@salesforce/pwa-kit-create-app 3.9.0-preview.2 → 3.9.0-preview.4

package/assets/bootstrap/js/config/default.js.hbs

@@ -25,7 +25,9 @@ module.exports = {
                 // Required in 'callback' mode; if missing, passwordless login defaults to 'sms' mode, which requires Marketing Cloud configuration.
                 // If the env var `PASSWORDLESS_LOGIN_CALLBACK_URI` is set, it will override the config value.
                 callbackURI:
-                    process.env.PASSWORDLESS_LOGIN_CALLBACK_URI || '/passwordless-login-callback'
+                    process.env.PASSWORDLESS_LOGIN_CALLBACK_URI || '/passwordless-login-callback',
+                // The landing path for passwordless login
+                landingPath: '/passwordless-login-landing'
             },
             social: {
                 // Enables or disables social login for the site. Defaults to: false
@@ -41,7 +43,9 @@ module.exports = {
             resetPassword: {
                 // The callback URI, which can be an absolute URL (including third-party URIs) or a relative path set up by the developer.
                 // If the env var `RESET_PASSWORD_CALLBACK_URI` is set, it will override the config value.
-                callbackURI: process.env.RESET_PASSWORD_CALLBACK_URI || '/reset-password-callback'
+                callbackURI: process.env.RESET_PASSWORD_CALLBACK_URI || '/reset-password-callback',
+                // The landing path for reset password
+                landingPath: '/reset-password-landing'
             }
         },
         // The default site for your app. This value will be used when a siteRef could not be determined from the url

package/assets/bootstrap/js/overrides/app/components/_app-config/index.jsx.hbs

@@ -27,6 +27,7 @@ import {withReactQuery} from '@salesforce/pwa-kit-react-sdk/ssr/universal/compon
 import {useCorrelationId} from '@salesforce/pwa-kit-react-sdk/ssr/universal/hooks'
 import {getAppOrigin} from '@salesforce/pwa-kit-react-sdk/utils/url'
 import {ReactQueryDevtools} from '@tanstack/react-query-devtools'
+import {DEFAULT_DNT_STATE} from '@salesforce/retail-react-app/app/constants'
 
 /**
  * Use the AppConfig component to inject extra arguments into the getProps
@@ -57,6 +58,7 @@ const AppConfig = ({children, locals = {}}) => {
             redirectURI={`${appOrigin}/callback`}
             proxy={`${appOrigin}${commerceApiConfig.proxyPath}`}
             headers={headers}
+            defaultDnt={DEFAULT_DNT_STATE}
             logger={createLogger({packageName: 'commerce-sdk-react'})}
             {{#if answers.project.commerce.isSlasPrivate}}
             // Set 'enablePWAKitPrivateClient' to true use SLAS private client login flows.

package/assets/bootstrap/js/overrides/app/ssr.js.hbs

@@ -7,22 +7,15 @@
 
 'use strict'
 
+import crypto from 'crypto'
+import express from 'express'
+import helmet from 'helmet'
+import {createRemoteJWKSet as joseCreateRemoteJWKSet, jwtVerify, decodeJwt} from 'jose'
 import path from 'path'
 import {getRuntime} from '@salesforce/pwa-kit-runtime/ssr/server/express'
 import {defaultPwaKitSecurityHeaders} from '@salesforce/pwa-kit-runtime/utils/middleware'
 import {getConfig} from '@salesforce/pwa-kit-runtime/utils/ssr-config'
-import helmet from 'helmet'
-
-import express from 'express'
-import {emailLink} from '@salesforce/retail-react-app/app/utils/marketing-cloud/marketing-cloud-email-link'
-import {
-    PASSWORDLESS_LOGIN_LANDING_PATH,
-    RESET_PASSWORD_LANDING_PATH
-} from '@salesforce/retail-react-app/app/constants'
-import {
-    validateSlasCallbackToken,
-    jwksCaching
-} from '@salesforce/retail-react-app/app/utils/jwt-utils'
+import {getAppOrigin} from '@salesforce/pwa-kit-react-sdk/utils/url'
 
 const config = getConfig()
 
@@ -62,6 +55,117 @@ const options = {
 
 const runtime = getRuntime()
 
+/**
+ * Tokens are valid for 20 minutes. We store it at the top level scope to reuse
+ * it during the lambda invocation. We'll refresh it after 15 minutes.
+ */
+let marketingCloudToken = ''
+let marketingCloudTokenExpiration = new Date()
+
+/**
+ * Generates a unique ID for the email message.
+ *
+ * @return {string} A unique ID for the email message.
+ */
+function generateUniqueId() {
+    return crypto.randomBytes(16).toString('hex')
+}
+
+/**
+ * Sends an email to a specified contact using the Marketing Cloud API. The template email must have a
+ * `%%magic-link%%` personalization string inserted.
+ * https://help.salesforce.com/s/articleView?id=mktg.mc_es_personalization_strings.htm&type=5
+ *
+ * @param {string} email - The email address of the contact to whom the email will be sent.
+ * @param {string} templateId - The ID of the email template to be used for the email.
+ * @param {string} magicLink - The magic link to be included in the email.
+ *
+ * @return {Promise<object>} A promise that resolves to the response object received from the Marketing Cloud API.
+ */
+async function sendMarketingCloudEmail(emailId, marketingCloudConfig) {
+    // Refresh token if expired
+    if (new Date() > marketingCloudTokenExpiration) {
+        const {clientId, clientSecret, subdomain} = marketingCloudConfig
+        const tokenUrl = `https://${subdomain}.auth.marketingcloudapis.com/v2/token`
+        const tokenResponse = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: {'Content-Type': 'application/json'},
+            body: JSON.stringify({
+                grant_type: 'client_credentials',
+                client_id: clientId,
+                client_secret: clientSecret
+            })
+        })
+
+        if (!tokenResponse.ok)
+            throw new Error(
+                'Failed to fetch Marketing Cloud access token. Check your Marketing Cloud credentials and try again.'
+            )
+
+        const {access_token} = await tokenResponse.json()
+        marketingCloudToken = access_token
+        // Set expiration to 15 mins
+        marketingCloudTokenExpiration = new Date(Date.now() + 15 * 60 * 1000)
+    }
+
+    // Send the email
+    const emailUrl = `https://${
+        marketingCloudConfig.subdomain
+    }.rest.marketingcloudapis.com/messaging/v1/email/messages/${generateUniqueId()}`
+    const emailResponse = await fetch(emailUrl, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${marketingCloudToken}`,
+            'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+            definitionKey: marketingCloudConfig.templateId,
+            recipient: {
+                contactKey: emailId,
+                to: emailId,
+                attributes: {'magic-link': marketingCloudConfig.magicLink}
+            }
+        })
+    })
+
+    if (!emailResponse.ok) throw new Error('Failed to send email to Marketing Cloud')
+
+    return await emailResponse.json()
+}
+
+/**
+ * Generates a unique ID, constructs an email message URL, and sends the email to the specified contact
+ * using the Marketing Cloud API.
+ *
+ * @param {string} email - The email address of the contact to whom the email will be sent.
+ * @param {string} templateId - The ID of the email template to be used for the email.
+ * @param {string} magicLink - The magic link to be included in the email.
+ *
+ * @return {Promise<object>} A promise that resolves to the response object received from the Marketing Cloud API.
+ */
+export async function emailLink(emailId, templateId, magicLink) {
+    if (!process.env.MARKETING_CLOUD_CLIENT_ID) {
+        console.warn('MARKETING_CLOUD_CLIENT_ID is not set in the environment variables.')
+    }
+
+    if (!process.env.MARKETING_CLOUD_CLIENT_SECRET) {
+        console.warn(' MARKETING_CLOUD_CLIENT_SECRET is not set in the environment variables.')
+    }
+
+    if (!process.env.MARKETING_CLOUD_SUBDOMAIN) {
+        console.warn('MARKETING_CLOUD_SUBDOMAIN is not set in the environment variables.')
+    }
+
+    const marketingCloudConfig = {
+        clientId: process.env.MARKETING_CLOUD_CLIENT_ID,
+        clientSecret: process.env.MARKETING_CLOUD_CLIENT_SECRET,
+        magicLink: magicLink,
+        subdomain: process.env.MARKETING_CLOUD_SUBDOMAIN,
+        templateId: templateId
+    }
+    return await sendMarketingCloudEmail(emailId, marketingCloudConfig)
+}
+
 const resetPasswordCallback =
     config.app.login?.resetPassword?.callbackURI || '/reset-password-callback'
 const passwordlessLoginCallback =
@@ -78,11 +182,11 @@ async function sendMagicLinkEmail(req, res, landingPath, emailTemplate, redirect
 
     // Construct the magic link URL
     let magicLink = `${base}${landingPath}?token=${encodeURIComponent(token)}`
-    if (landingPath === RESET_PASSWORD_LANDING_PATH) {
+    if (landingPath === config.app.login?.resetPassword?.landingPath) {
         // Add email query parameter for reset password flow
         magicLink += `&email=${encodeURIComponent(email_id)}`
     }
-    if (landingPath === PASSWORDLESS_LOGIN_LANDING_PATH && redirectUrl) {
+    if (landingPath === config.app.login?.passwordless?.landingPath && redirectUrl) {
         magicLink += `&redirect_url=${encodeURIComponent(redirectUrl)}`
     }
 
@@ -93,6 +197,85 @@ async function sendMagicLinkEmail(req, res, landingPath, emailTemplate, redirect
     res.send(emailLinkResponse)
 }
 
+const CLAIM = {
+    ISSUER: 'iss'
+}
+
+const DELIMITER = {
+    ISSUER: '/'
+}
+
+const throwSlasTokenValidationError = (message, code) => {
+    throw new Error(`SLAS Token Validation Error: ${message}`, code)
+}
+
+export const createRemoteJWKSet = (tenantId) => {
+    const appOrigin = getAppOrigin()
+    const {app: appConfig} = getConfig()
+    const shortCode = appConfig.commerceAPI.parameters.shortCode
+    const configTenantId = appConfig.commerceAPI.parameters.organizationId.replace(/^f_ecom_/, '')
+    if (tenantId !== configTenantId) {
+        throw new Error(
+            `The tenant ID in your PWA Kit configuration ("${configTenantId}") does not match the tenant ID in the SLAS callback token ("${tenantId}").`
+        )
+    }
+    const JWKS_URI = `${appOrigin}/${shortCode}/${tenantId}/oauth2/jwks`
+    return joseCreateRemoteJWKSet(new URL(JWKS_URI))
+}
+
+export const validateSlasCallbackToken = async (token) => {
+    const payload = decodeJwt(token)
+    const subClaim = payload[CLAIM.ISSUER]
+    const tokens = subClaim.split(DELIMITER.ISSUER)
+    const tenantId = tokens[2]
+    try {
+        const jwks = createRemoteJWKSet(tenantId)
+        const {payload} = await jwtVerify(token, jwks, {})
+        return payload
+    } catch (error) {
+        throwSlasTokenValidationError(error.message, 401)
+    }
+}
+
+const tenantIdRegExp = /^[a-zA-Z]{4}_([0-9]{3}|s[0-9]{2}|stg|dev|prd)$/
+const shortCodeRegExp = /^[a-zA-Z0-9-]+$/
+
+/**
+ *  Handles JWKS (JSON Web Key Set) caching the JWKS response for 2 weeks.
+ *
+ * @param {object} req Express request object.
+ * @param {object} res Express response object.
+ * @param {object} options Options for fetching B2C Commerce API JWKS.
+ * @param {string} options.shortCode - The Short Code assigned to the realm.
+ * @param {string} options.tenantId - The Tenant ID for the ECOM instance.
+ * @returns {Promise<*>} Promise with the JWKS data.
+ */
+export async function jwksCaching(req, res, options) {
+    const {shortCode, tenantId} = options
+
+    const isValidRequest = tenantIdRegExp.test(tenantId) && shortCodeRegExp.test(shortCode)
+    if (!isValidRequest)
+        return res
+            .status(400)
+            .json({error: 'Bad request parameters: Tenant ID or short code is invalid.'})
+    try {
+        const JWKS_URI = `https://${shortCode}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/f_ecom_${tenantId}/oauth2/jwks`
+        const response = await fetch(JWKS_URI)
+
+        if (!response.ok) {
+            throw new Error('Request failed with status: ' + response.status)
+        }
+
+        // JWKS rotate every 30 days. For now, cache response for 14 days so that
+        // fetches only need to happen twice a month
+        res.set('Cache-Control', 'public, max-age=1209600, stale-while-revalidate=86400')
+
+        return res.json(await response.json())
+    } catch (error) {
+        res.status(400).json({error: `Error while fetching data: ${error.message}`})
+    }
+}
+
 const {handler} = runtime.createHandler(options, (app) => {
     app.use(express.json()) // To parse JSON payloads
     app.use(express.urlencoded({extended: true}))
@@ -144,7 +327,7 @@ const {handler} = runtime.createHandler(options, (app) => {
             sendMagicLinkEmail(
                 req,
                 res,
-                PASSWORDLESS_LOGIN_LANDING_PATH,
+                config.app.login?.passwordless?.landingPath,
                 process.env.MARKETING_CLOUD_PASSWORDLESS_LOGIN_TEMPLATE,
                 redirectUrl
             )
@@ -161,7 +344,7 @@ const {handler} = runtime.createHandler(options, (app) => {
             sendMagicLinkEmail(
                 req,
                 res,
-                RESET_PASSWORD_LANDING_PATH,
+                config.app.login?.resetPassword?.landingPath,
                 process.env.MARKETING_CLOUD_RESET_PASSWORD_TEMPLATE
             )
         })

package/assets/templates/@salesforce/retail-react-app/app/components/_app-config/index.jsx.hbs

@@ -27,6 +27,7 @@ import {CommerceApiProvider} from '@salesforce/commerce-sdk-react'
 import {withReactQuery} from '@salesforce/pwa-kit-react-sdk/ssr/universal/components/with-react-query'
 import {useCorrelationId} from '@salesforce/pwa-kit-react-sdk/ssr/universal/hooks'
 import {ReactQueryDevtools} from '@tanstack/react-query-devtools'
+import {DEFAULT_DNT_STATE} from '@salesforce/retail-react-app/app/constants'
 
 /**
  * Use the AppConfig component to inject extra arguments into the getProps
@@ -57,6 +58,7 @@ const AppConfig = ({children, locals = {}}) => {
             redirectURI={`${appOrigin}/callback`}
             proxy={`${appOrigin}${commerceApiConfig.proxyPath}`}
             headers={headers}
+            defaultDnt={DEFAULT_DNT_STATE}
             logger={createLogger({packageName: 'commerce-sdk-react'})}
             {{#if answers.project.commerce.isSlasPrivate}}
             // Set 'enablePWAKitPrivateClient' to true use SLAS private client login flows.

package/assets/templates/@salesforce/retail-react-app/app/ssr.js.hbs

@@ -7,22 +7,15 @@
 
 'use strict'
 
+import crypto from 'crypto'
+import express from 'express'
+import helmet from 'helmet'
+import {createRemoteJWKSet as joseCreateRemoteJWKSet, jwtVerify, decodeJwt} from 'jose'
 import path from 'path'
 import {getRuntime} from '@salesforce/pwa-kit-runtime/ssr/server/express'
 import {defaultPwaKitSecurityHeaders} from '@salesforce/pwa-kit-runtime/utils/middleware'
 import {getConfig} from '@salesforce/pwa-kit-runtime/utils/ssr-config'
-import helmet from 'helmet'
-
-import express from 'express'
-import {emailLink} from '@salesforce/retail-react-app/app/utils/marketing-cloud/marketing-cloud-email-link'
-import {
-    PASSWORDLESS_LOGIN_LANDING_PATH,
-    RESET_PASSWORD_LANDING_PATH
-} from '@salesforce/retail-react-app/app/constants'
-import {
-    validateSlasCallbackToken,
-    jwksCaching
-} from '@salesforce/retail-react-app/app/utils/jwt-utils'
+import {getAppOrigin} from '@salesforce/pwa-kit-react-sdk/utils/url'
 
 const config = getConfig()
 
@@ -62,6 +55,117 @@ const options = {
 
 const runtime = getRuntime()
 
+/**
+ * Tokens are valid for 20 minutes. We store it at the top level scope to reuse
+ * it during the lambda invocation. We'll refresh it after 15 minutes.
+ */
+let marketingCloudToken = ''
+let marketingCloudTokenExpiration = new Date()
+
+/**
+ * Generates a unique ID for the email message.
+ *
+ * @return {string} A unique ID for the email message.
+ */
+function generateUniqueId() {
+    return crypto.randomBytes(16).toString('hex')
+}
+
+/**
+ * Sends an email to a specified contact using the Marketing Cloud API. The template email must have a
+ * `%%magic-link%%` personalization string inserted.
+ * https://help.salesforce.com/s/articleView?id=mktg.mc_es_personalization_strings.htm&type=5
+ *
+ * @param {string} email - The email address of the contact to whom the email will be sent.
+ * @param {string} templateId - The ID of the email template to be used for the email.
+ * @param {string} magicLink - The magic link to be included in the email.
+ *
+ * @return {Promise<object>} A promise that resolves to the response object received from the Marketing Cloud API.
+ */
+async function sendMarketingCloudEmail(emailId, marketingCloudConfig) {
+    // Refresh token if expired
+    if (new Date() > marketingCloudTokenExpiration) {
+        const {clientId, clientSecret, subdomain} = marketingCloudConfig
+        const tokenUrl = `https://${subdomain}.auth.marketingcloudapis.com/v2/token`
+        const tokenResponse = await fetch(tokenUrl, {
+            method: 'POST',
+            headers: {'Content-Type': 'application/json'},
+            body: JSON.stringify({
+                grant_type: 'client_credentials',
+                client_id: clientId,
+                client_secret: clientSecret
+            })
+        })
+
+        if (!tokenResponse.ok)
+            throw new Error(
+                'Failed to fetch Marketing Cloud access token. Check your Marketing Cloud credentials and try again.'
+            )
+
+        const {access_token} = await tokenResponse.json()
+        marketingCloudToken = access_token
+        // Set expiration to 15 mins
+        marketingCloudTokenExpiration = new Date(Date.now() + 15 * 60 * 1000)
+    }
+
+    // Send the email
+    const emailUrl = `https://${
+        marketingCloudConfig.subdomain
+    }.rest.marketingcloudapis.com/messaging/v1/email/messages/${generateUniqueId()}`
+    const emailResponse = await fetch(emailUrl, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${marketingCloudToken}`,
+            'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+            definitionKey: marketingCloudConfig.templateId,
+            recipient: {
+                contactKey: emailId,
+                to: emailId,
+                attributes: {'magic-link': marketingCloudConfig.magicLink}
+            }
+        })
+    })
+
+    if (!emailResponse.ok) throw new Error('Failed to send email to Marketing Cloud')
+
+    return await emailResponse.json()
+}
+
+/**
+ * Generates a unique ID, constructs an email message URL, and sends the email to the specified contact
+ * using the Marketing Cloud API.
+ *
+ * @param {string} email - The email address of the contact to whom the email will be sent.
+ * @param {string} templateId - The ID of the email template to be used for the email.
+ * @param {string} magicLink - The magic link to be included in the email.
+ *
+ * @return {Promise<object>} A promise that resolves to the response object received from the Marketing Cloud API.
+ */
+export async function emailLink(emailId, templateId, magicLink) {
+    if (!process.env.MARKETING_CLOUD_CLIENT_ID) {
+        console.warn('MARKETING_CLOUD_CLIENT_ID is not set in the environment variables.')
+    }
+
+    if (!process.env.MARKETING_CLOUD_CLIENT_SECRET) {
+        console.warn(' MARKETING_CLOUD_CLIENT_SECRET is not set in the environment variables.')
+    }
+
+    if (!process.env.MARKETING_CLOUD_SUBDOMAIN) {
+        console.warn('MARKETING_CLOUD_SUBDOMAIN is not set in the environment variables.')
+    }
+
+    const marketingCloudConfig = {
+        clientId: process.env.MARKETING_CLOUD_CLIENT_ID,
+        clientSecret: process.env.MARKETING_CLOUD_CLIENT_SECRET,
+        magicLink: magicLink,
+        subdomain: process.env.MARKETING_CLOUD_SUBDOMAIN,
+        templateId: templateId
+    }
+    return await sendMarketingCloudEmail(emailId, marketingCloudConfig)
+}
+
 const resetPasswordCallback =
     config.app.login?.resetPassword?.callbackURI || '/reset-password-callback'
 const passwordlessLoginCallback =
@@ -78,11 +182,11 @@ async function sendMagicLinkEmail(req, res, landingPath, emailTemplate, redirect
 
     // Construct the magic link URL
     let magicLink = `${base}${landingPath}?token=${encodeURIComponent(token)}`
-    if (landingPath === RESET_PASSWORD_LANDING_PATH) {
+    if (landingPath === config.app.login?.resetPassword?.landingPath) {
         // Add email query parameter for reset password flow
         magicLink += `&email=${encodeURIComponent(email_id)}`
     }
-    if (landingPath === PASSWORDLESS_LOGIN_LANDING_PATH && redirectUrl) {
+    if (landingPath === config.app.login?.passwordless?.landingPath && redirectUrl) {
         magicLink += `&redirect_url=${encodeURIComponent(redirectUrl)}`
     }
 
@@ -93,6 +197,85 @@ async function sendMagicLinkEmail(req, res, landingPath, emailTemplate, redirect
     res.send(emailLinkResponse)
 }
 
+const CLAIM = {
+    ISSUER: 'iss'
+}
+
+const DELIMITER = {
+    ISSUER: '/'
+}
+
+const throwSlasTokenValidationError = (message, code) => {
+    throw new Error(`SLAS Token Validation Error: ${message}`, code)
+}
+
+export const createRemoteJWKSet = (tenantId) => {
+    const appOrigin = getAppOrigin()
+    const {app: appConfig} = getConfig()
+    const shortCode = appConfig.commerceAPI.parameters.shortCode
+    const configTenantId = appConfig.commerceAPI.parameters.organizationId.replace(/^f_ecom_/, '')
+    if (tenantId !== configTenantId) {
+        throw new Error(
+            `The tenant ID in your PWA Kit configuration ("${configTenantId}") does not match the tenant ID in the SLAS callback token ("${tenantId}").`
+        )
+    }
+    const JWKS_URI = `${appOrigin}/${shortCode}/${tenantId}/oauth2/jwks`
+    return joseCreateRemoteJWKSet(new URL(JWKS_URI))
+}
+
+export const validateSlasCallbackToken = async (token) => {
+    const payload = decodeJwt(token)
+    const subClaim = payload[CLAIM.ISSUER]
+    const tokens = subClaim.split(DELIMITER.ISSUER)
+    const tenantId = tokens[2]
+    try {
+        const jwks = createRemoteJWKSet(tenantId)
+        const {payload} = await jwtVerify(token, jwks, {})
+        return payload
+    } catch (error) {
+        throwSlasTokenValidationError(error.message, 401)
+    }
+}
+
+const tenantIdRegExp = /^[a-zA-Z]{4}_([0-9]{3}|s[0-9]{2}|stg|dev|prd)$/
+const shortCodeRegExp = /^[a-zA-Z0-9-]+$/
+
+/**
+ *  Handles JWKS (JSON Web Key Set) caching the JWKS response for 2 weeks.
+ *
+ * @param {object} req Express request object.
+ * @param {object} res Express response object.
+ * @param {object} options Options for fetching B2C Commerce API JWKS.
+ * @param {string} options.shortCode - The Short Code assigned to the realm.
+ * @param {string} options.tenantId - The Tenant ID for the ECOM instance.
+ * @returns {Promise<*>} Promise with the JWKS data.
+ */
+export async function jwksCaching(req, res, options) {
+    const {shortCode, tenantId} = options
+
+    const isValidRequest = tenantIdRegExp.test(tenantId) && shortCodeRegExp.test(shortCode)
+    if (!isValidRequest)
+        return res
+            .status(400)
+            .json({error: 'Bad request parameters: Tenant ID or short code is invalid.'})
+    try {
+        const JWKS_URI = `https://${shortCode}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/f_ecom_${tenantId}/oauth2/jwks`
+        const response = await fetch(JWKS_URI)
+
+        if (!response.ok) {
+            throw new Error('Request failed with status: ' + response.status)
+        }
+
+        // JWKS rotate every 30 days. For now, cache response for 14 days so that
+        // fetches only need to happen twice a month
+        res.set('Cache-Control', 'public, max-age=1209600, stale-while-revalidate=86400')
+
+        return res.json(await response.json())
+    } catch (error) {
+        res.status(400).json({error: `Error while fetching data: ${error.message}`})
+    }
+}
+
 const {handler} = runtime.createHandler(options, (app) => {
     app.use(express.json()) // To parse JSON payloads
     app.use(express.urlencoded({extended: true}))
@@ -144,7 +327,7 @@ const {handler} = runtime.createHandler(options, (app) => {
             sendMagicLinkEmail(
                 req,
                 res,
-                PASSWORDLESS_LOGIN_LANDING_PATH,
+                config.app.login?.passwordless?.landingPath,
                 process.env.MARKETING_CLOUD_PASSWORDLESS_LOGIN_TEMPLATE,
                 redirectUrl
             )
@@ -161,7 +344,7 @@ const {handler} = runtime.createHandler(options, (app) => {
             sendMagicLinkEmail(
                 req,
                 res,
-                RESET_PASSWORD_LANDING_PATH,
+                config.app.login?.resetPassword?.landingPath,
                 process.env.MARKETING_CLOUD_RESET_PASSWORD_TEMPLATE
             )
         })

package/assets/templates/@salesforce/retail-react-app/config/default.js.hbs

@@ -26,8 +26,10 @@ module.exports = {
                 // The callback URI, which can be an absolute URL (including third-party URIs) or a relative path set up by the developer.
                 // Required in 'callback' mode; if missing, passwordless login defaults to 'sms' mode, which requires Marketing Cloud configuration.
                 // If the env var `PASSWORDLESS_LOGIN_CALLBACK_URI` is set, it will override the config value.
-                callbackURI: 
-                    process.env.PASSWORDLESS_LOGIN_CALLBACK_URI || '/passwordless-login-callback'
+                callbackURI:
+                    process.env.PASSWORDLESS_LOGIN_CALLBACK_URI || '/passwordless-login-callback',
+                // The landing path for passwordless login
+                landingPath: '/passwordless-login-landing'
             },
             social: {
                 // Enables or disables social login for the site. Defaults to: false
@@ -43,7 +45,9 @@ module.exports = {
             resetPassword: {
                 // The callback URI, which can be an absolute URL (including third-party URIs) or a relative path set up by the developer.
                 // If the env var `RESET_PASSWORD_CALLBACK_URI` is set, it will override the config value.
-                callbackURI: process.env.RESET_PASSWORD_CALLBACK_URI || '/reset-password-callback'
+                callbackURI: process.env.RESET_PASSWORD_CALLBACK_URI || '/reset-password-callback',
+                // The landing path for reset password
+                landingPath: '/reset-password-landing'
             }
         },
         // The default site for your app. This value will be used when a siteRef could not be determined from the url

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/pwa-kit-create-app",
-  "version": "3.9.0-preview.2",
+  "version": "3.9.0-preview.4",
   "description": "Salesforce's project generator tool",
   "homepage": "https://github.com/SalesforceCommerceCloud/pwa-kit/tree/develop/packages/pwa-kit-create-app#readme",
   "bugs": {
@@ -38,13 +38,13 @@
     "tar": "^6.2.1"
   },
   "devDependencies": {
-    "@salesforce/pwa-kit-dev": "3.9.0-preview.2",
-    "internal-lib-build": "3.9.0-preview.2",
+    "@salesforce/pwa-kit-dev": "3.9.0-preview.4",
+    "internal-lib-build": "3.9.0-preview.4",
     "verdaccio": "^5.22.1"
   },
   "engines": {
     "node": "^16.11.0 || ^18.0.0 || ^20.0.0 || ^22.0.0",
     "npm": "^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0"
   },
-  "gitHead": "6965aa2fc067c784660c4bb816e699789ea386c5"
+  "gitHead": "1f16c75dcb6939a4edc76bb477888239fa76357b"
 }