@shopify/hydrogen 2026.1.3 → 2026.1.4

package/dist/development/index.cjs

@@ -610,7 +610,7 @@ function getPrivacyBanner() {
 }
 
 // package.json
-var version = "2026.1.3";
+var version = "2026.1.4";
 
 // src/analytics-manager/ShopifyAnalytics.tsx
 function getCustomerPrivacyRequired() {
@@ -1326,6 +1326,7 @@ function getStorefrontHeaders(request) {
   };
 }
 var SFAPI_RE = /^\/api\/(unstable|2\d{3}-\d{2})\/graphql\.json$/;
+var MCP_RE = /^\/api\/mcp$/;
 var getSafePathname = (url) => {
   try {
     return new URL(url, "http://e.c").pathname;
@@ -2005,7 +2006,7 @@ function generateUUID() {
 }
 
 // src/version.ts
-var LIB_VERSION = "2026.1.3";
+var LIB_VERSION = "2026.1.4";
 
 // src/utils/graphql.ts
 function minifyQuery(string) {
@@ -2430,6 +2431,70 @@ function createStorefrontClient(options) {
         );
         return new Response(sfapiResponse.body, sfapiResponse);
       },
+      /**
+       * Checks if the request is targeting the Storefront MCP endpoint.
+       */
+      isMcpUrl(request) {
+        return MCP_RE.test(getSafePathname(request.url ?? ""));
+      },
+      /**
+       * Forwards the request to the Storefront MCP endpoint.
+       * CORS headers are intentionally omitted — the Storefront MCP
+       * server is server-to-server only (OPTIONS preflight returns 404).
+       */
+      async forwardMcp(request) {
+        const forwardedHeaders = new Headers([
+          ...extractHeaders(
+            (key) => request.headers.get(key),
+            [
+              "accept",
+              "accept-encoding",
+              "accept-language",
+              "content-type",
+              "cookie",
+              "origin",
+              "referer",
+              "user-agent"
+            ]
+          ),
+          ...extractHeaders(
+            (key) => defaultHeaders[key],
+            [
+              SHOPIFY_CLIENT_IP_HEADER,
+              SHOPIFY_CLIENT_IP_SIG_HEADER,
+              STOREFRONT_ACCESS_TOKEN_HEADER,
+              STOREFRONT_REQUEST_GROUP_ID_HEADER,
+              hydrogenReact.SHOPIFY_STOREFRONT_ID_HEADER
+            ]
+          )
+        ]);
+        if (storefrontHeaders?.buyerIp) {
+          forwardedHeaders.set("x-forwarded-for", storefrontHeaders.buyerIp);
+        }
+        const mcpUrl = `${getShopifyDomain()}/api/mcp`;
+        try {
+          const mcpResponse = await fetch(mcpUrl, {
+            method: request.method,
+            body: request.body,
+            headers: forwardedHeaders
+          });
+          return new Response(mcpResponse.body, mcpResponse);
+        } catch (error) {
+          const JSON_RPC_INTERNAL_ERROR = -32603;
+          const message = error instanceof Error ? error.message : "Internal proxy error";
+          return new Response(
+            JSON.stringify({
+              jsonrpc: "2.0",
+              error: { code: JSON_RPC_INTERNAL_ERROR, message },
+              id: null
+            }),
+            {
+              status: 502,
+              headers: { "content-type": "application/json" }
+            }
+          );
+        }
+      },
       setCollectedSubrequestHeaders: (response) => {
         if (collectedSubrequestHeaders) {
           for (const value of collectedSubrequestHeaders.setCookie) {
@@ -3923,29 +3988,32 @@ function createCustomerAccountHelper(customerApiVersion, shopId) {
 
 // src/customer/customer.ts
 var HYDROGEN_TUNNEL_DOMAIN_SUFFIX = ".tryhydrogen.dev";
-function throwIfNotTunnelled(hostname) {
-  {
-    if (!hostname.endsWith(HYDROGEN_TUNNEL_DOMAIN_SUFFIX)) {
-      throw new Response(
-        [
-          "Customer Account API OAuth requires a Hydrogen tunnel in local development.",
-          "Run the development server with the `--customer-account-push` flag,",
-          `then open the tunnel URL shown in your terminal (\`https://*${HYDROGEN_TUNNEL_DOMAIN_SUFFIX}\`) instead of localhost.`
-        ].join("\n\n"),
-        {
-          status: 400,
-          headers: {
-            "Content-Type": "text/plain; charset=utf-8"
-          }
-        }
-      );
-    }
+function checkTunnelDomain(hostname, useCustomAuthDomain, redirectUri) {
+  if (hostname.endsWith(HYDROGEN_TUNNEL_DOMAIN_SUFFIX)) return;
+  if (useCustomAuthDomain) {
+    const redirectHint = redirectUri ? ` (${redirectUri})` : "";
+    warnOnce(
+      `[h2:warn:customerAccount] You are using a custom domain (${hostname}) instead of a Hydrogen dev tunnel. Make sure you have manually registered your redirect_uri${redirectHint} in your Customer Account API settings in the Shopify admin. See https://shopify.dev/docs/api/customer for details.`
+    );
+    return;
   }
+  throw new Response(
+    [
+      "Customer Account API OAuth requires a Hydrogen tunnel in local development.",
+      "Run the development server with the `--customer-account-push` flag,",
+      `then open the tunnel URL shown in your terminal (\`https://*${HYDROGEN_TUNNEL_DOMAIN_SUFFIX}\`) instead of localhost.`
+    ].join("\n\n"),
+    {
+      status: 400,
+      headers: {
+        "Content-Type": "text/plain; charset=utf-8"
+      }
+    }
+  );
 }
 function defaultAuthStatusHandler(request, defaultLoginUrl) {
   if (!request.url) return defaultLoginUrl;
-  const { hostname, pathname } = new URL(request.url);
-  throwIfNotTunnelled(hostname);
+  const { pathname } = new URL(request.url);
   const cleanedPathname = pathname.replace(/\.data$/, "").replace(/\/_root$/, "/").replace(/(.+)\/$/, "$1");
   const redirectTo = defaultLoginUrl + `?${new URLSearchParams({ return_to: cleanedPathname }).toString()}`;
   return redirect(redirectTo);
@@ -3963,7 +4031,8 @@ function createCustomerAccountClient({
   loginPath = "/account/login",
   authorizePath = "/account/authorize",
   defaultRedirectPath = "/account",
-  language
+  language,
+  useCustomAuthDomain
 }) {
   if (customerApiVersion !== DEFAULT_CUSTOMER_API_VERSION) {
     console.warn(
@@ -3980,7 +4049,6 @@ function createCustomerAccountClient({
       "[h2:error:createCustomerAccountClient] The request object does not contain a URL."
     );
   }
-  const authStatusHandler = customAuthStatusHandler ? customAuthStatusHandler : () => defaultAuthStatusHandler(request, loginPath);
   const requestUrl = new URL(request.url);
   const httpsOrigin = requestUrl.protocol === "http:" ? requestUrl.origin.replace("http", "https") : requestUrl.origin;
   const redirectUri = ensureLocalRedirectUrl({
@@ -3988,6 +4056,11 @@ function createCustomerAccountClient({
     defaultUrl: authorizePath,
     redirectUrl: authUrl
   });
+  const ensureTunnel = (hostname) => checkTunnelDomain(hostname, useCustomAuthDomain, redirectUri);
+  const authStatusHandler = customAuthStatusHandler ? customAuthStatusHandler : () => {
+    ensureTunnel(requestUrl.hostname);
+    return defaultAuthStatusHandler(request, loginPath);
+  };
   const getCustomerAccountUrl = createCustomerAccountHelper(
     customerApiVersion,
     shopId
@@ -4109,7 +4182,7 @@ function createCustomerAccountClient({
       return session.get(CUSTOMER_ACCOUNT_SESSION_KEY)?.accessToken;
   }
   async function mutate(mutation, options) {
-    throwIfNotTunnelled(requestUrl.hostname);
+    ensureTunnel(requestUrl.hostname);
     ifInvalidCredentialThrowError();
     mutation = minifyQuery(mutation);
     assertMutation(mutation, "customer.mutate");
@@ -4119,7 +4192,7 @@ function createCustomerAccountClient({
     );
   }
   async function query(query2, options) {
-    throwIfNotTunnelled(requestUrl.hostname);
+    ensureTunnel(requestUrl.hostname);
     ifInvalidCredentialThrowError();
     query2 = minifyQuery(query2);
     assertQuery(query2, "customer.query");
@@ -4143,7 +4216,7 @@ function createCustomerAccountClient({
   return {
     i18n: { language: language ?? "EN" },
     login: async (options) => {
-      throwIfNotTunnelled(requestUrl.hostname);
+      ensureTunnel(requestUrl.hostname);
       ifInvalidCredentialThrowError();
       const loginUrl = new URL(getCustomerAccountUrl("AUTH" /* AUTH */));
       const state = generateState();
@@ -4195,7 +4268,7 @@ function createCustomerAccountClient({
       return redirect(loginUrl.toString());
     },
     logout: async (options) => {
-      throwIfNotTunnelled(requestUrl.hostname);
+      ensureTunnel(requestUrl.hostname);
       ifInvalidCredentialThrowError();
       const idToken = session.get(CUSTOMER_ACCOUNT_SESSION_KEY)?.idToken;
       const postLogoutRedirectUri = ensureLocalRedirectUrl({
@@ -4230,7 +4303,7 @@ function createCustomerAccountClient({
     mutate,
     query,
     authorize: async () => {
-      throwIfNotTunnelled(requestUrl.hostname);
+      ensureTunnel(requestUrl.hostname);
       ifInvalidCredentialThrowError();
       const code = requestUrl.searchParams.get("code");
       const state = requestUrl.searchParams.get("state");
@@ -4436,6 +4509,7 @@ function createHydrogenContext(options, additionalContext) {
     customerApiVersion: customerAccountOptions?.apiVersion,
     authUrl: customerAccountOptions?.authUrl,
     customAuthStatusHandler: customerAccountOptions?.customAuthStatusHandler,
+    useCustomAuthDomain: customerAccountOptions?.useCustomAuthDomain,
     // locale - i18n.language is a union of StorefrontLanguageCode | CustomerLanguageCode
     // We cast here because createCustomerAccountClient expects CustomerLanguageCode specifically,
     // but the union type is compatible since most language codes overlap between the two APIs
@@ -4548,6 +4622,11 @@ function createRequestHandler({
         appendPoweredByHeader?.(response2);
         return response2;
       }
+      if (storefront?.isMcpUrl(request)) {
+        const response2 = await storefront.forwardMcp(request);
+        appendPoweredByHeader?.(response2);
+        return response2;
+      }
     }
     const response = await handleRequest(request, context);
     if (storefront && proxyStandardRoutes) {