `Order` fragment for `cartComplete`.
+  If you already use `@doswiftly/storefront-operations` for codegen, no regeneration is required (`queries.graphql` and `fragments.graphql` are unchanged). The companion `@doswiftly/storefront-sdk` upgrade is where the actual behavior change lands (see that changelog entry).
+- e6c80ce: Auth route handlers (`createSetTokenHandler`, `createClearTokenHandler`, `createWhoamiHandler`) now accept an optional `isTrustedOrigin` predicate. This unblocks the BFF auth flow when the storefront runs behind a reverse proxy (DoSwiftly hosting, Vercel, custom edge proxy) that rewrites or strips the `Host` header — since 11.3.0 the strict `Origin host = Host` comparison returned 403 for every login, logout, and page-load hydration in that topology, leaving the auth cookie unset and every auth-gated route redirecting to login.
+  ### Fix
+  Each handler accepts a new `isTrustedOrigin` callback:
+  ```ts
+  type OriginValidator = (ctx: {
+    origin: string;
+    originHost: string;
+    request: Request;
+  }) => boolean | Promise<boolean>;
+  ```
+  When the predicate returns truthy the strict `Origin host = Host header` comparison is bypassed; when it returns falsy (or is not configured) the existing strict check applies. A thrown predicate fails closed — the error is logged and the strict check applies as if the predicate returned `false`.
+  Two pre-built predicates are exported:
+  - `trustedForwardedHostValidator` — passes when `Origin host` equals `X-Forwarded-Host` (falling back to `X-Original-Host`). Use this when a reverse proxy you control sets one of those headers per request. The DoSwiftly hosting platform and Vercel both qualify.
+  - `originAllowlistValidator(['https://shop.example.com', 'other-shop.example'])` — passes when `Origin` matches an entry in a static list. Useful when one storefront is hosted on multiple hostnames (custom apex + platform subdomain) and you do not want to depend on forwarded-host headers.
+  ### Upgrade impact
+  - New storefronts scaffolded via `doswiftly init` ship with `isTrustedOrigin: trustedForwardedHostValidator` configured by default.
+  - Existing storefronts using the SDK behind a reverse proxy need a 3-line change to each route handler under `app/api/auth/`:
+    ```ts
+    import {
+      createSetTokenHandler,
+      trustedForwardedHostValidator,
+    } from "@doswiftly/storefront-sdk";
+    export const POST = createSetTokenHandler({
+      isTrustedOrigin: trustedForwardedHostValidator,
+    });
+    ```
+  - Storefronts deployed without a reverse proxy (single-tier hosting where the Next.js process receives traffic directly) need no changes — the default strict check still works because the Host header arrives intact.
+  ### Security
+  The predicate is invoked AFTER the Origin header is parsed (rejecting malformed origins) and BEFORE the strict Host comparison. Forwarded-host validation is safe because the trusted intermediary overwrites those headers on every inbound request (`headers.set(...)`, not `append`), so an attacker cannot forge them via a browser `fetch()` — browsers cannot set `X-Forwarded-*` from JavaScript (they are forbidden request headers per the fetch spec).
+  Defense-in-depth layers continue to apply: CORS preflight at the backend, `SameSite=Lax` on the auth cookie, `HttpOnly` + `Secure` cookie attributes, and the strict Origin URL parse (still rejects malformed origin and the `?host=trusted` query-string bypass).
 ## 11.4.0
 ### Minor Changes

package/llms-full.txt CHANGED Viewed

@@ -1,6 +1,6 @@
 # DoSwiftly Storefront Operations — Full Reference
-> Schema version: **11.4.0**
+> Schema version: **11.5.0**
 > 49 queries · 40 mutations · 100 fragments
 Auto-generated from `.graphql` source files. Do not edit by hand — this file is

package/operations.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "schemaVersion": "11.4.0",
+  "schemaVersion": "11.5.0",
   "queries": [
     {
       "name": "Shop",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@doswiftly/storefront-operations",
-  "version": "11.4.0",
+  "version": "11.5.0",
   "description": "GraphQL operations for DoSwiftly Storefront - SSOT from backend",
   "homepage": "https://doswiftly.pl",
   "publishConfig": {