@faststore/core 4.1.2-dev.0 → 4.1.2-dev.1

package/.turbo/turbo-generate.log

@@ -1,9 +1,9 @@
 
-> @faststore/core@4.1.1 generate /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.1.2-dev.0 generate /home/runner/work/faststore/faststore/packages/core
 > pnpm run gen-types && pnpm run cache-graphql 
 
 
-> @faststore/core@4.1.1 gen-types /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.1.2-dev.0 gen-types /home/runner/work/faststore/faststore/packages/core
 > node ../cli/bin/run generate-types .
 
 [STARTED] Parse Configuration
@@ -19,7 +19,7 @@
 [COMPLETED] Generate to /home/runner/work/faststore/faststore/packages/core/@generated/
 [COMPLETED] Generate outputs
 
-> @faststore/core@4.1.1 cache-graphql /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.1.2-dev.0 cache-graphql /home/runner/work/faststore/faststore/packages/core
 > node ../cli/bin/run cache-graphql --config=./discovery.config.default.js --queries=./@generated/persisted-documents.json
 
 [Info] - Config file location: /home/runner/work/faststore/faststore/packages/core/discovery.config.default.js

package/.turbo/turbo-test.log

@@ -1,13 +1,14 @@
 
-> @faststore/core@4.1.1 test /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.1.2-dev.0 test /home/runner/work/faststore/faststore/packages/core
 > vitest run
 
 
  RUN  v4.0.7 /home/runner/work/faststore/faststore/packages/core
 
- ✓  node  test/utils/match-url.test.ts (10 tests) 44ms
- ✓  node  test/utils/localization/bindingPaths.test.ts (71 tests) 98ms
- ✓  node  test/sdk/localization/bindingSelector.test.ts (18 tests) 22ms
+ ✓  node  test/utils/localization/bindingPaths.test.ts (71 tests) 107ms
+ ✓  node  test/utils/match-url.test.ts (10 tests) 20ms
+ ✓  node  test/sdk/localization/bindingSelector.test.ts (18 tests) 30ms
+ ✓  browser  test/utils/isLocalHost.browser.test.ts (3 tests) 18ms
 stderr | test/sdk/localization/store-url.browser.test.ts
 Error in optimistic validation: TypeError: Cannot read properties of undefined (reading 'read')
     at validateCart (/home/runner/work/faststore/faststore/packages/core/src/sdk/cart/index.ts:119:27)
@@ -15,34 +16,35 @@
     at a (/home/runner/work/faststore/faststore/packages/sdk/dist/es/index.mjs:353:23)
     at processTicksAndRejections (node:internal/process/task_queues:103:5)
 
- ✓  node  test/utils/cookieCacheBusting.test.ts (10 tests) 66ms
 stderr | test/sdk/localization/store-url.browser.test.ts
 Error in optimistic validation: ReferenceError: Cannot access '__vite_ssr_import_4__' before initialization
     at getSettings (/home/runner/work/faststore/faststore/packages/core/src/sdk/localization/useLocalizationConfig.tsx:126:45)
-    at validateSession (/home/runner/work/faststore/faststore/packages/core/src/sdk/session/index.ts:144:22)
+    at validateSession (/home/runner/work/faststore/faststore/packages/core/src/sdk/session/index.ts:140:22)
     at onValidate (/home/runner/work/faststore/faststore/packages/core/src/sdk/useStore.ts:18:20)
     at a (/home/runner/work/faststore/faststore/packages/sdk/dist/es/index.mjs:353:23)
     at processTicksAndRejections (node:internal/process/task_queues:103:5)
 
- ✓  browser  test/sdk/localization/store-url.browser.test.ts (3 tests) 23ms
- ✓  node  test/sdk/localization/useBindingSelector.test.tsx (12 tests) 28ms
- ✓  node  test/sdk/search/useSearchHistory.test.ts (13 tests) 168ms
- ✓  node  test/utils/multipleTemplates.test.ts (8 tests) 20ms
- ✓  node  test/utils/clearCookies.test.ts (20 tests) 98ms
- ✓  node  test/server/cms/global.test.ts (3 tests) 22ms
- ✓  node  test/server/content/service.test.ts (5 tests) 19ms
- ✓  node  test/utils/getRequestHostname.test.ts (12 tests) 16ms
- ✓  node  test/sdk/localization/store-url.test.ts (1 test) 13ms
- ✓  node  test/utils/validateSessionRefreshToken.test.ts (6 tests) 13ms
- ✓  node  test/pages/api/preview.test.ts (2 tests) 25ms
- ✓  node  test/server/cms/index.test.ts (2 tests) 15ms
- ✓  node  test/server/index.test.ts (7 tests) 1400ms
-       ✓ should return a valid merged GraphQL schema  377ms
-       ✓ should exist with its plugins  587ms
-       ✓ should handle options and execute  382ms
-
- Test Files  17 passed (17)
-      Tests  203 passed (203)
-   Start at  22:06:03
-   Duration  15.04s (transform 6.91s, setup 0ms, collect 17.26s, tests 2.09s, environment 10.70s, prepare 776ms)
+ ✓  browser  test/sdk/localization/store-url.browser.test.ts (3 tests) 18ms
+ ✓  node  test/sdk/localization/useBindingSelector.test.tsx (12 tests) 25ms
+ ✓  node  test/utils/cookieCacheBusting.test.ts (10 tests) 48ms
+ ✓  node  test/sdk/search/useSearchHistory.test.ts (13 tests) 104ms
+ ✓  node  test/utils/multipleTemplates.test.ts (8 tests) 15ms
+ ✓  node  test/utils/clearCookies.test.ts (20 tests) 101ms
+ ✓  node  test/server/cms/global.test.ts (3 tests) 13ms
+ ✓  node  test/server/content/service.test.ts (5 tests) 17ms
+ ✓  node  test/utils/getRequestHostname.test.ts (12 tests) 24ms
+ ✓  node  test/sdk/localization/store-url.test.ts (1 test) 6ms
+ ✓  node  test/utils/validateSessionRefreshToken.test.ts (6 tests) 11ms
+ ✓  node  test/pages/api/preview.test.ts (2 tests) 16ms
+ ✓  node  test/server/cms/index.test.ts (2 tests) 17ms
+ ✓  node  test/utils/isLocalHost.test.ts (7 tests) 8ms
+ ✓  node  test/server/index.test.ts (7 tests) 1496ms
+       ✓ should return a valid merged GraphQL schema  567ms
+       ✓ should exist with its plugins  503ms
+       ✓ should handle options and execute  400ms
+
+ Test Files  19 passed (19)
+      Tests  213 passed (213)
+   Start at  17:39:14
+   Duration  14.78s (transform 5.74s, setup 0ms, collect 16.26s, tests 2.09s, environment 11.06s, prepare 673ms)
 

package/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## 4.1.2-dev.1 (2026-05-19)
+
+### Bug Fixes
+
+- bypass refresh-token flow on localhost in 403 page and useRefreshToken hook ([#3325](https://github.com/vtex/faststore/issues/3325)) ([d48571a](https://github.com/vtex/faststore/commit/d48571a15176497b019bae1462617c3159459421)), closes [#3285](https://github.com/vtex/faststore/issues/3285) [#3285](https://github.com/vtex/faststore/issues/3285)
+
 ## 4.1.2-dev.0 (2026-05-15)
 
 ### Bug Fixes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@faststore/core",
-  "version": "4.1.2-dev.0",
+  "version": "4.1.2-dev.1",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -70,11 +70,11 @@
     "style-loader": "^3.3.1",
     "swr": "^2.2.5",
     "use-sync-external-store": "^1.6.0",
-    "@faststore/diagnostics": "4.1.2-dev.0",
-    "@faststore/api": "4.1.2-dev.0",
-    "@faststore/lighthouse": "4.1.2-dev.0",
-    "@faststore/sdk": "4.1.2-dev.0",
-    "@faststore/ui": "4.1.2-dev.0"
+    "@faststore/api": "4.1.2-dev.1",
+    "@faststore/diagnostics": "4.1.2-dev.1",
+    "@faststore/lighthouse": "4.1.2-dev.1",
+    "@faststore/sdk": "4.1.2-dev.1",
+    "@faststore/ui": "4.1.2-dev.1"
   },
   "devDependencies": {
     "@cypress/code-coverage": "^3.12.1",

package/src/pages/api/graphql.ts

@@ -10,6 +10,7 @@ import type { NextApiHandler, NextApiRequest } from 'next'
 import discoveryConfig from 'discovery.config'
 import { getJWTAutCookie } from 'src/utils/getCookie'
 import { getRequestHostname } from 'src/utils/getRequestHostname'
+import { isLocalHost } from 'src/utils/isLocalHost'
 import { shouldForceRefreshTokenForValidateSession } from 'src/utils/validateSessionRefreshToken'
 import { execute } from '../../server'
 
@@ -142,8 +143,7 @@ const handler: NextApiHandler = async (request, response) => {
     // value is used to cache bust the request if there is a VtexIdclientAutCookie
     const { operation, variables, query, v: value } = parseRequest(request)
 
-    const hostname = request.headers.host?.split(':')[0]
-    const isLocal = hostname === 'localhost' || hostname === '127.0.0.1'
+    const isLocal = isLocalHost(getRequestHostname(request.headers.host))
 
     if (
       !isLocal &&

package/src/pages/pvt/account/403.tsx

@@ -23,6 +23,8 @@ import { useRefreshToken } from 'src/sdk/account/useRefreshToken'
 import PageProvider from 'src/sdk/overrides/PageProvider'
 import { execute } from 'src/server'
 import { injectGlobalSections } from 'src/server/cms/global'
+import { getRequestHostname } from 'src/utils/getRequestHostname'
+import { isLocalHost } from 'src/utils/isLocalHost'
 import { withLocaleValidationSSR } from 'src/utils/localization/withLocaleValidation'
 import { getMyAccountRedirect } from 'src/utils/myAccountRedirect'
 
@@ -137,10 +139,18 @@ const getServerSidePropsBase: GetServerSideProps<
     const fromPage =
       typeof context.query.from === 'string' ? context.query.from : ''
 
+    // The refresh-token round-trip is unreachable from localhost (cross-origin
+    // POST that drops the `vid_rt` cookie), and forcing it would clear the
+    // manually injected `VtexIdclientAutCookie_<account>`. Render the static
+    // 403 view instead so developers can keep testing logged-in scenarios
+    // regardless of the `experimental.refreshToken` flag.
+    const isLocal = isLocalHost(getRequestHostname(context.req.headers.host))
+
     return {
       props: {
         globalSections: globalSectionsResult,
         needsRefreshToken:
+          !isLocal &&
           (statusCode === 401 || statusCode === 403) &&
           storeConfig.experimental?.refreshToken,
         fromPage,

package/src/sdk/account/useRefreshToken.ts

@@ -1,4 +1,5 @@
 import { useEffect, useState } from 'react'
+import { isLocalHostBrowser } from 'src/utils/isLocalHost'
 import { logoutAndClearSession, sessionStore } from '../session'
 import { isRefreshTokenSuccessful, refreshTokenRequest } from './refreshToken'
 
@@ -12,6 +13,17 @@ export const useRefreshToken = (
     const handleRefreshTokenAndUpdateSession = async () => {
       if (!needsRefreshToken) return
 
+      // The refresh-token endpoint lives on the production origin and relies on
+      // the `vid_rt` cookie scoped to that origin. From localhost the request is
+      // cross-origin, so the cookie is not sent and the refresh always fails —
+      // which would also wipe the manually injected `VtexIdclientAutCookie_<account>`
+      // via `logoutAndClearSession`. Bail out and fall back to the static 403
+      // view so developers can keep testing logged-in flows.
+      if (isLocalHostBrowser()) {
+        setShouldShow403(true)
+        return
+      }
+
       const currentSession = sessionStore.read() ?? sessionStore.readInitial()
 
       try {

package/src/sdk/session/index.ts

@@ -8,6 +8,7 @@ import type {
   ValidateSessionMutationVariables,
 } from '@generated/graphql'
 import deepEqual from 'fast-deep-equal'
+import { isLocalHostBrowser } from 'src/utils/isLocalHost'
 import { filterChannel } from 'src/utils/utilities'
 import storeConfig from '../../../discovery.config'
 import {
@@ -21,11 +22,6 @@ import { createValidationStore, useStore } from '../useStore'
 import { getPostalCode } from '../userLocation/index'
 import { RELOAD_AFTER_LOGOUT_KEY, SESSION_READY_KEY } from './storageKeys'
 
-const isLocalEnvironment = (): boolean =>
-  typeof window !== 'undefined' &&
-  (window.location.hostname === 'localhost' ||
-    window.location.hostname === '127.0.0.1')
-
 const isReloadAfterLogoutPending = (): boolean => {
   try {
     return (
@@ -129,7 +125,7 @@ export const validateSession = async (session: Session) => {
   // On failure (logoutAndClearSession already triggered), bail out.
   // Skipped in local environments where the refresh token infrastructure is unavailable.
   if (
-    !isLocalEnvironment() &&
+    !isLocalHostBrowser() &&
     storeConfig.experimental?.refreshToken &&
     isRefreshAfterExpired(session)
   ) {
@@ -200,7 +196,7 @@ export const validateSession = async (session: Session) => {
     return data.validateSession
   } catch (error) {
     const shouldRefreshToken =
-      !isLocalEnvironment() &&
+      !isLocalHostBrowser() &&
       error?.status === 401 &&
       storeConfig.experimental?.refreshToken
 

package/src/utils/isLocalHost.ts

@@ -0,0 +1,33 @@
+/**
+ * Hostnames that represent a local development environment.
+ *
+ * These are the only hosts where the FastStore app skips the refresh-token
+ * flow so developers can drive the app with a manually injected
+ * `VtexIdclientAutCookie_<account>` cookie regardless of feature flags.
+ */
+const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1'])
+
+/**
+ * Returns `true` when the given hostname corresponds to a local development
+ * environment (`localhost` / `127.0.0.1`).
+ *
+ * Refresh-token and other production-only flows MUST be bypassed on these
+ * hostnames so that developers can test logged-in scenarios with manually
+ * injected cookies, independent of any experimental flag.
+ *
+ * The input MUST be a bare hostname (no port). Use {@link getRequestHostname}
+ * on server-side request headers before calling this helper.
+ */
+export function isLocalHost(hostname: string | null | undefined): boolean {
+  if (!hostname) return false
+  return LOCAL_HOSTNAMES.has(hostname.toLowerCase())
+}
+
+/**
+ * Browser-side wrapper that reads `window.location.hostname`. Returns `false`
+ * when `window` is not available (SSR/Node).
+ */
+export function isLocalHostBrowser(): boolean {
+  if (typeof window === 'undefined') return false
+  return isLocalHost(window.location.hostname)
+}

package/test/utils/isLocalHost.browser.test.ts

@@ -0,0 +1,37 @@
+import { afterEach, describe, expect, it } from 'vitest'
+import { isLocalHostBrowser } from '../../src/utils/isLocalHost'
+
+const originalLocation = window.location
+
+function stubHostname(hostname: string) {
+  // jsdom forbids assigning to `window.location` directly, so we redefine the
+  // descriptor with a minimal stub that exposes the hostname we want to test.
+  Object.defineProperty(window, 'location', {
+    configurable: true,
+    value: { ...originalLocation, hostname },
+  })
+}
+
+describe('isLocalHostBrowser', () => {
+  afterEach(() => {
+    Object.defineProperty(window, 'location', {
+      configurable: true,
+      value: originalLocation,
+    })
+  })
+
+  it('returns true when window.location.hostname is "localhost"', () => {
+    stubHostname('localhost')
+    expect(isLocalHostBrowser()).toBe(true)
+  })
+
+  it('returns true when window.location.hostname is "127.0.0.1"', () => {
+    stubHostname('127.0.0.1')
+    expect(isLocalHostBrowser()).toBe(true)
+  })
+
+  it('returns false for a production hostname', () => {
+    stubHostname('brandless.fast.store')
+    expect(isLocalHostBrowser()).toBe(false)
+  })
+})

package/test/utils/isLocalHost.test.ts

@@ -0,0 +1,38 @@
+import { describe, expect, it } from 'vitest'
+import { isLocalHost } from '../../src/utils/isLocalHost'
+
+describe('isLocalHost', () => {
+  it('returns true for "localhost"', () => {
+    expect(isLocalHost('localhost')).toBe(true)
+  })
+
+  it('returns true for "127.0.0.1"', () => {
+    expect(isLocalHost('127.0.0.1')).toBe(true)
+  })
+
+  it('is case-insensitive', () => {
+    expect(isLocalHost('LOCALHOST')).toBe(true)
+    expect(isLocalHost('Localhost')).toBe(true)
+  })
+
+  it('returns false for a production hostname', () => {
+    expect(isLocalHost('brandless.fast.store')).toBe(false)
+  })
+
+  it('returns false for IPv6 loopback (not in the bypass list)', () => {
+    // We intentionally bypass only the two canonical local hosts. IPv6
+    // loopback (`::1`) and other loopback variants are out of scope.
+    expect(isLocalHost('::1')).toBe(false)
+  })
+
+  it('returns false for inputs that still carry a port', () => {
+    // Callers MUST normalize the hostname via getRequestHostname first.
+    expect(isLocalHost('localhost:3000')).toBe(false)
+  })
+
+  it('returns false for null/undefined/empty input', () => {
+    expect(isLocalHost(null)).toBe(false)
+    expect(isLocalHost(undefined)).toBe(false)
+    expect(isLocalHost('')).toBe(false)
+  })
+})