@faststore/core 4.3.0-dev.7 → 4.3.0

package/src/pages/password-protection/password-protection.module.scss

@@ -0,0 +1,43 @@
+@use "sass:meta";
+
+@layer components {
+  .fsPasswordProtection {
+    @include meta.load-css("~@faststore/ui/src/components/atoms/Button/styles.scss");
+    @include meta.load-css("~@faststore/ui/src/components/atoms/Input/styles.scss");
+    @include meta.load-css("~@faststore/ui/src/components/atoms/Loader/styles.scss");
+    @include meta.load-css("~@faststore/ui/src/components/molecules/InputField/styles.scss");
+  }
+}
+
+.page {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  padding: var(--fs-spacing-3);
+}
+
+.title {
+  margin: 0 0 var(--fs-spacing-6) 0;
+  font-size: var(--fs-text-size-title-section);
+  font-weight: var(--fs-text-weight-bold);
+}
+
+.subtitle {
+  margin: 0 0 var(--fs-spacing-3) 0;
+  font-size: var(--fs-text-size-body);
+}
+
+.form {
+  display: flex;
+  flex-direction: column;
+  gap: var(--fs-spacing-2);
+  align-items: stretch;
+  width: 100%;
+  max-width: 20rem;
+
+  button {
+    align-self: center;
+  }
+}

package/src/proxy.ts

@@ -7,6 +7,8 @@ import {
   isValidLocale,
 } from 'src/utils/localization/bindingPaths'
 
+import { PasswordProtectionService } from './server/password-protection-service'
+
 type RewriteRule = {
   regex: RegExp
   locale: string
@@ -93,7 +95,7 @@ function rewriteSubdomainRequest(
   return null
 }
 
-export function proxy(request: NextRequest) {
+function localizationRewrite(request: NextRequest): NextResponse {
   if (!storeConfig.localization?.enabled) {
     return NextResponse.next()
   }
@@ -146,9 +148,52 @@ export function proxy(request: NextRequest) {
   return NextResponse.next()
 }
 
+export async function proxy(request: NextRequest) {
+  let storeProtectionResult: Awaited<
+    ReturnType<PasswordProtectionService['checkStoreProtection']>
+  >
+
+  try {
+    const protectionService = new PasswordProtectionService()
+    storeProtectionResult =
+      await protectionService.checkStoreProtection(request)
+  } catch {
+    return NextResponse.error()
+  }
+
+  if (storeProtectionResult.response.status !== 200) {
+    return storeProtectionResult.response
+  }
+
+  const response = localizationRewrite(request)
+
+  for (const cookie of storeProtectionResult.response.cookies.getAll()) {
+    response.cookies.set(cookie)
+  }
+
+  return response
+}
+
 export const config = {
   matcher: [
-    '/((?!api|_next/static|_next/image|favicon.ico|.*\\.[^/]+$).*)',
+    /*
+     * Explicit root entry. Required because Next.js' negative-lookahead
+     * matcher pattern does not catch `/` on its own (the trailing `(.*)`
+     * makes path-to-regexp treat the root as unmatched). Without this,
+     * password protection silently bypasses the homepage.
+     * See: https://github.com/vercel/next.js/issues/62078
+     */
+    '/',
+    /*
+     * Match all other paths. Exclude:
+     * - api/fs/password-protection/unlock (password-protection unlock endpoint)
+     * - _next/static, _next/image
+     * - favicon.ico
+     * - password-protection (password-protection page)
+     * - ~partytown (partytown scripts)
+     * - paths ending with a file extension (static assets)
+     */
+    '/((?!api/fs/password-protection/unlock$|_next/static|_next/image|favicon.ico|password-protection|~partytown|.*[.][^/]+$).*)',
     '/_next/data/:path*',
   ],
 }

package/src/server/password-protection/webops-api.ts

@@ -0,0 +1,38 @@
+import discoveryConfig from 'discovery.config'
+
+const DEFAULT_WEBOPS_ORIGIN = 'https://faststore.vtex.com'
+
+function getWebopsOrigin(): string {
+  const hostFromEnv = process.env.WEBOPS_API_URL?.trim() ?? ''
+  const hostWithoutTrailingSlash = hostFromEnv.replace(/\/+$/, '')
+  const origin =
+    hostWithoutTrailingSlash.length > 0
+      ? hostWithoutTrailingSlash
+      : DEFAULT_WEBOPS_ORIGIN
+
+  return /^https?:\/\//i.test(origin) ? origin : `https://${origin}`
+}
+
+export function publicKeyUrl(): URL {
+  return new URL('/api/v1/password-protection/public-key', getWebopsOrigin())
+}
+
+export function protectionStatusUrl(): URL {
+  const url = new URL('/api/v1/password-protection/status', getWebopsOrigin())
+  url.searchParams.set('storeId', discoveryConfig.api.storeId)
+  return url
+}
+
+export function sessionUrl(): URL {
+  return new URL('/api/v1/password-protection/session', getWebopsOrigin())
+}
+
+export function renewUrl(): URL {
+  return new URL('/api/v1/password-protection/renew', getWebopsOrigin())
+}
+
+/** Timeouts for WebOps password-protection calls (middleware / API routes). */
+export const passwordProtectionTimeouts = {
+  publicKeyMs: 5_000,
+  defaultMs: 10_000,
+} as const

package/src/server/password-protection-service.ts

@@ -0,0 +1,283 @@
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+import { jwtVerify, decodeJwt, importSPKI, errors } from 'jose'
+import type { CryptoKey } from 'jose'
+
+import storeConfig from 'discovery.config'
+
+import {
+  publicKeyUrl,
+  renewUrl,
+  protectionStatusUrl,
+  passwordProtectionTimeouts,
+} from './password-protection/webops-api'
+
+export const COOKIE_NAME = '__fs_password_protection'
+export const TOKEN_TTL_SECONDS = 10 * 60
+/** How long to reuse the RSA public key fetched from WebOps */
+const PUBLIC_KEY_CACHE_MS = 60 * 60 * 1000
+
+interface TokenPayload {
+  storeId: string
+  protected: boolean
+  passwordVersion?: string
+  scope?: string
+  exp?: number
+}
+
+interface StoreProtectionResult {
+  response: NextResponse
+}
+
+let publicKeyCache: {
+  pem: string
+  key: CryptoKey
+  fetchedAt: number
+} | null = null
+
+async function fetchPublicKeyPemFromWebOps(): Promise<string> {
+  const res = await fetch(publicKeyUrl(), {
+    signal: AbortSignal.timeout(passwordProtectionTimeouts.publicKeyMs),
+  })
+
+  if (!res.ok) {
+    throw new Error(`WebOps public-key returned ${res.status}`)
+  }
+
+  const body = (await res.json()) as { publicKey?: string }
+  const pem = body.publicKey?.trim()
+
+  if (!pem) {
+    throw new Error('WebOps public-key response missing publicKey')
+  }
+
+  return pem
+}
+
+async function getPublicVerificationKey(): Promise<CryptoKey> {
+  const now = Date.now()
+
+  if (publicKeyCache && now - publicKeyCache.fetchedAt < PUBLIC_KEY_CACHE_MS) {
+    return publicKeyCache.key
+  }
+
+  const pem = await fetchPublicKeyPemFromWebOps()
+  const key = await importSPKI(pem, 'RS256')
+  publicKeyCache = { pem, key, fetchedAt: now }
+
+  return key
+}
+
+/** Clears the cached WebOps public key (for unit tests only). */
+export function resetPasswordProtectionPublicKeyCacheForTests(): void {
+  publicKeyCache = null
+}
+
+export class PasswordProtectionService {
+  private readonly storeId: string
+
+  constructor() {
+    this.storeId = storeConfig.api.storeId
+  }
+
+  private getNormalizedHost(request: NextRequest): string {
+    const host = request.headers.get('host') || ''
+
+    if (host.startsWith('[')) {
+      const closingBracket = host.indexOf(']')
+
+      if (closingBracket !== -1) {
+        return host.slice(1, closingBracket).toLowerCase()
+      }
+    }
+
+    return host.split(':')[0].toLowerCase()
+  }
+
+  async checkStoreProtection(
+    request: NextRequest
+  ): Promise<StoreProtectionResult> {
+    if (!this.shouldCheckProtection(request)) {
+      return { response: NextResponse.next() }
+    }
+
+    const token = request.cookies.get(COOKIE_NAME)?.value
+
+    if (token) {
+      const verification = await this.verifyToken(token)
+
+      if (verification.valid && verification.payload) {
+        return { response: NextResponse.next() }
+      }
+
+      if (verification.expired && verification.payload) {
+        return await this.tryRenewSession(request, token, verification.payload)
+      }
+    }
+
+    return await this.handleProtectionCheck(request)
+  }
+
+  private shouldCheckProtection(request: NextRequest): boolean {
+    if (process.env.NODE_ENV === 'development') {
+      return false
+    }
+
+    const hostname = this.getNormalizedHost(request)
+    const isDefaultDomain = hostname.endsWith('.vtex.app')
+
+    if (isDefaultDomain) {
+      return true
+    }
+
+    return process.env.CUSTOM_DOMAINS_PROTECTION_ENABLED === 'true'
+  }
+
+  private shouldProtectDomain(request: NextRequest, scope?: string): boolean {
+    const hostname = this.getNormalizedHost(request)
+    const isDefaultDomain = hostname.endsWith('.vtex.app')
+
+    return (
+      scope === 'ALL_DOMAINS' ||
+      (scope === 'DEFAULT_DOMAINS' && isDefaultDomain) ||
+      (scope === 'CUSTOM_DOMAINS' && !isDefaultDomain)
+    )
+  }
+
+  private payloadMatchesStore(payload: TokenPayload): boolean {
+    return payload.storeId === this.storeId
+  }
+
+  private isJwtExpiredError(error: unknown): boolean {
+    return (
+      error instanceof errors.JWTExpired ||
+      (error instanceof Error && error.name === 'JWTExpired')
+    )
+  }
+
+  private async verifyToken(token: string): Promise<{
+    valid: boolean
+    expired: boolean
+    payload?: TokenPayload
+  }> {
+    try {
+      const key = await getPublicVerificationKey()
+      const { payload } = await jwtVerify(token, key)
+      const p = payload as unknown as TokenPayload
+
+      if (!this.payloadMatchesStore(p)) {
+        return { valid: false, expired: false }
+      }
+
+      return {
+        valid: true,
+        expired: false,
+        payload: p,
+      }
+    } catch (error) {
+      if (this.isJwtExpiredError(error)) {
+        const payload = decodeJwt(token) as unknown as TokenPayload
+
+        if (!this.payloadMatchesStore(payload)) {
+          return { valid: false, expired: false }
+        }
+
+        return { valid: false, expired: true, payload }
+      }
+
+      return { valid: false, expired: false }
+    }
+  }
+
+  private async tryRenewSession(
+    request: NextRequest,
+    expiredToken: string,
+    payload: TokenPayload
+  ): Promise<StoreProtectionResult> {
+    try {
+      const res = await fetch(renewUrl(), {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          storeId: this.storeId,
+          expiredToken,
+        }),
+        signal: AbortSignal.timeout(passwordProtectionTimeouts.defaultMs),
+      })
+
+      if (res.ok) {
+        const data = await res.json()
+
+        if (data.valid && data.token) {
+          const response = NextResponse.next()
+          this.setProtectionCookie(response, data.token)
+
+          return { response }
+        }
+      }
+    } catch {
+      // Fall through to redirect or fail-open below
+    }
+
+    if (!this.shouldProtectDomain(request, payload.scope)) {
+      return { response: NextResponse.next() }
+    }
+
+    return { response: this.redirectToUnlockPage(request) }
+  }
+
+  private async handleProtectionCheck(
+    request: NextRequest
+  ): Promise<StoreProtectionResult> {
+    try {
+      const res = await fetch(protectionStatusUrl(), {
+        signal: AbortSignal.timeout(passwordProtectionTimeouts.defaultMs),
+      })
+
+      if (!res.ok) {
+        return { response: this.redirectToUnlockPage(request) }
+      }
+
+      const status = await res.json()
+
+      if (!status.protected) {
+        const response = NextResponse.next()
+
+        if (status.token) {
+          this.setProtectionCookie(response, status.token)
+        }
+
+        return { response }
+      }
+
+      if (!this.shouldProtectDomain(request, status.scope)) {
+        return { response: NextResponse.next() }
+      }
+
+      return { response: this.redirectToUnlockPage(request) }
+    } catch {
+      return { response: this.redirectToUnlockPage(request) }
+    }
+  }
+
+  private setProtectionCookie(response: NextResponse, token: string): void {
+    response.cookies.set(COOKIE_NAME, token, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'lax',
+      path: '/',
+      maxAge: TOKEN_TTL_SECONDS,
+    })
+  }
+
+  private redirectToUnlockPage(request: NextRequest): NextResponse {
+    const loginUrl = new URL('/password-protection', request.url)
+    const returnTo = `${request.nextUrl.pathname}${request.nextUrl.search}`
+    loginUrl.searchParams.set('returnTo', returnTo)
+
+    const response = NextResponse.redirect(loginUrl)
+    response.headers.set('Cache-Control', 'no-store')
+
+    return response
+  }
+}

package/src/utils/unlockResponse.ts

@@ -0,0 +1,25 @@
+export interface UnlockResponse {
+  success?: boolean
+  redirectUrl?: string
+  error?: string
+}
+
+export const isUnlockResponse = (data: unknown): data is UnlockResponse => {
+  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
+    return false
+  }
+
+  const payload = data as Record<string, unknown>
+  const hasUnlockResponseField =
+    payload.success !== undefined ||
+    payload.redirectUrl !== undefined ||
+    payload.error !== undefined
+
+  return (
+    hasUnlockResponseField &&
+    (payload.success === undefined || typeof payload.success === 'boolean') &&
+    (payload.redirectUrl === undefined ||
+      typeof payload.redirectUrl === 'string') &&
+    (payload.error === undefined || typeof payload.error === 'string')
+  )
+}