@faststore/core 4.3.0-dev.7 → 4.3.0-dev.8

package/.turbo/turbo-generate.log

@@ -1,9 +1,9 @@
 
-> @faststore/core@4.3.0-dev.6 generate /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.3.0-dev.7 generate /home/runner/work/faststore/faststore/packages/core
 > pnpm run gen-types && pnpm run cache-graphql 
 
 
-> @faststore/core@4.3.0-dev.6 gen-types /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.3.0-dev.7 gen-types /home/runner/work/faststore/faststore/packages/core
 > node ../cli/bin/run generate-types .
 
 [STARTED] Parse Configuration
@@ -19,7 +19,7 @@
 [COMPLETED] Generate to /home/runner/work/faststore/faststore/packages/core/@generated/
 [COMPLETED] Generate outputs
 
-> @faststore/core@4.3.0-dev.6 cache-graphql /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.3.0-dev.7 cache-graphql /home/runner/work/faststore/faststore/packages/core
 > node ../cli/bin/run cache-graphql --config=./discovery.config.default.js --queries=./@generated/persisted-documents.json
 
 [Info] - Config file location: /home/runner/work/faststore/faststore/packages/core/discovery.config.default.js

package/.turbo/turbo-test.log

@@ -1,12 +1,12 @@
 
-> @faststore/core@4.3.0-dev.6 test /home/runner/work/faststore/faststore/packages/core
+> @faststore/core@4.3.0-dev.7 test /home/runner/work/faststore/faststore/packages/core
 > vitest run
 
 
  RUN  v4.0.7 /home/runner/work/faststore/faststore/packages/core
 
- ✓  browser  test/sdk/session/getInitialSession.browser.test.ts (6 tests) 36ms
- ✓  browser  test/sdk/session/installLocaleCorrector.browser.test.ts (7 tests) 54ms
+ ✓  browser  test/sdk/session/getInitialSession.browser.test.ts (6 tests) 18ms
+ ✓  browser  test/sdk/session/installLocaleCorrector.browser.test.ts (7 tests) 76ms
 stderr | test/sdk/localization/store-url.browser.test.ts
 Error in optimistic validation: TypeError: Cannot read properties of undefined (reading 'read')
     at validateCart (/home/runner/work/faststore/faststore/packages/core/src/sdk/cart/index.ts:119:27)
@@ -14,11 +14,245 @@
     at a (/home/runner/work/faststore/faststore/packages/sdk/dist/es/index.mjs:353:23)
     at processTicksAndRejections (node:internal/process/task_queues:103:5)
 
- ✓  browser  test/sdk/localization/store-url.browser.test.ts (3 tests) 11ms
- ✓  node  test/utils/localization/bindingPaths.test.ts (71 tests) 123ms
- ✓  node  test/utils/match-url.test.ts (10 tests) 21ms
- ✓  browser  test/utils/isLocalHost.browser.test.ts (3 tests) 15ms
- ✓  node  test/sdk/localization/bindingSelector.test.ts (18 tests) 20ms
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > posts the password and redirects to the requested return path
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > posts the password and redirects to the requested return path
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+ ✓  browser  test/utils/isLocalHost.browser.test.ts (3 tests) 14ms
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > defaults returnTo to root and shows API validation errors
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > defaults returnTo to root and shows API validation errors
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > uses the fallback invalid-password message when API omits an error
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > uses the fallback invalid-password message when API omits an error
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > shows service unavailable when the response is not a login payload
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > shows service unavailable when the response is not a login payload
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > shows service unavailable when the login request fails
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+stderr | test/pages/password-protection.browser.test.tsx > PasswordProtectionLogin > shows service unavailable when the login request fails
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+Warning: An update to PasswordProtectionLogin inside a test was not wrapped in act(...).
+
+When testing, code that causes React state updates should be wrapped into act(...):
+
+act(() => {
+  /* fire events that update state */
+});
+/* assert on the output */
+
+This ensures that you're testing the behavior the user would see in the browser. Learn more at https://reactjs.org/link/wrap-tests-with-act
+    at PasswordProtectionLogin (/home/runner/work/faststore/faststore/packages/core/src/pages/password-protection/index.tsx:19:69)
+
+ ✓  browser  test/pages/password-protection.browser.test.tsx (6 tests) 1695ms
+     ✓ renders the password protection form  805ms
+ ✓  browser  test/sdk/localization/store-url.browser.test.ts (3 tests) 17ms
+ ✓  node  test/utils/localization/bindingPaths.test.ts (71 tests) 125ms
+ ✓  node  test/server/password-protection-service.test.ts (22 tests) 117ms
+ ✓  node  test/utils/match-url.test.ts (10 tests) 36ms
+ ✓  node  test/sdk/localization/bindingSelector.test.ts (18 tests) 28ms
+ ✓  node  test/pages/api/unlock.test.ts (15 tests) 856ms
+     ✓ returns 405 for non-POST requests  613ms
 stderr | test/components/search/SearchInputComponent.test.tsx
 Warning: forwardRef render functions accept exactly two parameters: props and ref. Did you forget to use the ref parameter?
 
@@ -82,17 +316,17 @@ Warning: React does not recognize the `providerProps` prop on a DOM element. If
     at Suspense
     at Wrapper (/home/runner/work/faststore/faststore/packages/core/test/components/search/SearchInputComponent.test.tsx:106:20)
 
- ✓  node  test/components/search/SearchInputComponent.test.tsx (6 tests) 372ms
- ✓  node  test/utils/cookieCacheBusting.test.ts (10 tests) 50ms
- ✓  node  test/sdk/search/useSearchHistory.test.ts (13 tests) 244ms
- ✓  node  test/sdk/localization/useBindingSelector.test.tsx (12 tests) 71ms
- ✓  node  test/utils/clearCookies.test.ts (20 tests) 98ms
- ✓  node  test/utils/multipleTemplates.test.ts (8 tests) 37ms
+ ✓  node  test/components/search/SearchInputComponent.test.tsx (6 tests) 242ms
+ ✓  node  test/sdk/localization/useBindingSelector.test.tsx (12 tests) 25ms
+ ✓  node  test/sdk/search/useSearchHistory.test.ts (13 tests) 185ms
+ ✓  node  test/utils/cookieCacheBusting.test.ts (10 tests) 53ms
+ ✓  node  test/utils/clearCookies.test.ts (20 tests) 148ms
+ ✓  node  test/utils/multipleTemplates.test.ts (8 tests) 31ms
 stderr | test/sdk/account/useSetPassword.test.ts > useSetPassword > maps wrongcredentials error responses to the existing message
 Set password request failed: Bad Request
 
- ✓  node  test/sdk/account/useSetPassword.test.ts (6 tests) 247ms
- ✓  node  test/sdk/orderEntry/useOrderEntryOperation.test.ts (8 tests) 89ms
+ ✓  node  test/sdk/account/useSetPassword.test.ts (6 tests) 113ms
+ ✓  node  test/sdk/orderEntry/useOrderEntryOperation.test.ts (8 tests) 84ms
 stderr | test/pages/api/graphql.test.ts > /api/graphql error status propagation > propagates the upstream 400 from a wrapped BadRequestError instead of 500
 Graphql execution returned with error:  [
   {
@@ -139,27 +373,29 @@ Warning: React does not recognize the `providerProps` prop on a DOM element. If
   { message: 'bad', status: 400, type: 'BadRequestError' }
 ]
 
- ✓  node  test/pages/api/graphql.test.ts (10 tests) 59ms
- ✓  node  test/sdk/orderEntry/useOrderEntryUpload.test.ts (8 tests) 81ms
- ✓  node  test/sdk/orderEntry/useOrderEntry.test.ts (8 tests) 62ms
- ✓  node  test/sdk/orderEntry/useOrderFormItems.test.ts (7 tests) 41ms
- ✓  node  test/server/cms/global.test.ts (3 tests) 5ms
- ✓  node  test/server/index.test.ts (7 tests) 862ms
-       ✓ should exist with its plugins  303ms
-       ✓ should handle options and execute  311ms
- ✓  node  test/server/content/service.test.ts (5 tests) 6ms
- ✓  node  test/sdk/localization/store-url.test.ts (1 test) 5ms
- ✓  node  test/utils/getRequestHostname.test.ts (12 tests) 7ms
- ✓  node  test/pages/api/preview.test.ts (2 tests) 10ms
- ✓  node  test/sdk/auth/useAuth.test.ts (5 tests) 33ms
+ ✓  node  test/pages/api/graphql.test.ts (10 tests) 24ms
+ ✓  node  test/sdk/orderEntry/useOrderEntryUpload.test.ts (8 tests) 49ms
+ ✓  node  test/sdk/orderEntry/useOrderEntry.test.ts (8 tests) 48ms
+ ✓  node  test/sdk/orderEntry/useOrderFormItems.test.ts (7 tests) 39ms
+ ✓  node  test/proxy.test.ts (4 tests) 63ms
+ ✓  node  test/server/webops-api.test.ts (9 tests) 31ms
+ ✓  node  test/server/cms/global.test.ts (3 tests) 4ms
+ ✓  node  test/server/index.test.ts (7 tests) 1124ms
+       ✓ should handle options and execute  599ms
+ ✓  node  test/server/content/service.test.ts (5 tests) 5ms
+ ✓  node  test/utils/getRequestHostname.test.ts (12 tests) 5ms
+ ✓  node  test/sdk/localization/store-url.test.ts (1 test) 4ms
+ ✓  node  test/sdk/auth/useAuth.test.ts (5 tests) 32ms
  ✓  node  test/utils/validateSessionRefreshToken.test.ts (6 tests) 5ms
+ ✓  node  test/pages/api/preview.test.ts (2 tests) 10ms
  ✓  node  test/components/search/SearchInput.test.ts (6 tests) 8ms
- ✓  node  test/utils/isLocalHost.test.ts (7 tests) 6ms
+ ✓  node  test/utils/unlockResponse.test.ts (11 tests) 5ms
+ ✓  node  test/utils/isLocalHost.test.ts (7 tests) 5ms
  ✓  node  test/server/cms/index.test.ts (2 tests) 6ms
- ✓  node  test/components/auth/ProfileChallenge.test.tsx (3 tests) 27ms
+ ✓  node  test/components/auth/ProfileChallenge.test.tsx (3 tests) 26ms
 
- Test Files  31 passed (31)
-      Tests  293 passed (293)
-   Start at  16:58:10
-   Duration  24.02s (transform 5.83s, setup 0ms, collect 19.89s, tests 2.71s, environment 32.71s, prepare 998ms)
+ Test Files  37 passed (37)
+      Tests  360 passed (360)
+   Start at  21:17:04
+   Duration  24.45s (transform 6.16s, setup 0ms, collect 17.83s, tests 5.36s, environment 32.81s, prepare 1.08s)
 

package/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [4.3.0-dev.8](https://github.com/vtex/faststore/compare/v4.3.0-dev.7...v4.3.0-dev.8) (2026-06-17)
+
+### Features
+
+- Password Protection (v4) ([#3276](https://github.com/vtex/faststore/issues/3276)) ([575f162](https://github.com/vtex/faststore/commit/575f162f6ec6fda9d3134ab61f673a897dcc2f56))
+
 # [4.3.0-dev.7](https://github.com/vtex/faststore/compare/v4.3.0-dev.6...v4.3.0-dev.7) (2026-06-17)
 
 ### Bug Fixes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@faststore/core",
-  "version": "4.3.0-dev.7",
+  "version": "4.3.0-dev.8",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -58,6 +58,7 @@
     "fs-extra": "^10.1.0",
     "idb-keyval": "^5.1.3",
     "isomorphic-unfetch": "^3.1.0",
+    "jose": "^6.2.3",
     "lexical": "^0.34.0",
     "next": "^16.2.6",
     "next-seo": "^6.6.0",
@@ -70,17 +71,19 @@
     "style-loader": "^3.3.1",
     "swr": "^2.2.5",
     "use-sync-external-store": "^1.6.0",
-    "@faststore/api": "4.3.0-dev.7",
-    "@faststore/diagnostics": "4.3.0-dev.7",
-    "@faststore/lighthouse": "4.3.0-dev.7",
-    "@faststore/ui": "4.3.0-dev.7",
-    "@faststore/sdk": "4.3.0-dev.7"
+    "@faststore/api": "4.3.0-dev.8",
+    "@faststore/diagnostics": "4.3.0-dev.8",
+    "@faststore/sdk": "4.3.0-dev.8",
+    "@faststore/ui": "4.3.0-dev.8",
+    "@faststore/lighthouse": "4.3.0-dev.8"
   },
   "devDependencies": {
     "@cypress/code-coverage": "^3.12.1",
     "@envelop/testing": "^10",
     "@testing-library/cypress": "^10.0.1",
+    "@testing-library/jest-dom": "6.9.1",
     "@testing-library/react": "14.3.1",
+    "@testing-library/user-event": "14.5.2",
     "@types/cookie": "^0.6.0",
     "@types/fs-extra": "^9.0.13",
     "@types/node": "20.19.13",

package/src/pages/api/fs/password-protection/unlock.ts

@@ -0,0 +1,123 @@
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next'
+
+import storeConfig from 'discovery.config'
+
+import type { UnlockResponse } from 'src/utils/unlockResponse'
+import {
+  sessionUrl,
+  passwordProtectionTimeouts,
+} from 'src/server/password-protection/webops-api'
+import {
+  COOKIE_NAME,
+  TOKEN_TTL_SECONDS,
+} from 'src/server/password-protection-service'
+
+interface WebOpsSessionPayload {
+  valid: boolean
+  token?: string
+}
+
+const isSafeReturnToPath = (value: string): boolean => {
+  return value.startsWith('/') && !value.startsWith('//')
+}
+
+const isWebOpsSessionPayload = (
+  data: unknown
+): data is WebOpsSessionPayload => {
+  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
+    return false
+  }
+
+  const payload = data as Record<string, unknown>
+
+  return (
+    typeof payload.valid === 'boolean' &&
+    (payload.token === undefined || typeof payload.token === 'string')
+  )
+}
+
+const handler: NextApiHandler<UnlockResponse> = async (
+  request: NextApiRequest,
+  response: NextApiResponse<UnlockResponse>
+) => {
+  if (request.method !== 'POST') {
+    response.status(405).end()
+    return
+  }
+
+  const storeId = storeConfig.api.storeId
+
+  try {
+    const { password } = request.body ?? {}
+
+    if (!password || typeof password !== 'string') {
+      response.status(400).json({
+        success: false,
+        error: 'Password is required',
+      })
+      return
+    }
+
+    const webopsResponse = await fetch(sessionUrl(), {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ storeId, password }),
+      signal: AbortSignal.timeout(passwordProtectionTimeouts.defaultMs),
+    })
+
+    if (!webopsResponse.ok) {
+      if (webopsResponse.status === 401 || webopsResponse.status === 403) {
+        response.status(401).json({
+          success: false,
+          error: 'Invalid password',
+        })
+        return
+      }
+
+      response.status(503).json({
+        success: false,
+        error: 'Service temporarily unavailable',
+      })
+      return
+    }
+
+    const data: unknown = await webopsResponse.json()
+
+    if (!isWebOpsSessionPayload(data)) {
+      response.status(500).json({
+        success: false,
+        error: 'Internal server error',
+      })
+      return
+    }
+
+    if (data.valid && data.token) {
+      const returnTo =
+        typeof request.query.returnTo === 'string'
+          ? request.query.returnTo
+          : '/'
+      const sanitizedReturnTo = isSafeReturnToPath(returnTo) ? returnTo : '/'
+
+      response.setHeader('Set-Cookie', [
+        `${COOKIE_NAME}=${data.token}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${TOKEN_TTL_SECONDS}`,
+      ])
+
+      response.status(200).json({
+        success: true,
+        redirectUrl: sanitizedReturnTo,
+      })
+    } else {
+      response.status(401).json({
+        success: false,
+        error: 'Invalid password',
+      })
+    }
+  } catch {
+    response.status(503).json({
+      success: false,
+      error: 'Service temporarily unavailable',
+    })
+  }
+}
+
+export default handler

package/src/pages/password-protection/index.tsx

@@ -0,0 +1,93 @@
+import { Button, InputField } from '@faststore/ui'
+import Head from 'next/head'
+import { useRouter } from 'next/router'
+import { type FormEvent, useState } from 'react'
+
+import { isUnlockResponse } from '../../utils/unlockResponse'
+import styles from './password-protection.module.scss'
+
+export default function PasswordProtectionLogin() {
+  const router = useRouter()
+  const returnTo =
+    typeof router.query.returnTo === 'string' ? router.query.returnTo : '/'
+
+  const [password, setPassword] = useState('')
+  const [error, setError] = useState('')
+  const [loading, setLoading] = useState(false)
+
+  const handleSubmit = async (e: FormEvent) => {
+    e.preventDefault()
+    setLoading(true)
+    setError('')
+
+    try {
+      const url = new URL(
+        '/api/fs/password-protection/unlock',
+        globalThis.location.origin
+      )
+      url.searchParams.set('returnTo', returnTo)
+
+      const response = await fetch(url.toString(), {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ password }),
+      })
+
+      const data: unknown = await response.json()
+
+      if (!isUnlockResponse(data)) {
+        setError('Service temporarily unavailable')
+        return
+      }
+
+      if (data.success && data.redirectUrl) {
+        globalThis.location.href = data.redirectUrl
+      } else {
+        setError(data.error ?? 'Invalid password')
+      }
+    } catch {
+      setError('Service temporarily unavailable')
+    } finally {
+      setLoading(false)
+    }
+  }
+
+  return (
+    <div className={styles.fsPasswordProtection}>
+      <Head>
+        <meta name="robots" content="noindex,nofollow" />
+      </Head>
+      <div className={styles.page}>
+        <h1 className={styles.title}>This store is password protected</h1>
+
+        <h2 className={styles.subtitle}>
+          Enter the password to access the store
+        </h2>
+
+        <form className={styles.form} onSubmit={handleSubmit}>
+          <InputField
+            id="password-protection-input"
+            label="Password"
+            type="password"
+            value={password}
+            onChange={(e) => setPassword(e.target.value)}
+            placeholder="Enter password"
+            autoComplete="current-password"
+            required
+            disabled={loading}
+            error={error || undefined}
+          />
+          <Button
+            type="submit"
+            variant="primary"
+            size="small"
+            disabled={loading}
+            loading={loading}
+          >
+            Unlock
+          </Button>
+        </form>
+      </div>
+    </div>
+  )
+}