@salesforce/webapp-template-feature-react-authentication-experimental 1.6.2 → 1.7.0

package/dist/CHANGELOG.md

@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [1.7.0](https://github.com/salesforce-experience-platform-emu/webapps/compare/v1.6.2...v1.7.0) (2026-02-04)
+
+**Note:** Version bump only for package @salesforce/webapp-template-base-sfdx-project-experimental
+
+
+
+
+
 ## [1.6.2](https://github.com/salesforce-experience-platform-emu/webapps/compare/v1.6.1...v1.6.2) (2026-02-04)
 
 **Note:** Version bump only for package @salesforce/webapp-template-base-sfdx-project-experimental

package/dist/force-app/main/default/classes/WebAppAuthUtils.cls

@@ -0,0 +1,56 @@
+/**
+ * Utility class for Web Application authentication REST endpoints.
+ */
+public without sharing class WebAppAuthUtils {
+
+    /**
+     * Exception for authentication errors with HTTP status code support.
+     */
+    public class AuthException extends Exception {
+        public Integer statusCode { get; private set; } // HTTP status code (e.g. 400, 500)
+        public List<String> messages { get; private set; } // List of error messages
+
+        public AuthException(Integer statusCode, String message) {
+            this.statusCode = statusCode;
+            this.messages = new List<String>{ message };
+        }
+
+        public AuthException(Integer statusCode, List<String> messages) {
+            this.statusCode = statusCode;
+            this.messages = new List<String>(messages);
+        }
+    }
+
+    /**
+     * Validates and sanitizes redirect URL to prevent open redirect vulnerabilities.
+     * @param url The URL to validate.
+     * @param defaultUrl Fallback URL if validation fails.
+     * @return Sanitized URL or defaultUrl if invalid.
+     */
+    public static String getSanitizedStartUrl(String url, String defaultUrl) {
+        if (String.isBlank(url) || url.equals('/')) { return defaultUrl; }
+        
+        String decoded; // Decode URL to catch encoded bypasses (%2f%2f -> //)
+        try {
+            decoded = EncodingUtil.urlDecode(url, 'UTF-8');
+        } catch (Exception e) {
+            return defaultUrl;
+        }
+        
+        // Must start with / but not // (protocol-relative)
+        if (!decoded.startsWith('/') || decoded.startsWith('//')) { return defaultUrl; }
+        // Reject backslashes (some browsers treat \ as /)
+        if (decoded.contains('\\')) { return defaultUrl; }
+        // Reject @ which can indicate user info in URL (//user@evil.com)
+        if (decoded.contains('@')) { return defaultUrl; }
+        // Reject : which could indicate protocol or port manipulation
+        if (decoded.contains(':')) { return defaultUrl; }
+        // Reject control characters (ASCII < 32) and DEL (127)
+        for (Integer i = 0; i < decoded.length(); i++) {
+            Integer charCode = decoded.charAt(i);
+            if (charCode < 32 || charCode == 127) { return defaultUrl; }
+        }
+        
+        return defaultUrl + url;
+    }
+}

package/dist/force-app/main/default/classes/WebAppAuthUtils.cls-meta.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
+    <apiVersion>66.0</apiVersion>
+    <status>Active</status>
+</ApexClass>

package/dist/force-app/main/default/classes/WebAppRegistration.cls

@@ -0,0 +1,161 @@
+/**
+ * REST endpoint for Web Applications for user self-registration.
+ * 
+ * Endpoint: POST /services/apexrest/auth/register/
+ * 
+ * Creates a new external user account, validates credentials against org password policy,
+ * and returns a login URL for automatic session creation.
+ * 
+ * Security: Uses 'without sharing' to allow guest users to check for duplicate usernames.
+ */
+@RestResource(urlMapping='/auth/register/')
+global without sharing class WebAppRegistration {
+
+    /**
+     * Registers a new external user and logs them in.
+     * @param request The registration request containing user details.
+     * @return SuccessResponse or ErrorResponse.
+     */
+    @HttpPost
+    global static RegistrationResponse registerUser(RegistrationRequest request) {
+        Savepoint sp = Database.setSavepoint();
+        try {
+            request.validate();
+            
+            User u = new User(
+                Username = request.email,
+                Email = request.email,
+                FirstName = request.firstName,
+                LastName = request.lastName,
+                // Generate unique nickname: first initial + up to 20 chars of last name + 4 random digits
+                CommunityNickname = request.firstName.left(1) + request.lastName.left(20) +
+                    String.valueOf(Crypto.getRandomInteger()).left(4)
+            );
+
+            validatePassword(u, request.password);
+            createUser(u, request.password);
+
+            String startUrl = WebAppAuthUtils.getSanitizedStartUrl(request.startUrl, Site.getPathPrefix());
+            PageReference pageRef = Site.login(request.email, request.password, startUrl);
+
+            return new SuccessRegistrationResponse(pageRef?.getUrl());
+        } catch (WebAppAuthUtils.AuthException ex) {
+            Database.rollback(sp);
+            RestContext.response.statusCode = ex.statusCode;
+            return new ErrorRegistrationResponse(ex.messages);
+        } catch (Exception ex) {
+            Database.rollback(sp);
+            RestContext.response.statusCode = 500;
+            return new ErrorRegistrationResponse(ex.getMessage());
+        }
+    }
+
+    /**
+     * Base response class for registration.
+     */
+    global abstract class RegistrationResponse {
+    }
+
+    /**
+     * Success response with login URL.
+     */
+    global class SuccessRegistrationResponse extends RegistrationResponse {
+        global String loginUrl;
+        
+        global SuccessRegistrationResponse(String loginUrl) {
+            this.loginUrl = loginUrl;
+        }
+    }
+
+    /**
+     * Error response with error messages.
+     */
+    global class ErrorRegistrationResponse extends RegistrationResponse {
+        global List<String> errors;
+        
+        global ErrorRegistrationResponse(List<String> errors) {
+            this.errors = new List<String>(errors);
+        }
+
+        global ErrorRegistrationResponse(String error) {
+            this.errors = new List<String>{ error };
+        }
+    }
+
+    /**
+     * Request payload for user registration.
+     */
+    global class RegistrationRequest {
+        global String email;
+        global String firstName;
+        global String lastName;
+        global String password;
+        global String startUrl;
+
+        /**
+         * Trims fields and validates required fields and business rules.
+         * @throws WebAppAuthUtils.AuthException if validation fails.
+         */
+        public void validate() {
+            email = email?.trim()?.toLowerCase();
+            firstName = firstName?.trim();
+            lastName = lastName?.trim();
+            startUrl = startUrl?.trim();
+
+            List<String> errors = new List<String>();
+            if (String.isBlank(firstName)) { errors.add('First name is required.'); }
+            if (String.isBlank(lastName)) { errors.add('Last name is required.'); }
+            if (String.isBlank(password)) { errors.add('Password is required.'); }
+            if (!Site.isValidUserName(email)) { errors.add('Email is invalid.'); }
+            else if (!isUserUnique(email)) {
+                errors.add('A user with this email already exists.');
+            }
+            if (!errors.isEmpty()) {
+                throw new WebAppAuthUtils.AuthException(400, errors);
+            }
+        }
+    }
+
+    /**
+     * Validates password against org password policy.
+     * @param user The user record.
+     * @param password The password to validate.
+     * @throws WebAppAuthUtils.AuthException if password does not meet requirements.
+     */
+    private static void validatePassword(User user, String password) {
+        try {
+            Site.validatePassword(user, password, password);
+        } catch (System.SecurityException ex) {
+            throw new WebAppAuthUtils.AuthException(400, ex.getMessage());
+        }
+    }
+
+    /**
+     * Creates the external user account.
+     * @param u The user record.
+     * @param password The password for the new user.
+     * @return The new user's ID.
+     * @throws WebAppAuthUtils.AuthException if user creation fails.
+     */
+    private static String createUser(User u, String password) {
+        String userId;
+        try {
+            userId = Site.createExternalUser(u, null, password);
+        } catch (Site.ExternalUserCreateException ex) {
+            throw new WebAppAuthUtils.AuthException(500, ex.getDisplayMessages());
+        }
+        if (userId == null) {
+            throw new WebAppAuthUtils.AuthException(500, 'Could not register new user.');
+        }
+        return userId;
+    }
+
+    /**
+     * Checks if a username is unique (not already taken).
+     * @param username The username to check.
+     * @return {@code true} if unique, {@code false} if already exists.
+     */
+    private static Boolean isUserUnique(String username) {
+        return [SELECT Id FROM User WHERE Username = :username LIMIT 1].isEmpty();
+    }
+}

package/dist/force-app/main/default/classes/WebAppRegistration.cls-meta.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<ApexClass xmlns="http://soap.sforce.com/2006/04/metadata">
+    <apiVersion>66.0</apiVersion>
+    <status>Active</status>
+</ApexClass>

package/dist/force-app/main/default/webapplications/feature-react-authentication/src/pages/Register.tsx

@@ -14,6 +14,10 @@ import {
 	getErrorMessage,
 } from "../utils/helpers";
 
+interface RegistrationResponse {
+	loginUrl: string | null;
+}
+
 const registerSchema = z
 	.object({
 		firstName: z.string().trim().min(1, "First name is required"),
@@ -21,6 +25,7 @@ const registerSchema = z
 		email: emailSchema,
 		password: passwordSchema,
 		confirmPassword: z.string().min(1, "Please confirm your password"),
+		startUrl: z.string(),
 	})
 	.refine((data) => data.password === data.confirmPassword, {
 		message: "Passwords do not match",
@@ -33,21 +38,35 @@ export default function Register() {
 	const [submitError, setSubmitError] = useState<string | null>(null);
 
 	const form = useAppForm({
-		defaultValues: { firstName: "", lastName: "", email: "", password: "", confirmPassword: "" },
+		defaultValues: {
+			firstName: "",
+			lastName: "",
+			email: "",
+			password: "",
+			confirmPassword: "",
+			startUrl: getStartUrl(searchParams) || "",
+		},
 		validators: { onChange: registerSchema, onSubmit: registerSchema },
-		onSubmit: async ({ value }) => {
+		onSubmit: async ({ value: formFieldValues }) => {
 			setSubmitError(null);
 			try {
 				// [Dev Note] Calls the custom Apex REST endpoint for user registration.
 				// Ensure your Apex logic handles duplicate checks and user creation (e.g., Site.createExternalUser).
-				const response = await baseClient.post("/services/apexrest/auth/register", {
-					firstName: value.firstName.trim(),
-					lastName: value.lastName.trim(),
-					email: value.email.trim().toLowerCase(),
-					password: value.password,
+				const { confirmPassword, ...request } = formFieldValues;
+				const response = await baseClient.post("/sfdcapi/services/apexrest/auth/register/", {
+					request,
 				});
-				await handleApiResponse(response, "Registration failed");
-				navigate(getStartUrl(searchParams), { replace: true });
+				const result = await handleApiResponse<RegistrationResponse>(
+					response,
+					"Registration failed",
+				);
+				if (result?.loginUrl) {
+					// Hard navigate to the URL which logs the new user in
+					window.location.replace(result.loginUrl);
+				} else {
+					// In case loginUrl is null, redirect to the login page
+					navigate(ROUTES.LOGIN.PATH, { replace: true });
+				}
 			} catch (err) {
 				setSubmitError(getErrorMessage(err, "Registration failed"));
 			}

package/dist/force-app/main/default/webapplications/feature-react-authentication/src/utils/helpers.ts

@@ -155,7 +155,22 @@ function parseApiResponseError(
 	data: any,
 	fallbackError: string = "An unknown error occurred",
 ): string {
-	return (
-		data?.message || data?.error || (Array.isArray(data) ? data[0]?.message : null) || fallbackError
-	);
+	if (data?.message) {
+		return data.message;
+	}
+	if (data?.error) {
+		return data.error;
+	}
+	if (data?.errors && Array.isArray(data.errors) && data.errors.length > 0) {
+		return data.errors.join(" ") || fallbackError;
+	}
+	if (Array.isArray(data) && data.length > 0) {
+		return (
+			data
+				.map((e) => e?.message)
+				.filter(Boolean)
+				.join(" ") || fallbackError
+		);
+	}
+	return fallbackError;
 }

package/dist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/webapp-template-base-sfdx-project-experimental",
-  "version": "1.6.2",
+  "version": "1.7.0",
   "description": "Base SFDX project template",
   "private": true,
   "files": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/webapp-template-feature-react-authentication-experimental",
-  "version": "1.6.2",
+  "version": "1.7.0",
   "description": "Authentication feature for web applications",
   "license": "ISC",
   "author": "",
@@ -19,7 +19,7 @@
     "watch": "npx tsx ../../cli/src/index.ts watch-patches packages/template/feature/feature-react-authentication packages/template/base-app/base-react-app packages/template/feature/feature-react-authentication/dist"
   },
   "devDependencies": {
-    "@salesforce/webapp-experimental": "^1.6.2",
+    "@salesforce/webapp-experimental": "^1.7.0",
     "@tanstack/react-form": "^1.27.7",
     "@types/react": "^19.2.7",
     "@types/react-dom": "^19.2.3",
@@ -27,5 +27,5 @@
     "react-router": "^7.10.1",
     "vite": "^7.3.1"
   },
-  "gitHead": "3eb79262b3c2c37339863ab1b51e54bcb1ecf07f"
+  "gitHead": "a54d5cb1ebbbd4671fbbe097750e8b53f172b796"
 }