@salesforce/pwa-kit-runtime 3.11.0 → 3.12.0-dev

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/pwa-kit-runtime",
-  "version": "3.11.0",
+  "version": "3.12.0-dev",
   "description": "The PWAKit Runtime",
   "homepage": "https://github.com/SalesforceCommerceCloud/pwa-kit/tree/develop/packages/pwa-kit-runtime#readme",
   "bugs": {
@@ -46,11 +46,11 @@
   },
   "devDependencies": {
     "@loadable/component": "^5.15.3",
-    "@salesforce/pwa-kit-dev": "3.11.0",
+    "@salesforce/pwa-kit-dev": "3.12.0-dev",
     "@serverless/event-mocks": "^1.1.1",
     "aws-lambda-mock-context": "^3.2.1",
     "fs-extra": "^11.1.1",
-    "internal-lib-build": "3.11.0",
+    "internal-lib-build": "3.12.0-dev",
     "nock": "^13.3.0",
     "nodemon": "^2.0.22",
     "sinon": "^13.0.2",
@@ -58,7 +58,7 @@
     "supertest": "^4.0.2"
   },
   "peerDependencies": {
-    "@salesforce/pwa-kit-dev": "3.11.0"
+    "@salesforce/pwa-kit-dev": "3.12.0-dev"
   },
   "peerDependenciesMeta": {
     "@salesforce/pwa-kit-dev": {
@@ -72,5 +72,5 @@
   "publishConfig": {
     "directory": "dist"
   },
-  "gitHead": "ce537dc2e48c980ca78607e03125f9cccf8314c5"
+  "gitHead": "60d9a47ad71824709be52bbe1110b092f7698244"
 }

package/ssr/server/build-remote-server.js

@@ -27,6 +27,7 @@ var _awsServerlessExpress = _interopRequireDefault(require("aws-serverless-expre
 var _morgan = _interopRequireDefault(require("morgan"));
 var _loggerInstance = _interopRequireDefault(require("../../utils/logger-instance"));
 var _httpProxyMiddleware = require("http-proxy-middleware");
+var _convertExpressRoute = require("../../utils/ssr-server/convert-express-route");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
 function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
@@ -296,6 +297,17 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
     this._setCompression(app);
     this._setRequestId(app);
     // this._addEventContext(app)
+
+    // We want to remove any base paths that have made it this far.
+    // Base paths are used to route requests to the correct server.
+    // If the request has reached the server, it is no longer needed.
+    // Note: We use envBasePath as the feature flag for this middleware
+    // If envBasePath is `/`, '', or undefined when the server starts, we don't need to
+    // initialize this middleware.
+    if ((0, _ssrNamespacePaths.getEnvBasePath)()) {
+      this._setupBasePathMiddleware(app);
+    }
+
     // Ordering of the next two calls are vital - we don't
     // want request-processors applied to development views.
     this._addSDKInternalHandlers(app);
@@ -393,6 +405,122 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
       next();
     });
   },
+  /**
+   * @private
+   */
+  _setupBasePathMiddleware(app) {
+    // Cache the express route regexes to avoid re-calculating them on every request.
+    let expressRouteRegexes;
+
+    /**
+     * Remove the base path from a path.
+     *
+     * If path is like '/basepath/something', this returns '/something'
+     * If path is exactly '/basepath', this returns '/'
+     * If path doesn't start with base path or if there is no base path defined,
+     * returns the unmodified path
+     *
+     * @param path {string} the path to remove the base path from
+     * @returns {string} the path with the base path removed
+     */
+    const removeBasePathFromPath = path => {
+      const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
+      if (!basePath) {
+        return path;
+      }
+      if (path.startsWith(basePath + '/')) {
+        return path.substring(basePath.length);
+      } else if (path === basePath) {
+        return '/';
+      }
+      return path;
+    };
+
+    /**
+     * Initializes a cache of regexes that correspond to the registered express routes
+     *
+     * This specifically omits the generic wildcard from the express routes where we
+     * want to remove the base path from since it is mapped to the app render. This is
+     * because routes sent to the render are handled by React Router
+     */
+    const initializeExpressRouteRegexes = () => {
+      const expressRoutes = app._router.stack.filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
+      expressRouteRegexes = expressRoutes.map(route => (0, _convertExpressRoute.convertExpressRouteToRegex)(route));
+    };
+
+    /**
+     * Very early request processing.
+     *
+     * If the server receives a request containing the base path, remove it before allowing
+     * the request through to the other express endpoints
+     *
+     * We scope base path removal to /mobify routes and routes defined by the express app
+     * (For example /callback or /worker.js)
+     * This is to avoid affecting React Router routes where a site id or locale might be present
+     * that is equal to the base path.
+     *
+     * For example, if you have a base path of /us and a site id of /us we don't want
+     * to remove the /us from www.example.com/us/en-US/category/... as this route is handled by
+     * React Router and the PWA multisite implementation.
+     *
+     * @param req {express.req} the incoming request - modified in-place
+     * @private
+     */
+    const removeBasePathMiddleware = (req, res, next) => {
+      const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
+
+      // Fast path: /mobify routes always get the base path removed
+      if (req.path.startsWith(`${basePath}/mobify`)) {
+        const cleanPath = removeBasePathFromPath(req.path);
+        const parsed = _url.default.parse(req.url);
+        parsed.pathname = cleanPath;
+        req.url = _url.default.format(parsed);
+        return next();
+      }
+
+      // For other routes, only proceed if path actually starts with base path
+      if (!req.path.startsWith(basePath)) {
+        return next();
+      }
+
+      // Now we know path starts with base path, so we can remove it
+      const cleanPath = removeBasePathFromPath(req.path);
+
+      // Initialize express route regexes if needed
+      // We do this here since we want to ensure that any express route defined
+      // after the app is created, such as routes defined in ssr.js, are included.
+      if (!expressRouteRegexes) {
+        initializeExpressRouteRegexes();
+      }
+
+      // Next we check if the clean path matches any existing express routes
+      // (like /callback or /worker.js)
+      const matchesExpressRoute = expressRouteRegexes.some(routeRegex => {
+        try {
+          return routeRegex.test(cleanPath);
+        } catch (error) {
+          _loggerInstance.default.warn(`Invalid express route pattern: ${routeRegex}`, /* istanbul ignore next */
+          {
+            namespace: 'removeBasePathMiddleware',
+            additionalProperties: {
+              error: error
+            }
+          });
+          return false;
+        }
+      });
+
+      // Only update URL if our clean path matches an Express route
+      // This leaves React Router paths (like /en-US/category) unchanged
+      if (matchesExpressRoute) {
+        const parsed = _url.default.parse(req.url);
+        parsed.pathname = cleanPath;
+        req.url = _url.default.format(parsed);
+      }
+      next();
+    };
+    app.use(removeBasePathMiddleware);
+  },
   /**
    * @private
    */
@@ -576,8 +704,8 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
   /**
    * @private
    */
-  _handleMissingSlasPrivateEnvVar(app) {
-    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (_, res) => {
+  _handleMissingSlasPrivateEnvVar(app, slasPrivateProxyPath) {
+    app.use(slasPrivateProxyPath, (_, res) => {
       return res.status(501).json({
         message: 'Environment variable PWA_KIT_SLAS_CLIENT_SECRET not set: Please set this environment variable to proceed.'
       });
@@ -591,6 +719,15 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
     if (!options.useSLASPrivateClient) {
       return;
     }
+
+    // This is the full path to the SLAS trusted-system endpoint
+    // We want to throw an error if the regex defined options.applySLASPrivateClientToEndpoints
+    // matches this path as an early warning to developers that they should update their regex
+    // in ssr.js to exclude this path.
+    const trustedSystemPath = '/shopper/auth/v1/oauth2/trusted-system/token';
+    if (trustedSystemPath.match(options.applySLASPrivateClientToEndpoints)) {
+      throw new Error('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
+    }
     (0, _ssrServer.localDevLog)(`Proxying ${_ssrNamespacePaths.slasPrivateProxyPath} to ${options.slasTarget}`);
     const clientId = (_options$mobify2 = options.mobify) === null || _options$mobify2 === void 0 ? void 0 : (_options$mobify2$app = _options$mobify2.app) === null || _options$mobify2$app === void 0 ? void 0 : (_options$mobify2$app$ = _options$mobify2$app.commerceAPI) === null || _options$mobify2$app$ === void 0 ? void 0 : (_options$mobify2$app$2 = _options$mobify2$app$.parameters) === null || _options$mobify2$app$2 === void 0 ? void 0 : _options$mobify2$app$2.clientId;
     const clientSecret = process.env.PWA_KIT_SLAS_CLIENT_SECRET;
@@ -599,14 +736,34 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
       return;
     }
     const encodedSlasCredentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
-    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (0, _httpProxyMiddleware.createProxyMiddleware)({
+    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (req, res, next) => {
+      var _req$path, _req$path2;
+      // Check if the request should be blocked before it reaches the proxy
+      // We run this outside of the proxy middleware because modifying the response
+      // to send a 403 in the proxy causes issues with the response interceptor.
+      if (!((_req$path = req.path) !== null && _req$path !== void 0 && _req$path.match(options.slasApiPath)) || (_req$path2 = req.path) !== null && _req$path2 !== void 0 && _req$path2.match(/\/oauth2\/trusted-system/)) {
+        const message = `Request to ${req.path} is not allowed through the SLAS Private Client Proxy`;
+        _loggerInstance.default.error(message);
+        return res.status(403).json({
+          message: message
+        });
+      }
+      next();
+    }, (0, _httpProxyMiddleware.createProxyMiddleware)({
       target: options.slasTarget,
       changeOrigin: true,
-      pathRewrite: {
-        [_ssrNamespacePaths.slasPrivateProxyPath]: ''
+      // http-proxy-middleware uses the original incoming request path to determine
+      // both proxyRequest and incomingRequest paths.
+      // This cannot be modified by any express middleware
+      // So we need to use the built in pathRewrite to remove the base path
+      pathRewrite: path => {
+        const basePathRegexEntry = (0, _ssrNamespacePaths.getEnvBasePath)() ? `${(0, _ssrNamespacePaths.getEnvBasePath)()}?` : '';
+        const regex = new RegExp(`^${basePathRegexEntry}${_ssrNamespacePaths.slasPrivateProxyPath}`);
+        return path.replace(regex, '');
       },
+      selfHandleResponse: true,
       onProxyReq: (proxyRequest, incomingRequest, res) => {
-        var _incomingRequest$path, _incomingRequest$path2, _incomingRequest$path3;
+        var _incomingRequest$path, _incomingRequest$path2;
         (0, _configureProxy.applyProxyRequestHeaders)({
           proxyRequest,
           incomingRequest,
@@ -614,28 +771,41 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
           targetHost: options.slasHostName,
           targetProtocol: 'https'
         });
-
-        // We pattern match and add client secrets only to endpoints that
-        // match the regex specified by options.applySLASPrivateClientToEndpoints
-        // (see option defaults at the top of this file).
-        // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
-        // SLAS logout (/oauth2/logout), use the Authorization header for a different
-        // purpose so we don't want to overwrite the header for those calls.
-        if ((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(options.applySLASPrivateClientToEndpoints)) {
+        if ((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(/\/oauth2\/trusted-agent\/token/)) {
+          // /oauth2/trusted-agent/token endpoint auth header comes from Account Manager
+          // so the SLAS private client is sent via this special header
+          proxyRequest.setHeader('_sfdc_client_auth', encodedSlasCredentials);
+        } else if ((_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(options.applySLASPrivateClientToEndpoints)) {
+          // We pattern match and add client secrets only to endpoints that
+          // match the regex specified by options.applySLASPrivateClientToEndpoints.
+          //
+          // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
+          // SLAS logout (/oauth2/logout), use the Authorization header for a different
+          // purpose so we don't want to overwrite the header for those calls.
           proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`);
-        } else if (!((_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(options.slasApiPath))) {
-          const message = `Request to ${incomingRequest.path} is not allowed through the SLAS Private Client Proxy`;
-          _loggerInstance.default.error(message);
-          return res.status(403).json({
-            message: message
-          });
         }
+      },
+      onProxyRes: (0, _httpProxyMiddleware.responseInterceptor)((responseBuffer, proxyRes, req, res) => {
+        try {
+          var _req$path3;
+          // If the passwordless login endpoint returns a 404, which corresponds to a user
+          // email not being found, we mask it with a 200 OK response so that it is not
+          // obvious that the user does not exist.
+          // We do this to prevent user enumeration.
+          if ((_req$path3 = req.path) !== null && _req$path3 !== void 0 && _req$path3.match(/\/oauth2\/passwordless\/login/) && proxyRes.statusCode === 404) {
+            res.statusCode = 200;
+            res.statusMessage = 'OK';
 
-        // /oauth2/trusted-agent/token endpoint requires a different auth header
-        if ((_incomingRequest$path3 = incomingRequest.path) !== null && _incomingRequest$path3 !== void 0 && _incomingRequest$path3.match(/\/oauth2\/trusted-agent\/token/)) {
-          proxyRequest.setHeader('_sfdc_client_auth', encodedSlasCredentials);
+            // When a /passwordless/login endpoint response returns 200, it has no body
+            // so we return an empty body here to match an actual 200 response.
+            return Buffer.from('', 'utf8');
+          }
+          return responseBuffer;
+        } catch (error) {
+          console.error('There is an error processing the response from SLAS. Returning original response.', error);
+          return responseBuffer;
         }
-      }
+      })
     }));
   },
   /**

package/ssr/server/build-remote-server.test.js

@@ -20,6 +20,11 @@ jest.mock('aws-serverless-express', () => {
     proxy: jest.fn()
   };
 });
+jest.mock('../../utils/ssr-config', () => {
+  return {
+    getConfig: () => {}
+  };
+});
 describe('the once function', () => {
   test('should prevent a function being called more than once', () => {
     const fn = jest.fn(() => ({

package/ssr/server/express.lambda.test.js

@@ -45,6 +45,11 @@ const testPackageMobify = {
     proxyPath2: 'base2'
   }
 };
+jest.mock('../../utils/ssr-config', () => {
+  return {
+    getConfig: () => testPackageMobify
+  };
+});
 const testFixtures = path.resolve(process.cwd(), 'src/ssr/server/test_fixtures');
 
 /**

package/ssr/server/express.test.js

@@ -12,6 +12,7 @@ var _express = _interopRequireDefault(require("express"));
 var _ssrCache = require("../../utils/ssr-cache");
 var _ssrServer = require("../../utils/ssr-server");
 var ssrServerUtils = _interopRequireWildcard(require("../../utils/ssr-server/utils"));
+var ssrConfig = _interopRequireWildcard(require("../../utils/ssr-config"));
 var _buildRemoteServer = require("./build-remote-server");
 var _constants = require("./constants");
 var _express2 = require("./express");
@@ -88,6 +89,8 @@ const opts = (overrides = {}) => {
 };
 const mkdtempSync = () => _fsExtra.default.mkdtempSync(_path.default.resolve(_os.default.tmpdir(), 'ssr-server-tests-'));
 beforeAll(() => {
+  jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({});
+
   // The SSR app applies patches on creation. Those patches are specific to an
   // environment (Lambda or not) and we need to ensure that the non-lambda patches
   // are applied for testing. Creating and immediately discarding an app in
@@ -915,29 +918,70 @@ describe('DevServer middleware', () => {
 describe('SLAS private client proxy', () => {
   const savedEnvironment = _extends({}, process.env);
   let proxyApp;
+  let proxyServer;
   const proxyPort = 12345;
   const proxyPath = '/shopper/auth/responseHeaders';
   const slasTarget = `http://localhost:${proxyPort}${proxyPath}`;
+  const appConfig = {
+    mobify: {
+      app: {
+        commerceAPI: {
+          parameters: {
+            clientId: 'clientId',
+            shortCode: 'shortCode'
+          }
+        }
+      }
+    },
+    useSLASPrivateClient: true,
+    slasTarget: slasTarget
+  };
   beforeAll(() => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({});
     // by setting slasTarget, rather than forwarding the request to SLAS,
     // we send the proxy request here so we can return the request headers
     proxyApp = (0, _express.default)();
     proxyApp.use(proxyPath, (req, res) => {
       res.send(req.headers);
     });
-    proxyApp.listen(proxyPort);
+    proxyServer = proxyApp.listen(proxyPort);
   });
   afterEach(() => {
     process.env = savedEnvironment;
   });
-  afterAll(() => {
-    proxyApp.close();
-  });
+
+  // There is a lot of cleanup done here to ensure the proxy server is closed
+  // after these tests.
+  afterAll(/*#__PURE__*/_asyncToGenerator(function* () {
+    if (proxyServer) {
+      // Close the server and wait for it to fully close
+      yield new Promise(resolve => {
+        proxyServer.close(() => {
+          resolve();
+        });
+      });
+
+      // Additional cleanup to ensure all connections are closed
+      proxyServer.unref();
+
+      // Force close any remaining connections
+      if (proxyServer._handle) {
+        proxyServer._handle.close();
+      }
+
+      // Clear any remaining event listeners
+      proxyServer.removeAllListeners();
+    }
+
+    // Clear any remaining timers or intervals
+    jest.clearAllTimers();
+  }));
   test('should not create proxy by default', () => {
     const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
     return (0, _supertest.default)(app).get('/mobify/slas/private').expect(404);
   });
   test('should return HTTP 501 if PWA_KIT_SLAS_CLIENT_SECRET env var not set', () => {
+    delete process.env.PWA_KIT_SLAS_CLIENT_SECRET;
     const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
       useSLASPrivateClient: true
     }));
@@ -945,20 +989,7 @@ describe('SLAS private client proxy', () => {
   });
   test('does not insert client secret if request not for /oauth2/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/somePath').then(response => {
       expect(response.body.authorization).toBeUndefined();
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
@@ -968,20 +999,7 @@ describe('SLAS private client proxy', () => {
   test('inserts client secret if request is for /oauth2/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
     const encodedCredentials = Buffer.from('clientId:a secret').toString('base64');
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/token').then(response => {
       expect(response.body.authorization).toBe(`Basic ${encodedCredentials}`);
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
@@ -990,21 +1008,7 @@ describe('SLAS private client proxy', () => {
   }), 15000);
   test('does not add _sfdc_client_auth header if request not for /oauth2/trusted-agent/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const encodedCredentials = Buffer.from('clientId:a secret').toString('base64');
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/other-path').then(response => {
       expect(response.body._sfdc_client_auth).toBeUndefined();
     });
@@ -1029,26 +1033,169 @@ describe('SLAS private client proxy', () => {
     }));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/trusted-agent/token').then(response => {
       expect(response.body['_sfdc_client_auth']).toBe(encodedCredentials);
+      expect(response.body.authorization).toBeUndefined();
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
       expect(response.body['x-mobify']).toBe('true');
     });
   }), 15000);
   test('returns 403 if request is not for /shopper/auth endpoints', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
+    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth-admin/v1/other-path').expect(403);
+  }), 15000);
+  test('returns 403 if request is for /oauth2/trusted-system/* endpoint', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
+    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/trusted-system/token').expect(403);
+  }), 15000);
+  test('throws an error if /oauth2/trusted-system/* is included in applySLASPrivateClientToEndpoints', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+    expect(() => {
+      _buildRemoteServer.RemoteServerFactory._createApp(opts({
+        mobify: {
+          app: {
+            commerceAPI: {
+              parameters: {
+                clientId: 'clientId',
+                shortCode: 'shortCode'
+              }
             }
           }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
-    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth-admin/v1/other-path').expect(403);
+        },
+        useSLASPrivateClient: true,
+        slasTarget: slasTarget,
+        applySLASPrivateClientToEndpoints: /\/oauth2\/trusted-system/
+      }));
+    }).toThrow('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
+  }), 15000);
+  test('proxy returns a 200 OK masking a user not found error', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+
+    // Create a new mock server specifically for this test so we can mock a response from SLAS
+    const testProxyApp = (0, _express.default)();
+    const testProxyPort = 12346;
+    const testSlasTarget = `http://localhost:${testProxyPort}/shopper/auth/responseHeaders`;
+
+    // Set up the mock server to return a 404 for passwordless login
+    testProxyApp.use('/shopper/auth/responseHeaders', (req, res) => {
+      if (req.url.includes('/oauth2/passwordless/login')) {
+        res.status(404).send();
+      } else {
+        res.send(req.headers);
+      }
+    });
+    const testProxyServer = testProxyApp.listen(testProxyPort);
+    try {
+      const testAppConfig = _objectSpread(_objectSpread({}, appConfig), {}, {
+        slasTarget: testSlasTarget
+      });
+      const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(testAppConfig));
+      return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/passwordless/login').expect(200).then(response => {
+        expect(response.text).toBe('');
+      });
+    } finally {
+      // Clean up the test server
+      testProxyServer.close();
+    }
+  }));
+});
+describe('Base path tests', () => {
+  test('Base path is removed from /mobify request path and still gets through to /mobify endpoint', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+    return (0, _supertest.default)(app).get('/basepath/mobify/ping').then(response => {
+      expect(response.status).toBe(200);
+    });
+  }), 15000);
+  test('should not remove base path from non /mobify non-express routes', /*#__PURE__*/_asyncToGenerator(function* () {
+    // Set base path to something that might also be a site id used by react router routes
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/us'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+
+    // Add a middleware to capture the request path after base path processing
+    let capturedPath = null;
+    app.use((req, res, next) => {
+      capturedPath = req.path;
+      next();
+    });
+    return (0, _supertest.default)(app).get('/us/products/123').then(response => {
+      expect(response.status).toBe(404); // 404 because the route doesn't exist in express
+
+      // Verify that the base path was not removed from the request path
+      expect(capturedPath).toBe('/us/products/123');
+    });
+  }), 15000);
+  test('should remove base path from routes with path parameters', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+    app.get('/api/users/:id', (req, res) => {
+      res.status(200).json({
+        userId: req.params.id
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/api/users/123').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.userId).toBe('123');
+    });
+  }), 15000);
+  test('should remove base path from routes defined with regex', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+    app.get(/\/api\/users\/\d+/, (req, res) => {
+      // Extract the user ID from the URL path since regex routes don't create req.params automatically
+      const match = req.path.match(/\/api\/users\/(\d+)/);
+      const userId = match ? match[1] : 'unknown';
+      res.status(200).json({
+        userId: userId
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/api/users/123').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.userId).toBe('123');
+    });
+  }), 15000);
+  test('remove base path can handle multi-part base paths', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/my/base/path'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+    app.get('/api/test', (req, res) => {
+      res.status(200).json({
+        message: 'test'
+      });
+    });
+    return (0, _supertest.default)(app).get('/my/base/path/api/test').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('test');
+    });
+  }), 15000);
+  test('should handle optional characters in route pattern', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+
+    // This route is intentionally made complex to test the following:
+    // 1. Optional characters in route pattern ie. 'k?'
+    // 2. Optional characters in route pattern with groups ie. (c)?
+    // 3. Optional characters in route pattern with path parameters ie. (:param?)
+    // 4. Wildcards ie. '*'
+    app.get('/callba(c)?k?*/:param?', (req, res) => {
+      res.status(200).json({
+        message: 'test'
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/callback').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('test');
+    });
   }), 15000);
 });

package/utils/middleware/security.js

@@ -26,16 +26,18 @@ const defaultPwaKitSecurityHeaders = (req, res, next) => {
   /** CSP-compatible origin for Runtime Admin. */
   // localhost doesn't include a protocol because different browsers behave differently :\
   const runtimeAdmin = (0, _ssrServer.isRemote)() ? 'https://runtime.commercecloud.com' : 'localhost:*';
+  const siteDotCom = '*.site.com';
   /**
    * Map of directive names/values that are required for PWA Kit to work. Array values will be
    * merged with user-provided values; boolean values will replace user-provided values.
    * @type Object.<string, string[] | boolean>
    */
   const directives = {
-    'connect-src': ["'self'", runtimeAdmin],
+    'connect-src': ["'self'", runtimeAdmin, '*.salesforce-scrt.com'],
+    'frame-src': [siteDotCom],
     'frame-ancestors': [runtimeAdmin],
     'img-src': ["'self'", 'data:'],
-    'script-src': ["'self'", "'unsafe-eval'", runtimeAdmin],
+    'script-src': ["'self'", "'unsafe-eval'", runtimeAdmin, siteDotCom],
     // Always upgrade insecure requests when deployed, never upgrade on local dev server
     'upgrade-insecure-requests': (0, _ssrServer.isRemote)()
   };

package/utils/middleware/security.test.js

@@ -9,6 +9,11 @@ var _security = require("./security");
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
 
+jest.mock('../ssr-config', () => {
+  return {
+    getConfig: () => {}
+  };
+});
 describe('Content-Security-Policy enforcement', () => {
   let res;
 
@@ -38,18 +43,18 @@ describe('Content-Security-Policy enforcement', () => {
   test('adds required directives for development', () => {
     (0, _security.defaultPwaKitSecurityHeaders)({}, res, () => {});
     res.setHeader(_constants.CONTENT_SECURITY_POLICY, '');
-    expectDirectives(["connect-src 'self' localhost:*", 'frame-ancestors localhost:*', "img-src 'self' data:", "script-src 'self' 'unsafe-eval' localhost:*"]);
+    expectDirectives(["connect-src 'self' localhost:* *.salesforce-scrt.com", 'frame-src *.site.com', 'frame-ancestors localhost:*', "img-src 'self' data:", "script-src 'self' 'unsafe-eval' localhost:* *.site.com"]);
   });
   test('adds required directives for production', () => {
     mockProduction();
     (0, _security.defaultPwaKitSecurityHeaders)({}, res, () => {});
     res.setHeader(_constants.CONTENT_SECURITY_POLICY, '');
-    expectDirectives(["connect-src 'self' https://runtime.commercecloud.com", 'frame-ancestors https://runtime.commercecloud.com', "img-src 'self' data:", "script-src 'self' 'unsafe-eval' https://runtime.commercecloud.com", 'upgrade-insecure-requests']);
+    expectDirectives(["connect-src 'self' https://runtime.commercecloud.com *.salesforce-scrt.com", 'frame-ancestors https://runtime.commercecloud.com', "img-src 'self' data:", "script-src 'self' 'unsafe-eval' https://runtime.commercecloud.com *.site.com", 'upgrade-insecure-requests']);
   });
   test('merges with existing CSP directives', () => {
     (0, _security.defaultPwaKitSecurityHeaders)({}, res, () => {});
     res.setHeader(_constants.CONTENT_SECURITY_POLICY, "connect-src test:* ; script-src 'unsafe-eval' test:*");
-    expectDirectives(["connect-src test:* 'self' localhost:*", "script-src 'unsafe-eval' test:* 'self' localhost:*"]);
+    expectDirectives(["connect-src test:* 'self' localhost:* *.salesforce-scrt.com", "script-src 'unsafe-eval' test:* 'self' localhost:* *.site.com", 'frame-src *.site.com', 'frame-ancestors localhost:*', "img-src 'self' data:"]);
   });
   test('allows other CSP directives', () => {
     (0, _security.defaultPwaKitSecurityHeaders)({}, res, () => {});

package/utils/ssr-namespace-paths.js

@@ -3,9 +3,12 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.ssrNamespace = exports.slasPrivateProxyPath = exports.proxyBasePath = exports.healthCheckPath = exports.cachingBasePath = exports.bundleBasePath = void 0;
+exports.ssrNamespace = exports.slasPrivateProxyPath = exports.proxyBasePath = exports.healthCheckPath = exports.getEnvBasePath = exports.cachingBasePath = exports.bundleBasePath = void 0;
+var _ssrConfig = require("./ssr-config");
+var _loggerInstance = _interopRequireDefault(require("./logger-instance"));
+function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 /*
- * Copyright (c) 2024, salesforce.com, inc.
+ * Copyright (c) 2025, salesforce.com, inc.
  * All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
@@ -14,10 +17,12 @@ exports.ssrNamespace = exports.slasPrivateProxyPath = exports.proxyBasePath = ex
 /**
  * This file defines the /mobify paths used to set up our Express endpoints.
  *
- * If a namespace for the /mobify paths is defined, the methods in here will return the
- * namespaced path. ie. /namespace/mobify/...
+ * If a base path for the /mobify paths is defined, the methods in here will return the
+ * basepath. ie. /basepath/mobify/...
  */
 
+// The MOBIFY_PATH is defined separately in preparation for the future eventual removal or
+// replacement of the 'mobify' part of these paths
 const MOBIFY_PATH = '/mobify';
 const PROXY_PATH_BASE = `${MOBIFY_PATH}/proxy`;
 const BUNDLE_PATH_BASE = `${MOBIFY_PATH}/bundle`;
@@ -25,23 +30,49 @@ const CACHING_PATH_BASE = `${MOBIFY_PATH}/caching`;
 const HEALTHCHECK_PATH = `${MOBIFY_PATH}/ping`;
 const SLAS_PRIVATE_CLIENT_PROXY_PATH = `${MOBIFY_PATH}/slas/private`;
 
-/**
- * @private
+/*
+ * Returns the base path. This is prepended to a /mobify path.
+ * Returns an empty string if the base path is not set or is '/'.
  */
-const _getNamespace = () => {
-  // TODO - namespaces for /mobify path will be implemented at a later date.
-  // Returns an empty string for now.
-  // Below is an example of what this implementation might look like.
-  /*
-      let {namespace = ""} = getConfig()
-      namespace = typeof namespace === 'function' ? namespace() : namespace
-      return namespace
-  */
-  return '';
+const getEnvBasePath = () => {
+  const config = (0, _ssrConfig.getConfig)();
+  let basePath = (config === null || config === void 0 ? void 0 : config.envBasePath) || '';
+  if (typeof basePath !== 'string') {
+    _loggerInstance.default.warn('Invalid envBasePath configuration. No base path is applied.', {
+      namespace: 'ssr-namespace-paths.getEnvBasePath'
+    });
+    return '';
+  }
+
+  // Normalize the base path
+  basePath = basePath.trim().replace(/^\/?/, '/') // Ensure leading slash
+  .replace(/\/+/g, '/') // Normalize multiple slashes
+  .replace(/\/$/, ''); // Remove trailing slash
+
+  // Return empty string for root path or empty result
+  if (basePath === '/' || !basePath) {
+    return '';
+  }
+
+  // only allow simple, safe characters
+  // eslint-disable-next-line no-useless-escape
+  if (!/^\/[a-zA-Z0-9\-_\/]*$/.test(basePath)) {
+    _loggerInstance.default.warn('Invalid envBasePath configuration. Only letters, numbers, hyphens, underscores, and slashes allowed. No base path is applied.', {
+      namespace: 'ssr-namespace-paths.getEnvBasePath'
+    });
+    return '';
+  }
+  return basePath;
 };
-const ssrNamespace = exports.ssrNamespace = _getNamespace();
-const proxyBasePath = exports.proxyBasePath = `${ssrNamespace}${PROXY_PATH_BASE}`;
-const bundleBasePath = exports.bundleBasePath = `${ssrNamespace}${BUNDLE_PATH_BASE}`;
-const cachingBasePath = exports.cachingBasePath = `${ssrNamespace}${CACHING_PATH_BASE}`;
-const healthCheckPath = exports.healthCheckPath = `${ssrNamespace}${HEALTHCHECK_PATH}`;
-const slasPrivateProxyPath = exports.slasPrivateProxyPath = `${ssrNamespace}${SLAS_PRIVATE_CLIENT_PROXY_PATH}`;
+exports.getEnvBasePath = getEnvBasePath;
+const proxyBasePath = exports.proxyBasePath = PROXY_PATH_BASE;
+const bundleBasePath = exports.bundleBasePath = BUNDLE_PATH_BASE;
+const cachingBasePath = exports.cachingBasePath = CACHING_PATH_BASE;
+const healthCheckPath = exports.healthCheckPath = HEALTHCHECK_PATH;
+const slasPrivateProxyPath = exports.slasPrivateProxyPath = SLAS_PRIVATE_CLIENT_PROXY_PATH;
+
+/**
+ * @deprecated This variable is no longer used. This variable has always been an empty string.
+ * Use getEnvBasePath() instead. Import from @salesforce/pwa-kit-runtime/utils/ssr-namespace-paths
+ */
+const ssrNamespace = exports.ssrNamespace = '';

package/utils/ssr-namespace-paths.test.js

@@ -0,0 +1,56 @@
+"use strict";
+
+var _ssrNamespacePaths = require("./ssr-namespace-paths");
+var ssrConfig = _interopRequireWildcard(require("./ssr-config"));
+function _getRequireWildcardCache(e) { if ("function" != typeof WeakMap) return null; var r = new WeakMap(), t = new WeakMap(); return (_getRequireWildcardCache = function (e) { return e ? t : r; })(e); }
+function _interopRequireWildcard(e, r) { if (!r && e && e.__esModule) return e; if (null === e || "object" != typeof e && "function" != typeof e) return { default: e }; var t = _getRequireWildcardCache(r); if (t && t.has(e)) return t.get(e); var n = { __proto__: null }, a = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var u in e) if ("default" !== u && {}.hasOwnProperty.call(e, u)) { var i = a ? Object.getOwnPropertyDescriptor(e, u) : null; i && (i.get || i.set) ? Object.defineProperty(n, u, i) : n[u] = e[u]; } return n.default = e, t && t.set(e, n), n; }
+/*
+ * Copyright (c) 2024, Salesforce, Inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+jest.mock('./ssr-config');
+describe('ssr-namespace-paths tests', () => {
+  test('getEnvBasePath returns base path from config', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath returns empty string if no base path is set', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({});
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
+  });
+  test('getEnvBasePath returns empty string if envBasePath is not a string', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: 123
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
+  });
+  test('getEnvBasePath removes trailing slash', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample/'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath returns empty string if invalid cahracters are detected in envBasePath', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample.*'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
+  });
+  test('getEnvBasePath normalizes envBasePath', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '  //sample/  '
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath works with multiple part base path', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '//test/sample/  '
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/test/sample');
+  });
+});

package/utils/ssr-server/configure-proxy.js

@@ -10,6 +10,7 @@ var _ssrShared = require("../ssr-shared");
 var _processExpressResponse = require("./process-express-response");
 var _utils = require("./utils");
 var _loggerInstance = _interopRequireDefault(require("../logger-instance"));
+var _ssrNamespacePaths = require("../ssr-namespace-paths");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 /*
  * Copyright (c) 2022, Salesforce, Inc.
@@ -239,10 +240,13 @@ const configureProxy = ({
         (0, _processExpressResponse.processExpressResponse)(proxyResponse);
       }
     },
-    // Rewrite the request's path to remove the /mobify/proxy/...
-    // prefix.
-    pathRewrite: {
-      [`^${proxyPath}`]: ''
+    // Rewrite the request's path to remove the /mobify/proxy/... prefix.
+    // This cannot be modified by any express middleware
+    // So we need to use the built in pathRewrite to remove the base path if present
+    pathRewrite: path => {
+      const basePathRegexEntry = (0, _ssrNamespacePaths.getEnvBasePath)() ? `${(0, _ssrNamespacePaths.getEnvBasePath)()}?` : '';
+      const regex = new RegExp(`^${basePathRegexEntry}${proxyPath}`);
+      return path.replace(regex, '');
     },
     // The origin (protocol + host) to which we proxy
     target: targetOrigin

package/utils/ssr-server/convert-express-route.js

@@ -0,0 +1,126 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.convertExpressRouteToRegex = void 0;
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/**
+ * Utillty function that converts an express route pattern into a regex.
+ *
+ * This is used in build-remote-server's removeBasePathMiddleware to check
+ * whether an incoming request path will match a registered Express endpoint.
+ *
+ * @param {string} routePattern - The express route pattern to convert
+ * @returns {RegExp} - The regex that corresponds to the express route pattern
+ * @throws {Error} - If the route pattern is invalid
+ */
+const convertExpressRouteToRegex = routePattern => {
+  if (!routePattern) return null;
+  if (routePattern instanceof RegExp) return routePattern;
+  if (typeof routePattern !== 'string') return null;
+  try {
+    // If it's a string, it's an Express route pattern that needs conversion
+    // Express route patterns can contain:
+    // - Static paths: /users, /about
+    // - Route parameters: :id, :userId
+    // - Optional parameters: :id?
+    // - Regex constraints: :id(\d+)
+    // - Wildcards: *, /*
+    // - Optional characters: abc?
+    // - Optional groups: (abc)?
+
+    let regexPattern = routePattern;
+
+    // Step 1: Handle regex constraints in parameters like :param(regex)
+    // Example: /search/:query(\d+) -> /search/(\d+)
+    // Store the constraints to prevent them from being escaped later
+    const constraints = [];
+    regexPattern = regexPattern.replace(/:([^(/]+)\(([^)]+)\)/g, (match, paramName, constraint) => {
+      const constraintId = `__CONSTRAINT_${constraints.length}__`;
+      constraints.push(constraint);
+      return constraintId;
+    });
+
+    // Step 2: Handle complex optional parameter sequences first
+    // For patterns like /api/:version?/users/:id?/posts/:postId?
+    // We need to make literal segments optional when they're followed by optional parameters
+    regexPattern = regexPattern.replace(/\/([a-zA-Z0-9_-]+)\/:([^(/]+)\?/g, (match, segment, param) => `(?:/${segment}(?:/[^/]+)?)?`);
+
+    // Step 3: Handle remaining optional parameters :param?
+    // For /users/:id?, we want to match both /users and /users/123
+    // So we need to replace the entire pattern, not just the parameter
+    regexPattern = regexPattern.replace(/\/:([^(/]+)\?/g, '(?:/[^/]+)?');
+
+    // Step 4: Handle regular parameters :param
+    regexPattern = regexPattern.replace(/:([^(/]+)/g, '[^/]+');
+
+    // Step 5: Handle wildcards
+    // Express wildcards * should be converted to .* which matches everything including slashes
+    // Handle /* first, then handle standalone * (but not if it's already been converted)
+    regexPattern = regexPattern.replace(/\/\*/g, '/.*');
+    // Handle standalone * that hasn't been converted yet
+    regexPattern = regexPattern.replace(/(?<!\.)\*(?!\*)/g, '.*');
+
+    // Step 6: Handle wildcard + optional parameter combinations
+    // For example /users*/:id?
+    regexPattern = regexPattern.replace(
+    // eslint-disable-next-line no-useless-escape
+    /\.\*\/\(\?\:\/\[(\^\/)\]\+\)\?/g, '.*(?:/(?:[^/]+)?)?');
+
+    // Step 7: Handle optional groups (user|admin) -> (?:user|admin)
+    regexPattern = regexPattern.replace(/\(([^)]*\|[^)]*)\)/g, '(?:$1)');
+
+    // Step 8: Handle optional characters in literal strings
+    // For patterns like /favori?te, /colou?r, /analy?se
+    // The ? makes the preceding character optional
+    regexPattern = regexPattern.replace(/([a-zA-Z0-9])\?/g, (match, char) => `(?:${char})?`);
+
+    // Step 9: Fix double slashes that may have been created
+    regexPattern = regexPattern.replace(/\/\//g, '/');
+
+    // Step 10: Restore regex constraints without escaping
+    constraints.forEach((constraint, index) => {
+      const constraintId = `__CONSTRAINT_${index}__`;
+      regexPattern = regexPattern.replace(constraintId, `(${constraint})`);
+    });
+
+    // Step 10.5: Handle optional parameters with regex constraints
+    // For patterns like /users/:id(\d+)?, we need to make the entire constraint group optional
+    // This step must be applied after the constraints are restored but before root path handling
+    // Only apply to actual constraint groups, not already processed optional groups
+    regexPattern = regexPattern.replace(/\(([^)]+)\)\?/g, (match, content) => {
+      // Only convert if this looks like a regex constraint (contains regex patterns like \d, \w, etc.)
+      // and is not already an optional group (doesn't start with ?:)
+      if ((/\\[dwDsS]/.test(content) || /[^a-zA-Z0-9\s]/.test(content)) && !content.startsWith('?:')) {
+        return `(?:${content})?`;
+      }
+      return match;
+    });
+
+    // Step 11: Only escape literal characters that need escaping, but not regex constraints
+    // Don't escape curly braces {} as they're used in regex quantifiers
+    // eslint-disable-next-line no-useless-escape
+    regexPattern = regexPattern.replace(/[\$]/g, '\\$&');
+
+    // Step 12: Handle root path optional parameters
+    // For patterns like /:id? or /*, we need to handle the root path correctly
+    if (regexPattern === '^(?:/[^/]+)?$') {
+      // This is a root optional parameter, should match both / and /something
+      regexPattern = '^(?:/|/[^/]+)$';
+    } else if (regexPattern === '^/.*$') {
+      // This is a root wildcard, should match everything including /
+      regexPattern = '^/.*$';
+    }
+    return new RegExp(`^${regexPattern}$`);
+  } catch (error) {
+    throw new Error(`Invalid route pattern: ${routePattern}`);
+  }
+};
+exports.convertExpressRouteToRegex = convertExpressRouteToRegex;

package/utils/ssr-server/utils.test.js

@@ -9,6 +9,11 @@ function _extends() { return _extends = Object.assign ? Object.assign.bind() : f
  * SPDX-License-Identifier: BSD-3-Clause
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
+jest.mock('../ssr-config', () => {
+  return {
+    getConfig: () => {}
+  };
+});
 describe.each([[true], [false]])('Utils remote/local tests (isRemote: %p)', isRemote => {
   let originalEnv;
   const bundleId = 'test-bundle-id-12345';

package/utils/ssr-server.test.js

@@ -38,6 +38,11 @@ const baseMobify = {
     }]
   }
 };
+jest.mock('./ssr-config', () => {
+  return {
+    getConfig: () => baseMobify
+  };
+});
 let consoleLog;
 let consoleWarn;
 let consoleError;