@salesforce/pwa-kit-runtime 3.12.0-preview.1 → 3.12.0-preview.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/pwa-kit-runtime",
-  "version": "3.12.0-preview.1",
+  "version": "3.12.0-preview.3",
   "description": "The PWAKit Runtime",
   "homepage": "https://github.com/SalesforceCommerceCloud/pwa-kit/tree/develop/packages/pwa-kit-runtime#readme",
   "bugs": {
@@ -46,11 +46,11 @@
   },
   "devDependencies": {
     "@loadable/component": "^5.15.3",
-    "@salesforce/pwa-kit-dev": "3.12.0-preview.1",
+    "@salesforce/pwa-kit-dev": "3.12.0-preview.3",
     "@serverless/event-mocks": "^1.1.1",
     "aws-lambda-mock-context": "^3.2.1",
     "fs-extra": "^11.1.1",
-    "internal-lib-build": "3.12.0-preview.1",
+    "internal-lib-build": "3.12.0-preview.3",
     "nock": "^13.3.0",
     "nodemon": "^2.0.22",
     "sinon": "^13.0.2",
@@ -58,7 +58,7 @@
     "supertest": "^4.0.2"
   },
   "peerDependencies": {
-    "@salesforce/pwa-kit-dev": "3.12.0-preview.1"
+    "@salesforce/pwa-kit-dev": "3.12.0-preview.3"
   },
   "peerDependenciesMeta": {
     "@salesforce/pwa-kit-dev": {
@@ -72,5 +72,5 @@
   "publishConfig": {
     "directory": "dist"
   },
-  "gitHead": "0f66d26584f98d3322bffcb70e7feed08c81cc7a"
+  "gitHead": "36ffe8203fe8661e07571b1e6035ee5a3c9d310f"
 }

package/ssr/server/build-remote-server.js

@@ -27,6 +27,7 @@ var _awsServerlessExpress = _interopRequireDefault(require("aws-serverless-expre
 var _morgan = _interopRequireDefault(require("morgan"));
 var _loggerInstance = _interopRequireDefault(require("../../utils/logger-instance"));
 var _httpProxyMiddleware = require("http-proxy-middleware");
+var _convertExpressRoute = require("../../utils/ssr-server/convert-express-route");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
 function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
@@ -179,7 +180,7 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
    * @private
    */
   _isBundleOrProxyPath(url) {
-    return url.includes(_ssrNamespacePaths.proxyBasePath) || url.includes(_ssrNamespacePaths.bundleBasePath);
+    return url.startsWith(_ssrNamespacePaths.proxyBasePath) || url.startsWith(_ssrNamespacePaths.bundleBasePath);
   },
   /**
    * @private
@@ -300,7 +301,12 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
     // We want to remove any base paths that have made it this far.
     // Base paths are used to route requests to the correct server.
     // If the request has reached the server, it is no longer needed.
-    this._setupRemoveBasePathFromPathMiddleware(app);
+    // Note: We use envBasePath as the feature flag for this middleware
+    // If envBasePath is `/`, '', or undefined when the server starts, we don't need to
+    // initialize this middleware.
+    if ((0, _ssrNamespacePaths.getEnvBasePath)()) {
+      this._setupBasePathMiddleware(app);
+    }
 
     // Ordering of the next two calls are vital - we don't
     // want request-processors applied to development views.
@@ -402,85 +408,118 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
   /**
    * @private
    */
-  _setupRemoveBasePathFromPathMiddleware(app) {
-    // Use envBasePath as the feature flag for this middleware
-    // If envBasePath is `/`, '', or undefined when the server starts, we don't need to
-    // initialize this middleware.
-    if ((0, _ssrNamespacePaths.getEnvBasePath)()) {
-      const removeBasePathFromPath = path => {
-        const regex = new RegExp(`^${(0, _ssrNamespacePaths.getEnvBasePath)()}(/|$)`);
-        return path.replace(regex, '/');
-      };
-      const _convertExpressRouteToRegex = routePattern => {
-        if (!routePattern) return null;
-        if (routePattern instanceof RegExp) return routePattern;
-        if (typeof routePattern !== 'string') return null;
+  _setupBasePathMiddleware(app) {
+    // Cache the express route regexes to avoid re-calculating them on every request.
+    let expressRouteRegexes;
 
-        // Replace route parameters like :id with regex capture groups
-        let regexPattern = routePattern.replace(/:[^/]+/g, '[^/]+').replace(/\/\*/g, '/.*').replace(/\*/g, '.*');
+    /**
+     * Remove the base path from a path.
+     *
+     * If path is like '/basepath/something', this returns '/something'
+     * If path is exactly '/basepath', this returns '/'
+     * If path doesn't start with base path or if there is no base path defined,
+     * returns the unmodified path
+     *
+     * @param path {string} the path to remove the base path from
+     * @returns {string} the path with the base path removed
+     */
+    const removeBasePathFromPath = path => {
+      const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
+      if (!basePath) {
+        return path;
+      }
+      if (path.startsWith(basePath + '/')) {
+        return path.substring(basePath.length);
+      } else if (path === basePath) {
+        return '/';
+      }
+      return path;
+    };
 
-        // Escape other regex special characters except those we just handled
-        regexPattern = regexPattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    /**
+     * Initializes a cache of regexes that correspond to the registered express routes
+     *
+     * This specifically omits the generic wildcard from the express routes where we
+     * want to remove the base path from since it is mapped to the app render. This is
+     * because routes sent to the render are handled by React Router
+     */
+    const initializeExpressRouteRegexes = () => {
+      const expressRoutes = app._router.stack.filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
+      expressRouteRegexes = expressRoutes.map(route => (0, _convertExpressRoute.convertExpressRouteToRegex)(route));
+    };
 
-        // Unescape the patterns we want to keep
-        regexPattern = regexPattern.replace(/\\\[\\\^\/\\\]\\\+/g, '[^/]+').replace(/\\\/\\\.\\\*/g, '/.*').replace(/\\\.\\\*/g, '.*').replace(/\\\(/g, '(').replace(/\\\)/g, ')').replace(/\\\?/g, '?');
-        return new RegExp(`^${regexPattern}$`);
-      };
+    /**
+     * Very early request processing.
+     *
+     * If the server receives a request containing the base path, remove it before allowing
+     * the request through to the other express endpoints
+     *
+     * We scope base path removal to /mobify routes and routes defined by the express app
+     * (For example /callback or /worker.js)
+     * This is to avoid affecting React Router routes where a site id or locale might be present
+     * that is equal to the base path.
+     *
+     * For example, if you have a base path of /us and a site id of /us we don't want
+     * to remove the /us from www.example.com/us/en-US/category/... as this route is handled by
+     * React Router and the PWA multisite implementation.
+     *
+     * @param req {express.req} the incoming request - modified in-place
+     * @private
+     */
+    const removeBasePathMiddleware = (req, res, next) => {
+      const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
+
+      // Fast path: /mobify routes always get the base path removed
+      if (req.path.startsWith(`${basePath}/mobify`)) {
+        const cleanPath = removeBasePathFromPath(req.path);
+        const parsed = _url.default.parse(req.url);
+        parsed.pathname = cleanPath;
+        req.url = _url.default.format(parsed);
+        return next();
+      }
 
-      /**
-       * Very early request processing.
-       *
-       * If the server receives a request containing the base path, remove it before allowing it through
-       *
-       * @param req {express.req} the incoming request - modified in-place
-       * @private
-       */
-      const removeBasePathFromPathMiddleware = (req, res, next) => {
-        // Scope base path removal to /mobify routes and routes defined by the express app (ie. worker.js)
-        // This is to avoid affecting other paths where a base path might be present if it happens to
-        // be equal to a site id.
-        // For example, if you have a base path of /us and a site id of /us we don't want
-        // to remove the /us from www.example.com/us/en-US/category/...
-
-        const basePath = (0, _ssrNamespacePaths.getEnvBasePath)();
-        let shouldRemoveBasePath = false;
-        if (basePath) {
-          if (req.path.startsWith(`${basePath}/mobify`)) {
-            shouldRemoveBasePath = true;
-          }
+      // For other routes, only proceed if path actually starts with base path
+      if (!req.path.startsWith(basePath)) {
+        return next();
+      }
 
-          // Check if path matches any existing express route with base path prepended
-          if (!shouldRemoveBasePath) {
-            // Routes are dynamically checked since we want to ensure that any express route
-            // defined after the app is created, such as routes defined in ssr.js, are included.
-            const expressRoutes = app._router.stack
-            // specifically omit the generic wildcard from the express routes we want to
-            // remove the base path from since it is mapped to the app render
-            .filter(layer => layer.route && layer.route.path && layer.route.path !== '*').map(layer => layer.route.path);
-            for (const route of expressRoutes) {
-              if (route) {
-                const routeRegex = _convertExpressRouteToRegex(route);
-                if (routeRegex) {
-                  const pathWithoutBase = req.path.replace(new RegExp(`^${basePath}`), '');
-                  if (routeRegex.test(pathWithoutBase)) {
-                    shouldRemoveBasePath = true;
-                    break;
-                  }
-                }
-              }
+      // Now we know path starts with base path, so we can remove it
+      const cleanPath = removeBasePathFromPath(req.path);
+
+      // Initialize express route regexes if needed
+      // We do this here since we want to ensure that any express route defined
+      // after the app is created, such as routes defined in ssr.js, are included.
+      if (!expressRouteRegexes) {
+        initializeExpressRouteRegexes();
+      }
+
+      // Next we check if the clean path matches any existing express routes
+      // (like /callback or /worker.js)
+      const matchesExpressRoute = expressRouteRegexes.some(routeRegex => {
+        try {
+          return routeRegex.test(cleanPath);
+        } catch (error) {
+          _loggerInstance.default.warn(`Invalid express route pattern: ${routeRegex}`, /* istanbul ignore next */
+          {
+            namespace: 'removeBasePathMiddleware',
+            additionalProperties: {
+              error: error
             }
-          }
-        }
-        if (shouldRemoveBasePath) {
-          const updatedPath = removeBasePathFromPath(req.path);
-          const parsed = _url.default.parse(req.url);
-          parsed.pathname = updatedPath;
-          req.url = _url.default.format(parsed);
+          });
+          return false;
         }
-        next();
-      };
-      app.use(removeBasePathFromPathMiddleware);
-    }
+      });
+
+      // Only update URL if our clean path matches an Express route
+      // This leaves React Router paths (like /en-US/category) unchanged
+      if (matchesExpressRoute) {
+        const parsed = _url.default.parse(req.url);
+        parsed.pathname = cleanPath;
+        req.url = _url.default.format(parsed);
+      }
+      next();
+    };
+    app.use(removeBasePathMiddleware);
   },
   /**
    * @private
@@ -697,7 +736,20 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
       return;
     }
     const encodedSlasCredentials = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
-    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (0, _httpProxyMiddleware.createProxyMiddleware)({
+    app.use(_ssrNamespacePaths.slasPrivateProxyPath, (req, res, next) => {
+      var _req$path, _req$path2;
+      // Check if the request should be blocked before it reaches the proxy
+      // We run this outside of the proxy middleware because modifying the response
+      // to send a 403 in the proxy causes issues with the response interceptor.
+      if (!((_req$path = req.path) !== null && _req$path !== void 0 && _req$path.match(options.slasApiPath)) || (_req$path2 = req.path) !== null && _req$path2 !== void 0 && _req$path2.match(/\/oauth2\/trusted-system/)) {
+        const message = `Request to ${req.path} is not allowed through the SLAS Private Client Proxy`;
+        _loggerInstance.default.error(message);
+        return res.status(403).json({
+          message: message
+        });
+      }
+      next();
+    }, (0, _httpProxyMiddleware.createProxyMiddleware)({
       target: options.slasTarget,
       changeOrigin: true,
       // http-proxy-middleware uses the original incoming request path to determine
@@ -709,8 +761,9 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
         const regex = new RegExp(`^${basePathRegexEntry}${_ssrNamespacePaths.slasPrivateProxyPath}`);
         return path.replace(regex, '');
       },
+      selfHandleResponse: true,
       onProxyReq: (proxyRequest, incomingRequest, res) => {
-        var _incomingRequest$path, _incomingRequest$path2, _incomingRequest$path3, _incomingRequest$path4;
+        var _incomingRequest$path, _incomingRequest$path2;
         (0, _configureProxy.applyProxyRequestHeaders)({
           proxyRequest,
           incomingRequest,
@@ -718,31 +771,41 @@ const RemoteServerFactory = exports.RemoteServerFactory = {
           targetHost: options.slasHostName,
           targetProtocol: 'https'
         });
-
-        // We don't want the proxy to handle any non-SLAS requests
-        // or any trusted system requests
-        if (!((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(options.slasApiPath)) || (_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(/\/oauth2\/trusted-system/)) {
-          const message = `Request to ${incomingRequest.path} is not allowed through the SLAS Private Client Proxy`;
-          _loggerInstance.default.error(message);
-          return res.status(403).json({
-            message: message
-          });
-        }
-
-        // We pattern match and add client secrets only to endpoints that
-        // match the regex specified by options.applySLASPrivateClientToEndpoints.
-        //
-        // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
-        // SLAS logout (/oauth2/logout), use the Authorization header for a different
-        // purpose so we don't want to overwrite the header for those calls.
-        if ((_incomingRequest$path3 = incomingRequest.path) !== null && _incomingRequest$path3 !== void 0 && _incomingRequest$path3.match(options.applySLASPrivateClientToEndpoints)) {
-          proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`);
-        } else if ((_incomingRequest$path4 = incomingRequest.path) !== null && _incomingRequest$path4 !== void 0 && _incomingRequest$path4.match(/\/oauth2\/trusted-agent\/token/)) {
+        if ((_incomingRequest$path = incomingRequest.path) !== null && _incomingRequest$path !== void 0 && _incomingRequest$path.match(/\/oauth2\/trusted-agent\/token/)) {
           // /oauth2/trusted-agent/token endpoint auth header comes from Account Manager
           // so the SLAS private client is sent via this special header
           proxyRequest.setHeader('_sfdc_client_auth', encodedSlasCredentials);
+        } else if ((_incomingRequest$path2 = incomingRequest.path) !== null && _incomingRequest$path2 !== void 0 && _incomingRequest$path2.match(options.applySLASPrivateClientToEndpoints)) {
+          // We pattern match and add client secrets only to endpoints that
+          // match the regex specified by options.applySLASPrivateClientToEndpoints.
+          //
+          // Other SLAS endpoints, ie. SLAS authenticate (/oauth2/login) and
+          // SLAS logout (/oauth2/logout), use the Authorization header for a different
+          // purpose so we don't want to overwrite the header for those calls.
+          proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`);
         }
-      }
+      },
+      onProxyRes: (0, _httpProxyMiddleware.responseInterceptor)((responseBuffer, proxyRes, req, res) => {
+        try {
+          var _req$path3;
+          // If the passwordless login endpoint returns a 404, which corresponds to a user
+          // email not being found, we mask it with a 200 OK response so that it is not
+          // obvious that the user does not exist.
+          // We do this to prevent user enumeration.
+          if ((_req$path3 = req.path) !== null && _req$path3 !== void 0 && _req$path3.match(/\/oauth2\/passwordless\/login/) && proxyRes.statusCode === 404) {
+            res.statusCode = 200;
+            res.statusMessage = 'OK';
+
+            // When a /passwordless/login endpoint response returns 200, it has no body
+            // so we return an empty body here to match an actual 200 response.
+            return Buffer.from('', 'utf8');
+          }
+          return responseBuffer;
+        } catch (error) {
+          console.error('There is an error processing the response from SLAS. Returning original response.', error);
+          return responseBuffer;
+        }
+      })
     }));
   },
   /**

package/ssr/server/express.test.js

@@ -1033,6 +1033,7 @@ describe('SLAS private client proxy', () => {
     }));
     return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/trusted-agent/token').then(response => {
       expect(response.body['_sfdc_client_auth']).toBe(encodedCredentials);
+      expect(response.body.authorization).toBeUndefined();
       expect(response.body.host).toBe('shortCode.api.commercecloud.salesforce.com');
       expect(response.body['x-mobify']).toBe('true');
     });
@@ -1067,6 +1068,36 @@ describe('SLAS private client proxy', () => {
       }));
     }).toThrow('It is not allowed to include /oauth2/trusted-system endpoints in `applySLASPrivateClientToEndpoints`');
   }), 15000);
+  test('proxy returns a 200 OK masking a user not found error', /*#__PURE__*/_asyncToGenerator(function* () {
+    process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'a secret';
+
+    // Create a new mock server specifically for this test so we can mock a response from SLAS
+    const testProxyApp = (0, _express.default)();
+    const testProxyPort = 12346;
+    const testSlasTarget = `http://localhost:${testProxyPort}/shopper/auth/responseHeaders`;
+
+    // Set up the mock server to return a 404 for passwordless login
+    testProxyApp.use('/shopper/auth/responseHeaders', (req, res) => {
+      if (req.url.includes('/oauth2/passwordless/login')) {
+        res.status(404).send();
+      } else {
+        res.send(req.headers);
+      }
+    });
+    const testProxyServer = testProxyApp.listen(testProxyPort);
+    try {
+      const testAppConfig = _objectSpread(_objectSpread({}, appConfig), {}, {
+        slasTarget: testSlasTarget
+      });
+      const app = _buildRemoteServer.RemoteServerFactory._createApp(opts(testAppConfig));
+      return yield (0, _supertest.default)(app).get('/mobify/slas/private/shopper/auth/v1/oauth2/passwordless/login').expect(200).then(response => {
+        expect(response.text).toBe('');
+      });
+    } finally {
+      // Clean up the test server
+      testProxyServer.close();
+    }
+  }));
 });
 describe('Base path tests', () => {
   test('Base path is removed from /mobify request path and still gets through to /mobify endpoint', /*#__PURE__*/_asyncToGenerator(function* () {
@@ -1079,20 +1110,23 @@ describe('Base path tests', () => {
     });
   }), 15000);
   test('should not remove base path from non /mobify non-express routes', /*#__PURE__*/_asyncToGenerator(function* () {
+    // Set base path to something that might also be a site id used by react router routes
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
-      envBasePath: '/basepath'
+      envBasePath: '/us'
     });
     const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
 
-    // Add a route that doesn't match the request
-    app.get('/api/other', (req, res) => {
-      res.status(200).json({
-        message: 'other'
-      });
+    // Add a middleware to capture the request path after base path processing
+    let capturedPath = null;
+    app.use((req, res, next) => {
+      capturedPath = req.path;
+      next();
     });
-    return (0, _supertest.default)(app).get('/basepath/api/unknown').then(response => {
-      // Should get a 404 since the route doesn't exist
-      expect(response.status).toBe(404);
+    return (0, _supertest.default)(app).get('/us/products/123').then(response => {
+      expect(response.status).toBe(404); // 404 because the route doesn't exist in express
+
+      // Verify that the base path was not removed from the request path
+      expect(capturedPath).toBe('/us/products/123');
     });
   }), 15000);
   test('should remove base path from routes with path parameters', /*#__PURE__*/_asyncToGenerator(function* () {
@@ -1128,7 +1162,7 @@ describe('Base path tests', () => {
       expect(response.body.userId).toBe('123');
     });
   }), 15000);
-  test('remove base path can handle complex base paths', /*#__PURE__*/_asyncToGenerator(function* () {
+  test('remove base path can handle multi-part base paths', /*#__PURE__*/_asyncToGenerator(function* () {
     jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
       envBasePath: '/my/base/path'
     });
@@ -1143,4 +1177,25 @@ describe('Base path tests', () => {
       expect(response.body.message).toBe('test');
     });
   }), 15000);
+  test('should handle optional characters in route pattern', /*#__PURE__*/_asyncToGenerator(function* () {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/basepath'
+    });
+    const app = _buildRemoteServer.RemoteServerFactory._createApp(opts());
+
+    // This route is intentionally made complex to test the following:
+    // 1. Optional characters in route pattern ie. 'k?'
+    // 2. Optional characters in route pattern with groups ie. (c)?
+    // 3. Optional characters in route pattern with path parameters ie. (:param?)
+    // 4. Wildcards ie. '*'
+    app.get('/callba(c)?k?*/:param?', (req, res) => {
+      res.status(200).json({
+        message: 'test'
+      });
+    });
+    return (0, _supertest.default)(app).get('/basepath/callback').then(response => {
+      expect(response.status).toBe(200);
+      expect(response.body.message).toBe('test');
+    });
+  }), 15000);
 });

package/utils/ssr-namespace-paths.js

@@ -38,10 +38,31 @@ const getEnvBasePath = () => {
   const config = (0, _ssrConfig.getConfig)();
   let basePath = (config === null || config === void 0 ? void 0 : config.envBasePath) || '';
   if (typeof basePath !== 'string') {
-    _loggerInstance.default.warn('Invalid envBasePath configuration. No base path is applied.');
+    _loggerInstance.default.warn('Invalid envBasePath configuration. No base path is applied.', {
+      namespace: 'ssr-namespace-paths.getEnvBasePath'
+    });
     return '';
   }
-  return basePath.replace(/\/$/, '');
+
+  // Normalize the base path
+  basePath = basePath.trim().replace(/^\/?/, '/') // Ensure leading slash
+  .replace(/\/+/g, '/') // Normalize multiple slashes
+  .replace(/\/$/, ''); // Remove trailing slash
+
+  // Return empty string for root path or empty result
+  if (basePath === '/' || !basePath) {
+    return '';
+  }
+
+  // only allow simple, safe characters
+  // eslint-disable-next-line no-useless-escape
+  if (!/^\/[a-zA-Z0-9\-_\/]*$/.test(basePath)) {
+    _loggerInstance.default.warn('Invalid envBasePath configuration. Only letters, numbers, hyphens, underscores, and slashes allowed. No base path is applied.', {
+      namespace: 'ssr-namespace-paths.getEnvBasePath'
+    });
+    return '';
+  }
+  return basePath;
 };
 exports.getEnvBasePath = getEnvBasePath;
 const proxyBasePath = exports.proxyBasePath = PROXY_PATH_BASE;

package/utils/ssr-namespace-paths.test.js

@@ -29,4 +29,28 @@ describe('ssr-namespace-paths tests', () => {
     });
     expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
   });
+  test('getEnvBasePath removes trailing slash', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample/'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath returns empty string if invalid cahracters are detected in envBasePath', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '/sample.*'
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('');
+  });
+  test('getEnvBasePath normalizes envBasePath', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '  //sample/  '
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/sample');
+  });
+  test('getEnvBasePath works with multiple part base path', () => {
+    jest.spyOn(ssrConfig, 'getConfig').mockReturnValue({
+      envBasePath: '//test/sample/  '
+    });
+    expect((0, _ssrNamespacePaths.getEnvBasePath)()).toBe('/test/sample');
+  });
 });

package/utils/ssr-server/convert-express-route.js

@@ -0,0 +1,126 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.convertExpressRouteToRegex = void 0;
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
+ */
+
+/**
+ * Utillty function that converts an express route pattern into a regex.
+ *
+ * This is used in build-remote-server's removeBasePathMiddleware to check
+ * whether an incoming request path will match a registered Express endpoint.
+ *
+ * @param {string} routePattern - The express route pattern to convert
+ * @returns {RegExp} - The regex that corresponds to the express route pattern
+ * @throws {Error} - If the route pattern is invalid
+ */
+const convertExpressRouteToRegex = routePattern => {
+  if (!routePattern) return null;
+  if (routePattern instanceof RegExp) return routePattern;
+  if (typeof routePattern !== 'string') return null;
+  try {
+    // If it's a string, it's an Express route pattern that needs conversion
+    // Express route patterns can contain:
+    // - Static paths: /users, /about
+    // - Route parameters: :id, :userId
+    // - Optional parameters: :id?
+    // - Regex constraints: :id(\d+)
+    // - Wildcards: *, /*
+    // - Optional characters: abc?
+    // - Optional groups: (abc)?
+
+    let regexPattern = routePattern;
+
+    // Step 1: Handle regex constraints in parameters like :param(regex)
+    // Example: /search/:query(\d+) -> /search/(\d+)
+    // Store the constraints to prevent them from being escaped later
+    const constraints = [];
+    regexPattern = regexPattern.replace(/:([^(/]+)\(([^)]+)\)/g, (match, paramName, constraint) => {
+      const constraintId = `__CONSTRAINT_${constraints.length}__`;
+      constraints.push(constraint);
+      return constraintId;
+    });
+
+    // Step 2: Handle complex optional parameter sequences first
+    // For patterns like /api/:version?/users/:id?/posts/:postId?
+    // We need to make literal segments optional when they're followed by optional parameters
+    regexPattern = regexPattern.replace(/\/([a-zA-Z0-9_-]+)\/:([^(/]+)\?/g, (match, segment, param) => `(?:/${segment}(?:/[^/]+)?)?`);
+
+    // Step 3: Handle remaining optional parameters :param?
+    // For /users/:id?, we want to match both /users and /users/123
+    // So we need to replace the entire pattern, not just the parameter
+    regexPattern = regexPattern.replace(/\/:([^(/]+)\?/g, '(?:/[^/]+)?');
+
+    // Step 4: Handle regular parameters :param
+    regexPattern = regexPattern.replace(/:([^(/]+)/g, '[^/]+');
+
+    // Step 5: Handle wildcards
+    // Express wildcards * should be converted to .* which matches everything including slashes
+    // Handle /* first, then handle standalone * (but not if it's already been converted)
+    regexPattern = regexPattern.replace(/\/\*/g, '/.*');
+    // Handle standalone * that hasn't been converted yet
+    regexPattern = regexPattern.replace(/(?<!\.)\*(?!\*)/g, '.*');
+
+    // Step 6: Handle wildcard + optional parameter combinations
+    // For example /users*/:id?
+    regexPattern = regexPattern.replace(
+    // eslint-disable-next-line no-useless-escape
+    /\.\*\/\(\?\:\/\[(\^\/)\]\+\)\?/g, '.*(?:/(?:[^/]+)?)?');
+
+    // Step 7: Handle optional groups (user|admin) -> (?:user|admin)
+    regexPattern = regexPattern.replace(/\(([^)]*\|[^)]*)\)/g, '(?:$1)');
+
+    // Step 8: Handle optional characters in literal strings
+    // For patterns like /favori?te, /colou?r, /analy?se
+    // The ? makes the preceding character optional
+    regexPattern = regexPattern.replace(/([a-zA-Z0-9])\?/g, (match, char) => `(?:${char})?`);
+
+    // Step 9: Fix double slashes that may have been created
+    regexPattern = regexPattern.replace(/\/\//g, '/');
+
+    // Step 10: Restore regex constraints without escaping
+    constraints.forEach((constraint, index) => {
+      const constraintId = `__CONSTRAINT_${index}__`;
+      regexPattern = regexPattern.replace(constraintId, `(${constraint})`);
+    });
+
+    // Step 10.5: Handle optional parameters with regex constraints
+    // For patterns like /users/:id(\d+)?, we need to make the entire constraint group optional
+    // This step must be applied after the constraints are restored but before root path handling
+    // Only apply to actual constraint groups, not already processed optional groups
+    regexPattern = regexPattern.replace(/\(([^)]+)\)\?/g, (match, content) => {
+      // Only convert if this looks like a regex constraint (contains regex patterns like \d, \w, etc.)
+      // and is not already an optional group (doesn't start with ?:)
+      if ((/\\[dwDsS]/.test(content) || /[^a-zA-Z0-9\s]/.test(content)) && !content.startsWith('?:')) {
+        return `(?:${content})?`;
+      }
+      return match;
+    });
+
+    // Step 11: Only escape literal characters that need escaping, but not regex constraints
+    // Don't escape curly braces {} as they're used in regex quantifiers
+    // eslint-disable-next-line no-useless-escape
+    regexPattern = regexPattern.replace(/[\$]/g, '\\$&');
+
+    // Step 12: Handle root path optional parameters
+    // For patterns like /:id? or /*, we need to handle the root path correctly
+    if (regexPattern === '^(?:/[^/]+)?$') {
+      // This is a root optional parameter, should match both / and /something
+      regexPattern = '^(?:/|/[^/]+)$';
+    } else if (regexPattern === '^/.*$') {
+      // This is a root wildcard, should match everything including /
+      regexPattern = '^/.*$';
+    }
+    return new RegExp(`^${regexPattern}$`);
+  } catch (error) {
+    throw new Error(`Invalid route pattern: ${routePattern}`);
+  }
+};
+exports.convertExpressRouteToRegex = convertExpressRouteToRegex;