@openmrs/esm-app-shell 9.0.3-pre.4533 → 9.0.3-pre.4550

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openmrs/esm-app-shell",
-  "version": "9.0.3-pre.4533",
+  "version": "9.0.3-pre.4550",
   "license": "MPL-2.0",
   "main": "dist/openmrs.js",
   "scripts": {
@@ -35,8 +35,8 @@
   "dependencies": {
     "@carbon/react": "^1.92.1",
     "@internationalized/date": "^3.8.0",
-    "@openmrs/esm-framework": "9.0.3-pre.4533",
-    "@openmrs/esm-styleguide": "9.0.3-pre.4533",
+    "@openmrs/esm-framework": "9.0.3-pre.4550",
+    "@openmrs/esm-styleguide": "9.0.3-pre.4550",
     "@rspack/cli": "1.7.9",
     "@rspack/core": "1.7.9",
     "dayjs": "^1.11.13",
@@ -44,7 +44,6 @@
     "html-webpack-plugin": "5.6.6",
     "i18next": "^25.5.3",
     "i18next-browser-languagedetector": "^8.2.0",
-    "import-map-overrides": "^3.0.0",
     "lodash-es": "^4.17.21",
     "mini-css-extract-plugin": "2.9.1",
     "react": "^18.3.1",

package/rspack.config.js

@@ -30,7 +30,40 @@ const openmrsPublicPath = removeTrailingSlash(process.env.OMRS_PUBLIC_PATH || '/
 const openmrsProxyTarget = process.env.OMRS_PROXY_TARGET || 'https://dev3.openmrs.org/';
 const openmrsPageTitle = process.env.OMRS_PAGE_TITLE || 'OpenMRS';
 const openmrsFavicon = process.env.OMRS_FAVICON || `${openmrsPublicPath}/favicon.ico`;
-const openmrsEnvironment = process.env.OMRS_ENV || process.env.NODE_ENV || '';
+/**
+ * Resolves the target environment from OMRS_ENV, falling back to NODE_ENV / build mode.
+ *
+ * Accepts aliases ("prod" → "production", "dev" → "development") and defaults
+ * to "production" when nothing is set — so dev features are never accidentally
+ * enabled in an unconfigured build.
+ *
+ * @param {string} buildMode rspack/webpack build mode ("production" | "development")
+ * @returns {"production" | "development" | "test"}
+ */
+function resolveEnvironment(buildMode) {
+  const raw = process.env.OMRS_ENV;
+
+  if (raw) {
+    switch (raw) {
+      case 'production':
+      case 'prod':
+        return 'production';
+      case 'development':
+      case 'dev':
+        return 'development';
+      case 'test':
+        return 'test';
+      default:
+        console.warn(`Unknown OMRS_ENV value "${raw}", defaulting to "production".`);
+        return 'production';
+    }
+  }
+
+  // No explicit OMRS_ENV — derive from NODE_ENV or build mode.
+  // Only "development" is treated as development; everything else is production.
+  const fallback = process.env.NODE_ENV || buildMode || '';
+  return fallback === 'development' ? 'development' : 'production';
+}
 const openmrsOffline = process.env.OMRS_OFFLINE === 'enable';
 const openmrsDefaultLocale = process.env.OMRS_ESM_DEFAULT_LOCALE || 'en';
 const openmrsImportmapDef = process.env.OMRS_ESM_IMPORTMAP;
@@ -107,6 +140,7 @@ module.exports = (env, argv = []) => {
   const mode = argv.mode || process.env.NODE_ENV || production;
   const outDir = mode === production ? 'dist' : 'lib';
   const isProd = mode === 'production';
+  const openmrsEnvironment = resolveEnvironment(mode);
   const appPatterns = [];
 
   const coreImportmap = {

package/src/index.ts

@@ -1,4 +1,3 @@
-import 'import-map-overrides';
 import type { SpaConfig } from '@openmrs/esm-framework/src/internal';
 
 function _createSpaBase(baseUrl: string) {
@@ -27,27 +26,53 @@ function setupPaths(config: SpaConfig) {
     );
   }
 
-  window.openmrsBase = config.apiUrl;
-  window.spaBase = config.spaPath;
-  window.spaEnv = config.env || 'production';
-  window.spaVersion = process.env.BUILD_VERSION ?? 'local';
+  // Object.defineProperty used to make these read-only
+  Object.defineProperty(window, 'openmrsBase', {
+    value: config.apiUrl,
+    writable: false,
+    configurable: false,
+  });
+  Object.defineProperty(window, 'spaBase', {
+    value: config.spaPath,
+    writable: false,
+    configurable: false,
+  });
+  Object.defineProperty(window, 'spaEnv', {
+    value: config.env || 'production',
+    writable: false,
+    configurable: false,
+  });
+  Object.defineProperty(window, 'spaVersion', {
+    value: process.env.BUILD_VERSION ?? 'local',
+    writable: false,
+    configurable: false,
+  });
+
   const spaBaseWithSlash = window.spaBase.endsWith('/') ? window.spaBase : window.spaBase + '/';
-  window.getOpenmrsSpaBase = _createSpaBase(spaBaseWithSlash);
+  Object.defineProperty(window, 'getOpenmrsSpaBase', {
+    value: _createSpaBase(spaBaseWithSlash),
+    writable: false,
+    configurable: false,
+  });
 }
 
 export function setupUtils() {
-  window.copyText = (source: HTMLElement) => {
-    const sel = window.getSelection();
+  Object.defineProperty(window, 'copyText', {
+    value: (source: HTMLElement) => {
+      const sel = window.getSelection();
 
-    if (sel) {
-      const r = document.createRange();
-      r.selectNode(source);
-      sel.removeAllRanges();
-      sel.addRange(r);
-      document.execCommand('copy');
-      sel.removeAllRanges();
-    }
-  };
+      if (sel) {
+        const r = document.createRange();
+        r.selectNode(source);
+        sel.removeAllRanges();
+        sel.addRange(r);
+        document.execCommand('copy');
+        sel.removeAllRanges();
+      }
+    },
+    writable: false,
+    configurable: false,
+  });
 }
 
 function wireSpaPaths() {
@@ -58,15 +83,21 @@ function wireSpaPaths() {
   __webpack_public_path__ = baseHref;
 }
 
+let initPromise: Promise<void> | null = null;
+
 /**
  * Initializes the OpenMRS Frontend App Shell.
  * @param config The global configuration to apply.
  */
 function initializeSpa(config: SpaConfig) {
+  if (initPromise) {
+    return initPromise;
+  }
+
   setupUtils();
   setupPaths(config);
   wireSpaPaths();
-  return Promise.resolve(__webpack_init_sharing__('default')).then(async () => {
+  initPromise = Promise.resolve(__webpack_init_sharing__('default')).then(async () => {
     const shareScope = __webpack_share_scopes__.default;
     // MF will deduplicate these as they're aliased at build time, but at runtime
     // apps try to load `@openmrs/esm-framework`, so here we provide a runtime
@@ -76,11 +107,20 @@ function initializeSpa(config: SpaConfig) {
     }
 
     const { configUrls = [], offline = false } = config;
-    window.offlineEnabled = offline;
+    Object.defineProperty(window, 'offlineEnabled', {
+      value: offline,
+      writable: false,
+      configurable: false,
+    });
 
     const { run } = await import(/* webpackPreload: true */ './run');
     return run(configUrls);
   });
+  return initPromise;
 }
 
-window.initializeSpa = initializeSpa;
+Object.defineProperty(window, 'initializeSpa', {
+  value: initializeSpa,
+  writable: false,
+  configurable: false,
+});

package/src/locale.ts

@@ -11,7 +11,12 @@ import {
 registerTranslationNamespace('core');
 
 export function setupI18n() {
-  const i18n = (window.i18next = i18next.default || i18next);
+  const i18n = i18next.default || i18next;
+  Object.defineProperty(window, 'i18next', {
+    value: i18n,
+    writable: false,
+    configurable: false,
+  });
 
   const languageChangeObserver = new MutationObserver(() => {
     i18n.changeLanguage().catch((e) => console.error('i18next failed to re-detect language', e));

package/src/run.ts

@@ -2,19 +2,17 @@ import { start, triggerAppChange } from 'single-spa';
 import { type CalendarIdentifier } from '@internationalized/date';
 import {
   activateOfflineCapability,
-  canAccessStorage,
   dispatchConnectivityChanged,
   dispatchPrecacheStaticDependencies,
   type ExtensionDefinition,
   finishRegisteringAllApps,
   fireOpenmrsEvent,
   getConfig,
+  getCurrentPageMap,
+  getCurrentRouteMap,
   getCurrentUser,
   integrateBreakpoints,
   interpolateUrl,
-  isOpenmrsAppRoutes,
-  isOpenmrsRoutes,
-  localStorageRoutesPrefix,
   messageOmrsServiceWorker,
   openmrsFetch,
   provide,
@@ -30,7 +28,9 @@ import {
   restBaseUrl,
   setupApiModule,
   setupHistory,
+  setupImportMapOverrides,
   setupModals,
+  setupRouteMapOverrides,
   showActionableNotification,
   showNotification,
   showSnackbar,
@@ -43,8 +43,6 @@ import {
   subscribeToastShown,
   tryRegisterExtension,
   type Config,
-  type OpenmrsAppRoutes,
-  type OpenmrsRoutes,
   type StyleguideConfigObject,
 } from '@openmrs/esm-framework/src/internal';
 import { setupI18n } from './locale';
@@ -65,106 +63,21 @@ const REGISTRATION_PROMISES = Symbol('openmrs_registration_promises');
  * as the registry of all apps in the application.
  */
 async function setupApps() {
-  const scriptTags = document.querySelectorAll<HTMLScriptElement>("script[type='openmrs-routes']");
-
-  const promises: Array<Promise<OpenmrsRoutes>> = [];
-  for (let i = 0; i < scriptTags.length; i++) {
-    promises.push(
-      (async (scriptTag) => {
-        let routes: OpenmrsRoutes | undefined = undefined;
-        try {
-          if (scriptTag.textContent) {
-            routes = JSON.parse(scriptTag.textContent) as OpenmrsRoutes;
-          } else if (scriptTag.src) {
-            routes = (await openmrsFetch<OpenmrsRoutes>(scriptTag.src)).data;
-          }
-        } catch (e) {
-          console.error(`Caught error while loading routes from ${scriptTag.src ?? 'JSON script tag content'}`, e);
-
-          return {};
-        }
-
-        return Promise.resolve(routes ?? {});
-      })(scriptTags.item(i)),
-    );
-  }
-
-  if (canAccessStorage()) {
-    // load routes overrides from localStorage if any
-    const localStorage = window.localStorage;
-    for (let i = 0; i < localStorage.length; i++) {
-      const key = localStorage.key(i);
-      if (key?.startsWith(localStorageRoutesPrefix)) {
-        const localOverride = localStorage.getItem(key);
-        if (localOverride) {
-          try {
-            const maybeOpenmrsRoutes = JSON.parse(localOverride);
-            if (isOpenmrsAppRoutes(maybeOpenmrsRoutes)) {
-              promises.push(
-                Promise.resolve<OpenmrsRoutes>({
-                  [key.slice(localStorageRoutesPrefix.length)]: maybeOpenmrsRoutes,
-                }),
-              );
-            } else if (typeof maybeOpenmrsRoutes === 'string' && maybeOpenmrsRoutes.startsWith('http')) {
-              promises.push(
-                openmrsFetch<OpenmrsAppRoutes>(maybeOpenmrsRoutes)
-                  .then((response) => {
-                    if (isOpenmrsAppRoutes(response.data)) {
-                      return Promise.resolve({
-                        [key.slice(localStorageRoutesPrefix.length)]: response.data,
-                      });
-                    }
-
-                    return Promise.reject(
-                      `${maybeOpenmrsRoutes} did not resolve to a valid OpenmrsAppRoutes JSON object`,
-                    );
-                  })
-                  .catch((reason) => {
-                    console.warn(
-                      `Failed to fetch route overrides for ${key.slice(localStorageRoutesPrefix.length)}`,
-                      reason,
-                    );
-
-                    // still fail the promise
-                    throw reason;
-                  }),
-              );
-            } else {
-              console.warn(
-                `Route override for ${key.slice(
-                  localStorageRoutesPrefix.length,
-                )} could not be handled as it was neither a JSON object nor a URL string`,
-                localOverride,
-              );
-            }
-          } catch (e) {
-            console.error(`Error parsing local route override for ${key}`, e);
-          }
-        }
-      }
-    }
-  }
-
-  const routes: OpenmrsRoutes = (await Promise.allSettled(promises))
-    .filter((p) => p.status === 'fulfilled')
-    .map((p) => (p as PromiseFulfilledResult<OpenmrsRoutes>).value)
-    .filter(isOpenmrsRoutes)
-    .reduce(
-      (accumulatedRoutes, routes) => ({
-        ...accumulatedRoutes,
-        ...routes,
-      }),
-      {},
-    );
+  await setupRouteMapOverrides();
+  const routes = await getCurrentRouteMap();
 
   const modules: typeof window.installedModules = [];
-  const registrationPromises = Object.entries(routes).map(async ([module, routes]) => {
-    modules.push([module, routes]);
-    registerApp(module, routes);
+  const registrationPromises = Object.entries(routes).map(async ([module, appRoutes]) => {
+    modules.push([module, appRoutes]);
+    registerApp(module, appRoutes);
   });
 
   window[REGISTRATION_PROMISES] = Promise.all(registrationPromises);
-  window.installedModules = modules;
+  Object.defineProperty(window, 'installedModules', {
+    value: modules,
+    writable: false,
+    configurable: false,
+  });
 }
 
 /**
@@ -385,7 +298,7 @@ async function precacheGlobalStaticDependencies() {
 }
 
 async function precacheImportMap() {
-  const importMap = await window.importMapOverrides.getCurrentPageMap();
+  const importMap = await getCurrentPageMap();
   await messageOmrsServiceWorker({
     type: 'onImportMapChanged',
     importMap,
@@ -409,6 +322,8 @@ function setupOfflineCssClasses() {
 }
 
 export function run(configUrls: Array<string>) {
+  setupImportMapOverrides();
+
   const offlineEnabled = window.offlineEnabled;
   const closeLoading = showLoadingSpinner();
   const provideConfigs = createConfigLoader(configUrls);
@@ -441,7 +356,7 @@ export function run(configUrls: Array<string>) {
 
     return polyfillReady
       .then(setupApps)
-      .then(() => finishRegisteringAllApps())
+      .then(() => Promise.resolve(finishRegisteringAllApps()))
       .then(offlineEnabled ? setupOfflineCssClasses : undefined)
       .then(offlineEnabled ? registerOfflineHandlers : undefined)
       .then(provideConfigs)

package/src/service-worker/message.ts

@@ -47,6 +47,21 @@ async function registerDynamicRoute({ pattern, url, strategy }: RegisterDynamicR
  * @param event The event data containing the message dispatched to the Service Worker.
  */
 export async function handleMessage(event: ExtendableMessageEvent) {
+  // Defense-in-depth: only process messages from same-origin Client sources.
+  // Reject messages with no source or from cross-origin sources.
+  if (!event.source || !('url' in event.source)) {
+    return;
+  }
+  let sourceOrigin: string;
+  try {
+    sourceOrigin = new URL(event.source.url).origin;
+  } catch {
+    return;
+  }
+  if (sourceOrigin !== self.location.origin) {
+    return;
+  }
+
   const handler = messageHandlers[event.data?.type?.toString() ?? ''];
 
   if (!handler) {

package/tsconfig.json

@@ -6,7 +6,7 @@
     "allowSyntheticDefaultImports": true,
     "jsx": "react",
     "strictNullChecks": true,
-    "moduleResolution": "node",
+    "moduleResolution": "bundler",
     "lib": [
       "dom",
       "es5",