@salesforce/pwa-kit-runtime 3.12.0-preview.0 → 3.12.0-preview.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/pwa-kit-runtime",
-  "version": "3.12.0-preview.0",
+  "version": "3.12.0-preview.2",
   "description": "The PWAKit Runtime",
   "homepage": "https://github.com/SalesforceCommerceCloud/pwa-kit/tree/develop/packages/pwa-kit-runtime#readme",
   "bugs": {
@@ -46,11 +46,11 @@
   },
   "devDependencies": {
     "@loadable/component": "^5.15.3",
-    "@salesforce/pwa-kit-dev": "3.12.0-preview.0",
+    "@salesforce/pwa-kit-dev": "3.12.0-preview.2",
     "@serverless/event-mocks": "^1.1.1",
     "aws-lambda-mock-context": "^3.2.1",
     "fs-extra": "^11.1.1",
-    "internal-lib-build": "3.12.0-preview.0",
+    "internal-lib-build": "3.12.0-preview.2",
     "nock": "^13.3.0",
     "nodemon": "^2.0.22",
     "sinon": "^13.0.2",
@@ -58,7 +58,7 @@
     "supertest": "^4.0.2"
   },
   "peerDependencies": {
-    "@salesforce/pwa-kit-dev": "3.12.0-preview.0"
+    "@salesforce/pwa-kit-dev": "3.12.0-preview.2"
   },
   "peerDependenciesMeta": {
     "@salesforce/pwa-kit-dev": {
@@ -72,5 +72,5 @@
   "publishConfig": {
     "directory": "dist"
   },
-  "gitHead": "f79699d763ecdf8e0733e2d6c08b71487af8b15c"
+  "gitHead": "c0d7ff4673e54ecb119ca4aff5b919f0064b6539"
 }

package/ssr/server/build-remote-server.js

@@ -27,6 +27,7 @@ var _awsServerlessExpress = _interopRequireDefault(require("aws-serverless-expre
 var _morgan = _interopRequireDefault(require("morgan"));
 var _loggerInstance = _interopRequireDefault(require("../../utils/logger-instance"));
 var _httpProxyMiddleware = require("http-proxy-middleware");
+var _convertExpressRoute = require("../../utils/ssr-server/convert-express-route");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
 function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
@@ -179,7 +180,7 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
    * @private
    */
   _isBundleOrProxyPath(url) {
-    return url.includes(_ssrNamespacePaths.proxyBasePath) || url.includes(_ssrNamespacePaths.bundleBasePath);
+    return url.startsWith(_ssrNamespacePaths.proxyBasePath) || url.startsWith(_ssrNamespacePaths.bundleBasePath);
   },
   /**
    * @private
@@ -300,7 +301,12 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
     // We want to remove any base paths that have made it this far.
     // Base paths are used to route requests to the correct server.
     // If the request has reached the server, it is no longer needed.
-    this._setupRemoveBasePathFromPathMiddleware(app);
+    // Note: We use envBasePath as the feature flag for this middleware
+    // If envBasePath is `/`, '', or undefined when the server starts, we don't need to
+    // initialize this middleware.
+    if ((0, _ssrNamespacePaths.getEnvBasePath)()) {
+      this._setupBasePathMiddleware(app);
+    }
 
     // Ordering of the next two calls are vital - we don't
     // want request-processors applied to development views.
@@ -402,79 +408,118 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
   /**
    * @private
    */
-  _setupRemoveBasePathFromPathMiddleware(app) {
+  _setupBasePathMiddleware(app) {
+    // Cache the express route regexes to avoid re-calculating them on every request.
+    let expressRouteRegexes;
+
+    /**
+     * Remove the base path from a path.
+     *
+     * If path is like '/basepath/something', this returns '/something'
+     * If path is exactly '/basepath', this returns '/'
+     * If path doesn't start with base path or if there is no base path defined,
+     * returns the unmodified path
+     *
+     * @param path {string} the path to remove the base path from
+     * @returns {string} the path with the base path removed
+     */
     const removeBasePathFromPath = path => {
-      if (!(0, _ssrNamespacePaths.getEnvBasePath)()) return path;
-      const regex = new RegExp(`^${(0, _ssrNamespacePaths.getEnvBasePath)()}(/|$)`);
-      return path.replace(regex, '/');
+      const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
+      if (!basePath) {
+        return path;
+      }
+      if (path.startsWith(basePath + '/')) {
+        return path.substring(basePath.length);
+      } else if (path === basePath) {
+        return '/';
+      }
+      return path;
     };
-    const _convertExpressRouteToRegex = routePattern => {
-      if (!routePattern) return null;
 
-      // Replace route parameters like :id with regex capture groups
-      let regexPattern = routePattern.replace(/:[^/]+/g, '[^/]+').replace(/\/\*/g, '/.*').replace(/\*/g, '.*');
-
-      // Escape other regex special characters except those we just handled
-      regexPattern = regexPattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-
-      // Unescape the patterns we want to keep
-      regexPattern = regexPattern.replace(/\\\[\\\^\/\\\]\\\+/g, '[^/]+').replace(/\\\/\\\.\\\*/g, '/.*').replace(/\\\.\\\*/g, '.*').replace(/\\\(/g, '(').replace(/\\\)/g, ')').replace(/\\\?/g, '?');
-      return new RegExp(`^${regexPattern}$`);
+    /**
+     * Initializes a cache of regexes that correspond to the registered express routes
+     *
+     * This specifically omits the generic wildcard from the express routes where we
+     * want to remove the base path from since it is mapped to the app render. This is
+     * because routes sent to the render are handled by React Router
+     */
+    const initializeExpressRouteRegexes = () => {
+      const expressRoutes = app._router.stack.filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
+      expressRouteRegexes = expressRoutes.map(route => (0, _convertExpressRoute.convertExpressRouteToRegex)(route));
     };
 
     /**
      * Very early request processing.
      *
-     * If the server receives a request containing the base path, remove it before allowing it through
+     * If the server receives a request containing the base path, remove it before allowing
+     * the request through to the other express endpoints
+     *
+     * We scope base path removal to /mobify routes and routes defined by the express app
+     * (For example /callback or /worker.js)
+     * This is to avoid affecting React Router routes where a site id or locale might be present
+     * that is equal to the base path.
+     *
+     * For example, if you have a base path of /us and a site id of /us we don't want
+     * to remove the /us from www.example.com/us/en-US/category/... as this route is handled by
+     * React Router and the PWA multisite implementation.
      *
      * @param req {express.req} the incoming request - modified in-place
      * @private
      */
-    const removeBasePathFromPathMiddleware = (req, res, next) => {
-      // Scope base path removal to /mobify routes and routes defined by the express app (ie. worker.js)
-      // This is to avoid affecting other paths where a base path might be present if it happens to
-      // be equal to a site id.
-      // For example, if you have a base path of /us and a site id of /us we don't want
-      // to remove the /us from www.example.com/us/en-US/category/...
-
+    const removeBasePathMiddleware = (req, res, next) => {
       const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
-      let shouldRemoveBasePath = false;
-      if (basePath) {
-        if (req.path.startsWith(`${basePath}/mobify`)) {
-          shouldRemoveBasePath = true;
-        }
 
-        // Check if path matches any existing express route with base path prepended
-        if (!shouldRemoveBasePath) {
-          // Routes are dynamically checked since we want to ensure that any express route
-          // defined after the app is created, such as routes defined in ssr.js are included.
-          const expressRoutes = app._router.stack
-          // specifically omit the generic wildcard from the express routes we want to
-          // remove the base path from since it is mapped to the app render
-          .filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
-          for (const route of expressRoutes) {
-            if (route) {
-              const routeRegex = _convertExpressRouteToRegex(route);
-              if (routeRegex) {
-                const pathWithoutBase = req.path.replace(new RegExp(`^${basePath}`), '');
-                if (routeRegex.test(pathWithoutBase)) {
-                  shouldRemoveBasePath = true;
-                  break;
-                }
-              }
+      // Fast path: /mobify routes always get the base path removed
+      if (req.path.startsWith(`${basePath}/mobify`)) {
+        const cleanPath = removeBasePathFromPath(req.path);
+        const parsed = _url.default.parse(req.url);
+        parsed.pathname = cleanPath;
+        req.url = _url.default.format(parsed);
+        return next();
+      }
+
+      // For other routes, only proceed if path actually starts with base path
+      if (!req.path.startsWith(basePath)) {
+        return next();
+      }
+
+      // Now we know path starts with base path, so we can remove it
+      const cleanPath = removeBasePathFromPath(req.path);
+
+      // Initialize express route regexes if needed
+      // We do this here since we want to ensure that any express route defined
+      // after the app is created, such as routes defined in ssr.js, are included.
+      if (!expressRouteRegexes) {
+        initializeExpressRouteRegexes();
+      }
+
+      // Next we check if the clean path matches any existing express routes
+      // (like /callback or /worker.js)
+      const matchesExpressRoute = expressRouteRegexes.some(routeRegex => {
+        try {
+          return routeRegex.test(cleanPath);
+        } catch (error) {
+          _loggerInstance.default.warn(`Invalid express route pattern: ${routeRegex}`, /* istanbul ignore next */
+          {
+            namespace: 'removeBasePathMiddleware',
+            additionalProperties: {
+              error: error
             }
-          }
+          });
+          return false;
         }
-      }
-      if (shouldRemoveBasePath) {
-        const updatedPath = removeBasePathFromPath(req.path);
+      });
+
+      // Only update URL if our clean path matches an Express route
+      // This leaves React Router paths (like /en-US/category) unchanged
+      if (matchesExpressRoute) {
         const parsed = _url.default.parse(req.url);
-        parsed.pathname = updatedPath;
+        parsed.pathname = cleanPath;
         req.url = _url.default.format(parsed);
       }
       next();
     };
-    app.use(removeBasePathFromPathMiddleware);
+    app.use(removeBasePathMiddleware);
   },
   /**
    * @private
@@ -674,6 +719,15 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
     if (!options.useSLASPrivateClient) {
       return;
     }
+
+    // This is the full path to the SLAS trusted-system endpoint
+    // We want to throw an error if the regex defined options.applySLASPrivateClientToEndpoints
+    // matches this path as an early warning to developers that they should update their regex
+    // in ssr.js to exclude this path.
+    const trustedSystemPath = '/shopper/auth/v1/oauth2/trusted-system/token';
+    if (trustedSystemPath.match(options.applySLASPrivateClientToEndpoints)) {
+      throw new Error('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
+    }
     (0, _ssrServer.localDevLog)(`Proxying ${_ssrNamespacePaths.slasPrivateProxyPath} to ${options.slasTarget}`);
     const clientId = (_options$mobify2 = options.mobify) === null || _options$mobify2 === void 0 ? void 0 : (_options$mobify2$app = _options$mobify2.app) === null || _options$mobify2$app === void 0 ? void 0 : (_options$mobify2$app$ = _options$mobify2$app.commerceAPI) === null || _options$mobify2$app$ === void 0 ? void 0 : (_options$mobify2$app$2 = _options$mobify2$app$.parameters) === null || _options$mobify2$app$2 === void 0 ? void 0 : _options$mobify2$app$2.clientId;
     const clientSecret = process.env.PWA_KIT_SLAS_CLIENT_SECRET;
@@ -682,7 +736,20 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
       return;
     }
     const encodedSlasCredentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
-    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (0, _httpProxyMiddleware.createProxyMiddleware)({
+    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (req, res, next) => {
+      var _req$path, _req$path2;
+      // Check if the request should be blocked before it reaches the proxy
+      // We run this outside of the proxy middleware because modifying the response
+      // to send a 403 in the proxy causes issues with the response interceptor.
+      if (!((_req$path = req.path) !== null && _req$path !== void 0 && _req$path.match(options.slasApiPath)) || (_req$path2 = req.path) !== null && _req$path2 !== void 0 && _req$path2.match(/\/oauth2\/trusted-system/)) {
+        const message = `Request to ${req.path} is not allowed through the SLAS Private Client Proxy`;
+        _loggerInstance.default.error(message);
+        return res.status(403).json({
+          message: message
+        });
+      }
+      next();
+    }, (0, _httpProxyMiddleware.createProxyMiddleware)({
       target: options.slasTarget,
       changeOrigin: true,
       // http-proxy-middleware uses the original incoming request path to determine
@@ -694,8 +761,9 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
         const regex = new RegExp(`^${basePathRegexEntry}${_ssrNamespacePaths.slasPrivateProxyPath}`);
         return path.replace(regex, '');
       },
+      selfHandleResponse: true,
       onProxyReq: (proxyRequest, incomingRequest, res) => {
-        var _incomingRequest$path, _incomingRequest$path2, _incomingRequest$path3;
+        var _incomingRequest$path, _incomingRequest$path2;
         (0, _configureProxy.applyProxyRequestHeaders)({
           proxyRequest,
           incomingRequest,
@@ -703,28 +771,41 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
           targetHost: options.slasHostName,
           targetProtocol: 'https'
         });
-
-        // We pattern match and add client secrets only to endpoints that
-        // match the regex specified by options.applySLASPrivateClientToEndpoints
-        // (see option defaults at the top of this file).
-        // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
-        // SLAS logout (/oauth2/logout), use the Authorization header for a different
-        // purpose so we don't want to overwrite the header for those calls.
-        if ((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(options.applySLASPrivateClientToEndpoints)) {
+        if ((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(/\/oauth2\/trusted-agent\/token/)) {
+          // /oauth2/trusted-agent/token endpoint auth header comes from Account Manager
+          // so the SLAS private client is sent via this special header
+          proxyRequest.setHeader('_sfdc_client_auth', encodedSlasCredentials);
+        } else if ((_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(options.applySLASPrivateClientToEndpoints)) {
+          // We pattern match and add client secrets only to endpoints that
+          // match the regex specified by options.applySLASPrivateClientToEndpoints.
+          //
+          // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
+          // SLAS logout (/oauth2/logout), use the Authorization header for a different
+          // purpose so we don't want to overwrite the header for those calls.
           proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`);
-        } else if (!((_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(options.slasApiPath))) {
-          const message = `Request to ${incomingRequest.path} is not allowed through the SLAS Private Client Proxy`;
-          _loggerInstance.default.error(message);
-          return res.status(403).json({
-            message: message
-          });
         }
-
-        // /oauth2/trusted-agent/token endpoint requires a different auth header
-        if ((_incomingRequest$path3 = incomingRequest.path) !== null && _incomingRequest$path3 !== void 0 && _incomingRequest$path3.match(/\/oauth2\/trusted-agent\/token/)) {
-          proxyRequest.setHeader('_sfdc_client_auth', encodedSlasCredentials);
+      },
+      onProxyRes: (0, _httpProxyMiddleware.responseInterceptor)((responseBuffer, proxyRes, req, res) => {
+        try {
+          var _req$path3;
+          // If the passwordless login endpoint returns a 404, which corresponds to a user
+          // email not being found, we mask it with a 200 OK response so that it is not
+          // obvious that the user does not exist.
+          // We do this to prevent user enumeration.
+          if ((_req$path3 = req.path) !== null && _req$path3 !== void 0 && _req$path3.match(/\/oauth2\/passwordless\/login/) && proxyRes.statusCode === 404) {
+            res.statusCode = 200;
+            res.statusMessage = 'OK';
+
+            // When a /passwordless/login endpoint response returns 200, it has no body
+            // so we return an empty body here to match an actual 200 response.
+            return Buffer.from('', 'utf8');
+          }
+          return responseBuffer;
+        } catch (error) {
+          console.error('There is an error processing the response from SLAS. Returning original response.', error);
+          return responseBuffer;
         }
-      }
+      })
     }));
   },
   /**

package/ssr/server/constants.js

@@ -14,7 +14,7 @@ const APPLICATION_OCTET_STREAM = exports.APPLICATION_OCTET_STREAM = 'application
 const BUILD = exports.BUILD = 'build';
 const STATIC_ASSETS = exports.STATIC_ASSETS = 'static_assets';
 
-/**  * @deprecated Use ssr-namespace-paths.proxyBasePath instead  */
+/**  * @deprecated Use ssr-namespace-paths proxyBasePath instead  */
 const PROXY_PATH_PREFIX = exports.PROXY_PATH_PREFIX = '/mobify/proxy';
 
 // All these values MUST be lower case

package/ssr/server/express.test.js

@@ -918,9 +918,24 @@ describe('DevServer middleware', () => {
 describe('SLAS private client proxy', () => {
   const savedEnvironment = _extends({}, process.env);
   let proxyApp;
+  let proxyServer;
   const proxyPort = 12345;
   const proxyPath = '/shopper/auth/responseHeaders';
   const slasTarget = `http://localhost:${proxyPort}${proxyPath}`;
+  const appConfig = {
+    mobify: {
+      app: {
+        commerceAPI: {
+          parameters: {
+            clientId: 'clientId',
+            shortCode: 'shortCode'
+          }
+        }
+      }
+    },
+    useSLASPrivateClient: true,
+    slasTarget: slasTarget
+  };
   beforeAll(() => {
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({});
     // by setting slasTarget, rather than forwarding the request to SLAS,
@@ -929,14 +944,38 @@ describe('SLAS private client proxy', () => {
     proxyApp.use(proxyPath, (req, res) => {
       res.send(req.headers);
     });
-    proxyApp.listen(proxyPort);
+    proxyServer = proxyApp.listen(proxyPort);
   });
   afterEach(() => {
     process.env = savedEnvironment;
   });
-  afterAll(() => {
-    proxyApp.close();
-  });
+
+  // There is a lot of cleanup done here to ensure the proxy server is closed
+  // after these tests.
+  afterAll(/*#__PURE__*/_asyncToGenerator(function* () {
+    if (proxyServer) {
+      // Close the server and wait for it to fully close
+      yield new Promise(resolve => {
+        proxyServer.close(() => {
+          resolve();
+        });
+      });
+
+      // Additional cleanup to ensure all connections are closed
+      proxyServer.unref();
+
+      // Force close any remaining connections
+      if (proxyServer._handle) {
+        proxyServer._handle.close();
+      }
+
+      // Clear any remaining event listeners
+      proxyServer.removeAllListeners();
+    }
+
+    // Clear any remaining timers or intervals
+    jest.clearAllTimers();
+  }));
   test('should not create proxy by default', () => {
     const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
     return (0, _supertest.default)(app).get('/mobify/slas/private').expect(404);
@@ -950,20 +989,7 @@ describe('SLAS private client proxy', () => {
   });
   test('does not insert client secret if request not for /oauth2/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/somePath').then(response => {
       expect(response.body.authorization).toBeUndefined();
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
@@ -973,20 +999,7 @@ describe('SLAS private client proxy', () => {
   test('inserts client secret if request is for /oauth2/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
     const encodedCredentials = Buffer.from('clientId:a secret').toString('base64');
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/token').then(response => {
       expect(response.body.authorization).toBe(`Basic ${encodedCredentials}`);
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
@@ -995,21 +1008,7 @@ describe('SLAS private client proxy', () => {
   }), 15000);
   test('does not add _sfdc_client_auth header if request not for /oauth2/trusted-agent/token', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const encodedCredentials = Buffer.from('clientId:a secret').toString('base64');
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
-            }
-          }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/other-path').then(response => {
       expect(response.body._sfdc_client_auth).toBeUndefined();
     });
@@ -1034,28 +1033,71 @@ describe('SLAS private client proxy', () => {
     }));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/trusted-agent/token').then(response => {
       expect(response.body['_sfdc_client_auth']).toBe(encodedCredentials);
+      expect(response.body.authorization).toBeUndefined();
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
       expect(response.body['x-mobify']).toBe('true');
     });
   }), 15000);
   test('returns 403 if request is not for /shopper/auth endpoints', /*#__PURE__*/_asyncToGenerator(function* () {
     process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
-    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts({
-      mobify: {
-        app: {
-          commerceAPI: {
-            parameters: {
-              clientId: 'clientId',
-              shortCode: 'shortCode'
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
+    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth-admin/v1/other-path').expect(403);
+  }), 15000);
+  test('returns 403 if request is for /oauth2/trusted-system/* endpoint', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(appConfig));
+    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/trusted-system/token').expect(403);
+  }), 15000);
+  test('throws an error if /oauth2/trusted-system/* is included in applySLASPrivateClientToEndpoints', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+    expect(() => {
+      _buildRemoteServer.RemoteServerFactory._createApp(opts({
+        mobify: {
+          app: {
+            commerceAPI: {
+              parameters: {
+                clientId: 'clientId',
+                shortCode: 'shortCode'
+              }
             }
           }
-        }
-      },
-      useSLASPrivateClient: true,
-      slasTarget: slasTarget
-    }));
-    return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth-admin/v1/other-path').expect(403);
+        },
+        useSLASPrivateClient: true,
+        slasTarget: slasTarget,
+        applySLASPrivateClientToEndpoints: /\/oauth2\/trusted-system/
+      }));
+    }).toThrow('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
   }), 15000);
+  test('proxy returns a 200 OK masking a user not found error', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+
+    // Create a new mock server specifically for this test so we can mock a response from SLAS
+    const testProxyApp = (0, _express.default)();
+    const testProxyPort = 12346;
+    const testSlasTarget = `http://localhost:${testProxyPort}/shopper/auth/responseHeaders`;
+
+    // Set up the mock server to return a 404 for passwordless login
+    testProxyApp.use('/shopper/auth/responseHeaders', (req, res) => {
+      if (req.url.includes('/oauth2/passwordless/login')) {
+        res.status(404).send();
+      } else {
+        res.send(req.headers);
+      }
+    });
+    const testProxyServer = testProxyApp.listen(testProxyPort);
+    try {
+      const testAppConfig = _objectSpread(_objectSpread({}, appConfig), {}, {
+        slasTarget: testSlasTarget
+      });
+      const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(testAppConfig));
+      return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/passwordless/login').expect(200).then(response => {
+        expect(response.text).toBe('');
+      });
+    } finally {
+      // Clean up the test server
+      testProxyServer.close();
+    }
+  }));
 });
 describe('Base path tests', () => {
   test('Base path is removed from /mobify request path and still gets through to /mobify endpoint', /*#__PURE__*/_asyncToGenerator(function* () {
@@ -1068,20 +1110,23 @@ describe('Base path tests', () => {
     });
   }), 15000);
   test('should not remove base path from non /mobify non-express routes', /*#__PURE__*/_asyncToGenerator(function* () {
+    // Set base path to something that might also be a site id used by react router routes
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
-      envBasePath: '/basepath'
+      envBasePath: '/us'
     });
     const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
 
-    // Add a route that doesn't match the request
-    app.get('/api/other', (req, res) => {
-      res.status(200).json({
-        message: 'other'
-      });
+    // Add a middleware to capture the request path after base path processing
+    let capturedPath = null;
+    app.use((req, res, next) => {
+      capturedPath = req.path;
+      next();
     });
-    return (0, _supertest.default)(app).get('/basepath/api/unknown').then(response => {
-      // Should get a 404 since the route doesn't exist
-      expect(response.status).toBe(404);
+    return (0, _supertest.default)(app).get('/us/products/123').then(response => {
+      expect(response.status).toBe(404); // 404 because the route doesn't exist in express
+
+      // Verify that the base path was not removed from the request path
+      expect(capturedPath).toBe('/us/products/123');
     });
   }), 15000);
   test('should remove base path from routes with path parameters', /*#__PURE__*/_asyncToGenerator(function* () {
@@ -1099,7 +1144,25 @@ describe('Base path tests', () => {
       expect(response.body.userId).toBe('123');
     });
   }), 15000);
-  test('remove base path can handle complex base paths', /*#__PURE__*/_asyncToGenerator(function* () {
+  test('should remove base path from routes defined with regex', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+    app.get(/\/api\/users\/\d+/, (req, res) => {
+      // Extract the user ID from the URL path since regex routes don't create req.params automatically
+      const match = req.path.match(/\/api\/users\/(\d+)/);
+      const userId = match ? match[1] : 'unknown';
+      res.status(200).json({
+        userId: userId
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/api/users/123').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.userId).toBe('123');
+    });
+  }), 15000);
+  test('remove base path can handle multi-part base paths', /*#__PURE__*/_asyncToGenerator(function* () {
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
       envBasePath: '/my/base/path'
     });
@@ -1114,4 +1177,25 @@ describe('Base path tests', () => {
       expect(response.body.message).toBe('test');
     });
   }), 15000);
+  test('should handle optional characters in route pattern', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+
+    // This route is intentionally made complex to test the following:
+    // 1. Optional characters in route pattern ie. 'k?'
+    // 2. Optional characters in route pattern with groups ie. (c)?
+    // 3. Optional characters in route pattern with path parameters ie. (:param?)
+    // 4. Wildcards ie. '*'
+    app.get('/callba(c)?k?*/:param?', (req, res) => {
+      res.status(200).json({
+        message: 'test'
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/callback').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('test');
+    });
+  }), 15000);
 });

package/utils/ssr-namespace-paths.js

@@ -32,15 +32,37 @@ const SLAS_PRIVATE_CLIENT_PROXY_PATH = `${MOBIFY_PATH}/slas/private`;
 
 /*
  * Returns the base path. This is prepended to a /mobify path.
+ * Returns an empty string if the base path is not set or is '/'.
  */
 const getEnvBasePath = () => {
   const config = (0, _ssrConfig.getConfig)();
   let basePath = (config === null || config === void 0 ? void 0 : config.envBasePath) || '';
   if (typeof basePath !== 'string') {
-    _loggerInstance.default.warn('Invalid envBasePath configuration. No base path is applied.');
+    _loggerInstance.default.warn('Invalid envBasePath configuration. No base path is applied.', {
+      namespace: 'ssr-namespace-paths.getEnvBasePath'
+    });
     return '';
   }
-  return basePath.replace(/\/$/, '');
+
+  // Normalize the base path
+  basePath = basePath.trim().replace(/^\/?/, '/') // Ensure leading slash
+  .replace(/\/+/g, '/') // Normalize multiple slashes
+  .replace(/\/$/, ''); // Remove trailing slash
+
+  // Return empty string for root path or empty result
+  if (basePath === '/' || !basePath) {
+    return '';
+  }
+
+  // only allow simple, safe characters
+  // eslint-disable-next-line no-useless-escape
+  if (!/^\/[a-zA-Z0-9\-_\/]*$/.test(basePath)) {
+    _loggerInstance.default.warn('Invalid envBasePath configuration. Only letters, numbers, hyphens, underscores, and slashes allowed. No base path is applied.', {
+      namespace: 'ssr-namespace-paths.getEnvBasePath'
+    });
+    return '';
+  }
+  return basePath;
 };
 exports.getEnvBasePath = getEnvBasePath;
 const proxyBasePath = exports.proxyBasePath = PROXY_PATH_BASE;

package/utils/ssr-namespace-paths.test.js

@@ -29,4 +29,28 @@ describe('ssr-namespace-paths tests', () => {
     });
     expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
   });
+  test('getEnvBasePath removes trailing slash', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample/'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath returns empty string if invalid cahracters are detected in envBasePath', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample.*'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
+  });
+  test('getEnvBasePath normalizes envBasePath', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '  //sample/  '
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath works with multiple part base path', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '//test/sample/  '
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/test/sample');
+  });
 });

package/utils/ssr-server/convert-express-route.js

@@ -0,0 +1,126 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.convertExpressRouteToRegex = void 0;
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/**
+ * Utillty function that converts an express route pattern into a regex.
+ *
+ * This is used in build-remote-server's removeBasePathMiddleware to check
+ * whether an incoming request path will match a registered Express endpoint.
+ *
+ * @param {string} routePattern - The express route pattern to convert
+ * @returns {RegExp} - The regex that corresponds to the express route pattern
+ * @throws {Error} - If the route pattern is invalid
+ */
+const convertExpressRouteToRegex = routePattern => {
+  if (!routePattern) return null;
+  if (routePattern instanceof RegExp) return routePattern;
+  if (typeof routePattern !== 'string') return null;
+  try {
+    // If it's a string, it's an Express route pattern that needs conversion
+    // Express route patterns can contain:
+    // - Static paths: /users, /about
+    // - Route parameters: :id, :userId
+    // - Optional parameters: :id?
+    // - Regex constraints: :id(\d+)
+    // - Wildcards: *, /*
+    // - Optional characters: abc?
+    // - Optional groups: (abc)?
+
+    let regexPattern = routePattern;
+
+    // Step 1: Handle regex constraints in parameters like :param(regex)
+    // Example: /search/:query(\d+) -> /search/(\d+)
+    // Store the constraints to prevent them from being escaped later
+    const constraints = [];
+    regexPattern = regexPattern.replace(/:([^(/]+)\(([^)]+)\)/g, (match, paramName, constraint) => {
+      const constraintId = `__CONSTRAINT_${constraints.length}__`;
+      constraints.push(constraint);
+      return constraintId;
+    });
+
+    // Step 2: Handle complex optional parameter sequences first
+    // For patterns like /api/:version?/users/:id?/posts/:postId?
+    // We need to make literal segments optional when they're followed by optional parameters
+    regexPattern = regexPattern.replace(/\/([a-zA-Z0-9_-]+)\/:([^(/]+)\?/g, (match, segment, param) => `(?:/${segment}(?:/[^/]+)?)?`);
+
+    // Step 3: Handle remaining optional parameters :param?
+    // For /users/:id?, we want to match both /users and /users/123
+    // So we need to replace the entire pattern, not just the parameter
+    regexPattern = regexPattern.replace(/\/:([^(/]+)\?/g, '(?:/[^/]+)?');
+
+    // Step 4: Handle regular parameters :param
+    regexPattern = regexPattern.replace(/:([^(/]+)/g, '[^/]+');
+
+    // Step 5: Handle wildcards
+    // Express wildcards * should be converted to .* which matches everything including slashes
+    // Handle /* first, then handle standalone * (but not if it's already been converted)
+    regexPattern = regexPattern.replace(/\/\*/g, '/.*');
+    // Handle standalone * that hasn't been converted yet
+    regexPattern = regexPattern.replace(/(?<!\.)\*(?!\*)/g, '.*');
+
+    // Step 6: Handle wildcard + optional parameter combinations
+    // For example /users*/:id?
+    regexPattern = regexPattern.replace(
+    // eslint-disable-next-line no-useless-escape
+    /\.\*\/\(\?\:\/\[(\^\/)\]\+\)\?/g, '.*(?:/(?:[^/]+)?)?');
+
+    // Step 7: Handle optional groups (user|admin) -> (?:user|admin)
+    regexPattern = regexPattern.replace(/\(([^)]*\|[^)]*)\)/g, '(?:$1)');
+
+    // Step 8: Handle optional characters in literal strings
+    // For patterns like /favori?te, /colou?r, /analy?se
+    // The ? makes the preceding character optional
+    regexPattern = regexPattern.replace(/([a-zA-Z0-9])\?/g, (match, char) => `(?:${char})?`);
+
+    // Step 9: Fix double slashes that may have been created
+    regexPattern = regexPattern.replace(/\/\//g, '/');
+
+    // Step 10: Restore regex constraints without escaping
+    constraints.forEach((constraint, index) => {
+      const constraintId = `__CONSTRAINT_${index}__`;
+      regexPattern = regexPattern.replace(constraintId, `(${constraint})`);
+    });
+
+    // Step 10.5: Handle optional parameters with regex constraints
+    // For patterns like /users/:id(\d+)?, we need to make the entire constraint group optional
+    // This step must be applied after the constraints are restored but before root path handling
+    // Only apply to actual constraint groups, not already processed optional groups
+    regexPattern = regexPattern.replace(/\(([^)]+)\)\?/g, (match, content) => {
+      // Only convert if this looks like a regex constraint (contains regex patterns like \d, \w, etc.)
+      // and is not already an optional group (doesn't start with ?:)
+      if ((/\\[dwDsS]/.test(content) || /[^a-zA-Z0-9\s]/.test(content)) && !content.startsWith('?:')) {
+        return `(?:${content})?`;
+      }
+      return match;
+    });
+
+    // Step 11: Only escape literal characters that need escaping, but not regex constraints
+    // Don't escape curly braces {} as they're used in regex quantifiers
+    // eslint-disable-next-line no-useless-escape
+    regexPattern = regexPattern.replace(/[\$]/g, '\\$&');
+
+    // Step 12: Handle root path optional parameters
+    // For patterns like /:id? or /*, we need to handle the root path correctly
+    if (regexPattern === '^(?:/[^/]+)?$') {
+      // This is a root optional parameter, should match both / and /something
+      regexPattern = '^(?:/|/[^/]+)$';
+    } else if (regexPattern === '^/.*$') {
+      // This is a root wildcard, should match everything including /
+      regexPattern = '^/.*$';
+    }
+    return new RegExp(`^${regexPattern}$`);
+  } catch (error) {
+    throw new Error(`Invalid route pattern: ${routePattern}`);
+  }
+};
+exports.convertExpressRouteToRegex = convertExpressRouteToRegex;