@salesforce/pwa-kit-runtime 3.12.0-preview.0 → 3.12.0-preview.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/pwa-kit-runtime",
-  "version": "3.12.0-preview.0",
+  "version": "3.12.0-preview.1",
   "description": "The PWAKit Runtime",
   "homepage": "https://github.com/SalesforceCommerceCloud/pwa-kit/tree/develop/packages/pwa-kit-runtime#readme",
   "bugs": {
@@ -46,11 +46,11 @@
   },
   "devDependencies": {
     "@loadable/component": "^5.15.3",
-    "@salesforce/pwa-kit-dev": "3.12.0-preview.0",
+    "@salesforce/pwa-kit-dev": "3.12.0-preview.1",
     "@serverless/event-mocks": "^1.1.1",
     "aws-lambda-mock-context": "^3.2.1",
     "fs-extra": "^11.1.1",
-    "internal-lib-build": "3.12.0-preview.0",
+    "internal-lib-build": "3.12.0-preview.1",
     "nock": "^13.3.0",
     "nodemon": "^2.0.22",
     "sinon": "^13.0.2",
@@ -58,7 +58,7 @@
     "supertest": "^4.0.2"
   },
   "peerDependencies": {
-    "@salesforce/pwa-kit-dev": "3.12.0-preview.0"
+    "@salesforce/pwa-kit-dev": "3.12.0-preview.1"
   },
   "peerDependenciesMeta": {
     "@salesforce/pwa-kit-dev": {
@@ -72,5 +72,5 @@
   "publishConfig": {
     "directory": "dist"
   },
-  "gitHead": "f79699d763ecdf8e0733e2d6c08b71487af8b15c"
+  "gitHead": "0f66d26584f98d3322bffcb70e7feed08c81cc7a"
 }

package/ssr/server/build-remote-server.js

@@ -403,78 +403,84 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
    * @private
    */
   _setupRemoveBasePathFromPathMiddleware(app) {
-    const removeBasePathFromPath = path => {
-      if (!(0, _ssrNamespacePaths.getEnvBasePath)()) return path;
-      const regex = new RegExp(`^${(0, _ssrNamespacePaths.getEnvBasePath)()}(/|$)`);
-      return path.replace(regex, '/');
-    };
-    const _convertExpressRouteToRegex = routePattern => {
-      if (!routePattern) return null;
+    // Use envBasePath as the feature flag for this middleware
+    // If envBasePath is `/`, '', or undefined when the server starts, we don't need to
+    // initialize this middleware.
+    if ((0, _ssrNamespacePaths.getEnvBasePath)()) {
+      const removeBasePathFromPath = path => {
+        const regex = new RegExp(`^${(0, _ssrNamespacePaths.getEnvBasePath)()}(/|$)`);
+        return path.replace(regex, '/');
+      };
+      const _convertExpressRouteToRegex = routePattern => {
+        if (!routePattern) return null;
+        if (routePattern instanceof RegExp) return routePattern;
+        if (typeof routePattern !== 'string') return null;
 
-      // Replace route parameters like :id with regex capture groups
-      let regexPattern = routePattern.replace(/:[^/]+/g, '[^/]+').replace(/\/\*/g, '/.*').replace(/\*/g, '.*');
+        // Replace route parameters like :id with regex capture groups
+        let regexPattern = routePattern.replace(/:[^/]+/g, '[^/]+').replace(/\/\*/g, '/.*').replace(/\*/g, '.*');
 
-      // Escape other regex special characters except those we just handled
-      regexPattern = regexPattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        // Escape other regex special characters except those we just handled
+        regexPattern = regexPattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 
-      // Unescape the patterns we want to keep
-      regexPattern = regexPattern.replace(/\\\[\\\^\/\\\]\\\+/g, '[^/]+').replace(/\\\/\\\.\\\*/g, '/.*').replace(/\\\.\\\*/g, '.*').replace(/\\\(/g, '(').replace(/\\\)/g, ')').replace(/\\\?/g, '?');
-      return new RegExp(`^${regexPattern}$`);
-    };
+        // Unescape the patterns we want to keep
+        regexPattern = regexPattern.replace(/\\\[\\\^\/\\\]\\\+/g, '[^/]+').replace(/\\\/\\\.\\\*/g, '/.*').replace(/\\\.\\\*/g, '.*').replace(/\\\(/g, '(').replace(/\\\)/g, ')').replace(/\\\?/g, '?');
+        return new RegExp(`^${regexPattern}$`);
+      };
 
-    /**
-     * Very early request processing.
-     *
-     * If the server receives a request containing the base path, remove it before allowing it through
-     *
-     * @param req {express.req} the incoming request - modified in-place
-     * @private
-     */
-    const removeBasePathFromPathMiddleware = (req, res, next) => {
-      // Scope base path removal to /mobify routes and routes defined by the express app (ie. worker.js)
-      // This is to avoid affecting other paths where a base path might be present if it happens to
-      // be equal to a site id.
-      // For example, if you have a base path of /us and a site id of /us we don't want
-      // to remove the /us from www.example.com/us/en-US/category/...
-
-      const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
-      let shouldRemoveBasePath = false;
-      if (basePath) {
-        if (req.path.startsWith(`${basePath}/mobify`)) {
-          shouldRemoveBasePath = true;
-        }
+      /**
+       * Very early request processing.
+       *
+       * If the server receives a request containing the base path, remove it before allowing it through
+       *
+       * @param req {express.req} the incoming request - modified in-place
+       * @private
+       */
+      const removeBasePathFromPathMiddleware = (req, res, next) => {
+        // Scope base path removal to /mobify routes and routes defined by the express app (ie. worker.js)
+        // This is to avoid affecting other paths where a base path might be present if it happens to
+        // be equal to a site id.
+        // For example, if you have a base path of /us and a site id of /us we don't want
+        // to remove the /us from www.example.com/us/en-US/category/...
+
+        const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
+        let shouldRemoveBasePath = false;
+        if (basePath) {
+          if (req.path.startsWith(`${basePath}/mobify`)) {
+            shouldRemoveBasePath = true;
+          }
 
-        // Check if path matches any existing express route with base path prepended
-        if (!shouldRemoveBasePath) {
-          // Routes are dynamically checked since we want to ensure that any express route
-          // defined after the app is created, such as routes defined in ssr.js are included.
-          const expressRoutes = app._router.stack
-          // specifically omit the generic wildcard from the express routes we want to
-          // remove the base path from since it is mapped to the app render
-          .filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
-          for (const route of expressRoutes) {
-            if (route) {
-              const routeRegex = _convertExpressRouteToRegex(route);
-              if (routeRegex) {
-                const pathWithoutBase = req.path.replace(new RegExp(`^${basePath}`), '');
-                if (routeRegex.test(pathWithoutBase)) {
-                  shouldRemoveBasePath = true;
-                  break;
+          // Check if path matches any existing express route with base path prepended
+          if (!shouldRemoveBasePath) {
+            // Routes are dynamically checked since we want to ensure that any express route
+            // defined after the app is created, such as routes defined in ssr.js, are included.
+            const expressRoutes = app._router.stack
+            // specifically omit the generic wildcard from the express routes we want to
+            // remove the base path from since it is mapped to the app render
+            .filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
+            for (const route of expressRoutes) {
+              if (route) {
+                const routeRegex = _convertExpressRouteToRegex(route);
+                if (routeRegex) {
+                  const pathWithoutBase = req.path.replace(new RegExp(`^${basePath}`), '');
+                  if (routeRegex.test(pathWithoutBase)) {
+                    shouldRemoveBasePath = true;
+                    break;
+                  }
                 }
               }
             }
           }
         }
-      }
-      if (shouldRemoveBasePath) {
-        const updatedPath = removeBasePathFromPath(req.path);
-        const parsed = _url.default.parse(req.url);
-        parsed.pathname = updatedPath;
-        req.url = _url.default.format(parsed);
-      }
-      next();
-    };
-    app.use(removeBasePathFromPathMiddleware);
+        if (shouldRemoveBasePath) {
+          const updatedPath = removeBasePathFromPath(req.path);
+          const parsed = _url.default.parse(req.url);
+          parsed.pathname = updatedPath;
+          req.url = _url.default.format(parsed);
+        }
+        next();
+      };
+      app.use(removeBasePathFromPathMiddleware);
+    }
   },
   /**
    * @private
@@ -674,6 +680,15 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
     if (!options.useSLASPrivateClient) {
       return;
     }
+
+    // This is the full path to the SLAS trusted-system endpoint
+    // We want to throw an error if the regex defined options.applySLASPrivateClientToEndpoints
+    // matches this path as an early warning to developers that they should update their regex
+    // in ssr.js to exclude this path.
+    const trustedSystemPath = '/shopper/auth/v1/oauth2/trusted-system/token';
+    if (trustedSystemPath.match(options.applySLASPrivateClientToEndpoints)) {
+      throw new Error('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
+    }
     (0, _ssrServer.localDevLog)(`Proxying ${_ssrNamespacePaths.slasPrivateProxyPath} to ${options.slasTarget}`);
     const clientId = (_options$mobify2 = options.mobify) === null || _options$mobify2 === void 0 ? void 0 : (_options$mobify2$app = _options$mobify2.app) === null || _options$mobify2$app === void 0 ? void 0 : (_options$mobify2$app$ = _options$mobify2$app.commerceAPI) === null || _options$mobify2$app$ === void 0 ? void 0 : (_options$mobify2$app$2 = _options$mobify2$app$.parameters) === null || _options$mobify2$app$2 === void 0 ? void 0 : _options$mobify2$app$2.clientId;
     const clientSecret = process.env.PWA_KIT_SLAS_CLIENT_SECRET;
@@ -695,7 +710,7 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
         return path.replace(regex, '');
       },
       onProxyReq: (proxyRequest, incomingRequest, res) => {
-        var _incomingRequest$path, _incomingRequest$path2, _incomingRequest$path3;
+        var _incomingRequest$path, _incomingRequest$path2, _incomingRequest$path3, _incomingRequest$path4;
         (0, _configureProxy.applyProxyRequestHeaders)({
           proxyRequest,
           incomingRequest,
@@ -704,15 +719,9 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
           targetProtocol: 'https'
         });
 
-        // We pattern match and add client secrets only to endpoints that
-        // match the regex specified by options.applySLASPrivateClientToEndpoints
-        // (see option defaults at the top of this file).
-        // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
-        // SLAS logout (/oauth2/logout), use the Authorization header for a different
-        // purpose so we don't want to overwrite the header for those calls.
-        if ((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(options.applySLASPrivateClientToEndpoints)) {
-          proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`);
-        } else if (!((_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(options.slasApiPath))) {
+        // We don't want the proxy to handle any non-SLAS requests
+        // or any trusted system requests
+        if (!((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(options.slasApiPath)) || (_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(/\/oauth2\/trusted-system/)) {
           const message = `Request to ${incomingRequest.path} is not allowed through the SLAS Private Client Proxy`;
           _loggerInstance.default.error(message);
           return res.status(403).json({
@@ -720,8 +729,17 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
           });
         }
 
-        // /oauth2/trusted-agent/token endpoint requires a different auth header
-        if ((_incomingRequest$path3 = incomingRequest.path) !== null && _incomingRequest$path3 !== void 0 && _incomingRequest$path3.match(/\/oauth2\/trusted-agent\/token/)) {
+        // We pattern match and add client secrets only to endpoints that
+        // match the regex specified by options.applySLASPrivateClientToEndpoints.
+        //
+        // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
+        // SLAS logout (/oauth2/logout), use the Authorization header for a different
+        // purpose so we don't want to overwrite the header for those calls.
+        if ((_incomingRequest$path3 = incomingRequest.path) !== null && _incomingRequest$path3 !== void 0 && _incomingRequest$path3.match(options.applySLASPrivateClientToEndpoints)) {
+          proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`);
+        } else if ((_incomingRequest$path4 = incomingRequest.path) !== null && _incomingRequest$path4 !== void 0 && _incomingRequest$path4.match(/\/oauth2\/trusted-agent\/token/)) {
+          // /oauth2/trusted-agent/token endpoint auth header comes from Account Manager
+          // so the SLAS private client is sent via this special header
           proxyRequest.setHeader('_sfdc_client_auth', encodedSlasCredentials);
         }
       }

package/ssr/server/constants.js

@@ -14,7 +14,7 @@ const APPLICATION_OCTET_STREAM = exports.APPLICATION_OCTET_STREAM = 'application
 const BUILD = exports.BUILD = 'build';
 const STATIC_ASSETS = exports.STATIC_ASSETS = 'static_assets';
 
-/**  * @deprecated Use ssr-namespace-paths.proxyBasePath instead  */
+/**  * @deprecated Use ssr-namespace-paths proxyBasePath instead  */
 const PROXY_PATH_PREFIX = exports.PROXY_PATH_PREFIX = '/mobify/proxy';
 
 // All these values MUST be lower case

package/ssr/server/express.test.js

@@ -918,9 +918,24 @@ describe('DevServer middleware', () => {
 describe('SLAS private client proxy', () => {
   const savedEnvironment = _extends({}, process.env);
   let proxyApp;
+  let proxyServer;
   const proxyPort = 12345;
   const proxyPath = '/shopper/auth/responseHeaders';
   const slasTarget = `http://localhost:${proxyPort}${proxyPath}`;
+  const appConfig = {
+    mobify: {
+      app: {
+        commerceAPI: {
+          parameters: {
+            clientId: 'clientId',
+            shortCode: 'shortCode'
+          }
+        }
+      }
+    },
+    useSLASPrivateClient: true,
+    slasTarget: slasTarget
+  };
   beforeAll(() => {
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({});
     // by setting slasTarget, rather than forwarding the request to SLAS,
@@ -929,14 +944,38 @@ describe('SLAS private client proxy', () => {
     proxyApp.use(proxyPath, (req, res) => {
       res.send(req.headers);
     });
-    proxyApp.listen(proxyPort);
+    proxyServer = proxyApp.listen(proxyPort);
   });
   afterEach(() => {
     process.env = savedEnvironment;
   });
-  afterAll(() => {
-    proxyApp.close();
-  });
+
+  // There is a lot of cleanup done here to ensure the proxy server is closed
+  // after these tests.
+  afterAll(/*#__PURE__*/_asyncToGenerator(function* () {
+    if (proxyServer) {
+      // Close the server and wait for it to fully close
+      yield new Promise(resolve => {
+        proxyServer.close(() => {
+          resolve();
+        });
+      });
+
+      // Additional cleanup to ensure all connections are closed
+      proxyServer.unref();
+
+      // Force close any remaining connections
+      if (proxyServer._handle) {
+        proxyServer._handle.close();
+      }
+
+      // Clear any remaining event listeners
+      proxyServer.removeAllListeners();
+    }
+
+    // Clear any remaining timers or intervals
+    jest.clearAllTimers();
+  }));
   test('should not create proxy by default', () => {
     const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
     return (0, _supertest.default)(app).get('/mobify/slas/private').expect(404);
@@ -950,20 +989,7 @@ describe('SLAS private client proxy', () => {
   });
   test('does not insert client secret if request not for /oauth2/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/somePath').then(response => {
       expect(response.body.authorization).toBeUndefined();
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
@@ -973,20 +999,7 @@ describe('SLAS private client proxy', () => {
   test('inserts client secret if request is for /oauth2/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
     const encodedCredentials = Buffer.from('clientId:a secret').toString('base64');
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/token').then(response => {
       expect(response.body.authorization).toBe(`Basic ${encodedCredentials}`);
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
@@ -995,21 +1008,7 @@ describe('SLAS private client proxy', () => {
   }), 15000);
   test('does not add _sfdc_client_auth header if request not for /oauth2/trusted-agent/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const encodedCredentials = Buffer.from('clientId:a secret').toString('base64');
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/other-path').then(response => {
       expect(response.body._sfdc_client_auth).toBeUndefined();
     });
@@ -1040,21 +1039,33 @@ describe('SLAS private client proxy', () => {
   }), 15000);
   test('returns 403 if request is not for /shopper/auth endpoints', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
+    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth-admin/v1/other-path').expect(403);
+  }), 15000);
+  test('returns 403 if request is for /oauth2/trusted-system/* endpoint', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
+    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/trusted-system/token').expect(403);
+  }), 15000);
+  test('throws an error if /oauth2/trusted-system/* is included in applySLASPrivateClientToEndpoints', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+    expect(() => {
+      _buildRemoteServer.RemoteServerFactory._createApp(opts({
+        mobify: {
+          app: {
+            commerceAPI: {
+              parameters: {
+                clientId: 'clientId',
+                shortCode: 'shortCode'
+              }
             }
           }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
-    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth-admin/v1/other-path').expect(403);
+        },
+        useSLASPrivateClient: true,
+        slasTarget: slasTarget,
+        applySLASPrivateClientToEndpoints: /\/oauth2\/trusted-system/
+      }));
+    }).toThrow('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
   }), 15000);
 });
 describe('Base path tests', () => {
@@ -1099,6 +1110,24 @@ describe('Base path tests', () => {
       expect(response.body.userId).toBe('123');
     });
   }), 15000);
+  test('should remove base path from routes defined with regex', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+    app.get(/\/api\/users\/\d+/, (req, res) => {
+      // Extract the user ID from the URL path since regex routes don't create req.params automatically
+      const match = req.path.match(/\/api\/users\/(\d+)/);
+      const userId = match ? match[1] : 'unknown';
+      res.status(200).json({
+        userId: userId
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/api/users/123').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.userId).toBe('123');
+    });
+  }), 15000);
   test('remove base path can handle complex base paths', /*#__PURE__*/_asyncToGenerator(function* () {
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
       envBasePath: '/my/base/path'

package/utils/ssr-namespace-paths.js

@@ -32,6 +32,7 @@ const SLAS_PRIVATE_CLIENT_PROXY_PATH = `${MOBIFY_PATH}/slas/private`;
 
 /*
  * Returns the base path. This is prepended to a /mobify path.
+ * Returns an empty string if the base path is not set or is '/'.
  */
 const getEnvBasePath = () => {
   const config = (0, _ssrConfig.getConfig)();