@sitecore-content-sdk/nextjs 1.5.0 → 2.0.0-canary.10

package/dist/cjs/{middleware/redirects-middleware.js → proxy/redirects-proxy.js}

@@ -12,31 +12,30 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RedirectsMiddleware = void 0;
-const core_1 = require("@sitecore-content-sdk/core");
-const site_1 = require("@sitecore-content-sdk/core/site");
-const utils_1 = require("@sitecore-content-sdk/core/utils");
+exports.RedirectsProxy = void 0;
+const site_1 = require("@sitecore-content-sdk/content/site");
+const tools_1 = require("@sitecore-content-sdk/core/tools");
 const server_1 = require("next/server");
 const regex_parser_1 = __importDefault(require("regex-parser"));
-const middleware_1 = require("./middleware");
+const proxy_1 = require("./proxy");
+const debug_1 = __importDefault(require("../debug"));
 const REGEXP_CONTEXT_SITE_LANG = new RegExp(/\$siteLang/, 'i');
 const REGEXP_ABSOLUTE_URL = new RegExp('^(?:[a-z]+:)?//', 'i');
 /**
- * Middleware / handler fetches all redirects from Sitecore instance by grapqhl service
+ * Proxy / handler fetches all redirects from Sitecore instance by grapqhl service
  * compares with current url and redirects to target url
  * @public
  */
-class RedirectsMiddleware extends middleware_1.MiddlewareBase {
+class RedirectsProxy extends proxy_1.ProxyBase {
     /**
-     * @param {RedirectsMiddlewareConfig} [config] redirects middleware config
+     * @param {RedirectsProxyConfig} [config] redirects proxy config
      */
     constructor(config) {
-        var _a;
         super(config);
         this.config = config;
         this.handle = (req, res) => __awaiter(this, void 0, void 0, function* () {
             if (!this.config.enabled) {
-                core_1.debug.redirects('skipped (redirects middleware is disabled globally)');
+                debug_1.default.redirects('skipped (redirects proxy is disabled globally)');
                 return res;
             }
             try {
@@ -45,124 +44,133 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
                 const hostname = this.getHostHeader(req) || this.defaultHostname;
                 let site;
                 const startTimestamp = Date.now();
-                core_1.debug.redirects('redirects middleware start: %o', {
+                debug_1.default.redirects('redirects proxy start: %o', {
                     pathname,
                     language,
                     hostname,
                 });
                 if (this.disabled(req, res)) {
-                    core_1.debug.redirects('skipped (redirects middleware is disabled)');
+                    debug_1.default.redirects('skipped (redirects proxy is disabled)');
                     return res;
                 }
                 const isAppRouterRequest = this.isAppRouter(res);
-                const createResponse = () => __awaiter(this, void 0, void 0, function* () {
-                    var _a;
+                const validateRequest = () => {
                     if (this.isPreview(req)) {
-                        core_1.debug.redirects('skipped (preview)');
-                        return res;
+                        debug_1.default.redirects('skipped (preview)');
+                        return false;
                     }
                     // Skip prefetch requests from Next.js, which are not original client requests
-                    // as they load unnecessary requests that burden the redirects middleware with meaningless traffic
+                    // as they load unnecessary requests that burden the redirects proxy with meaningless traffic
                     if (this.isPrefetch(req)) {
-                        core_1.debug.redirects('skipped (prefetch)');
-                        res.headers.set('x-middleware-cache', 'no-cache');
+                        debug_1.default.redirects('skipped (prefetch)');
+                        res.headers.set('x-proxy-cache', 'no-cache');
                         res.headers.set('Cache-Control', 'no-store, must-revalidate');
-                        return res;
+                        return false;
+                    }
+                    return true;
+                };
+                if (!validateRequest()) {
+                    return res;
+                }
+                site = this.getSite(req, res);
+                // Find the redirect from result of RedirectService
+                const existsRedirect = yield this.getExistsRedirect(req, site.name);
+                if (!existsRedirect) {
+                    debug_1.default.redirects('skipped (redirect does not exist)');
+                    return res;
+                }
+                debug_1.default.redirects('Matched redirect rule: %o', { existsRedirect });
+                const processAbsoluteUrlTarget = (url, existsRedirect) => {
+                    var _a;
+                    // Redirect logic for absolute (external or not) URLS. To avoid locale stripping: use plain string for external URLs to prevent Next.js rewriting.
+                    let targetUrl = existsRedirect.target;
+                    if (url.search && existsRedirect.isQueryStringPreserved) {
+                        const incomingQS = new URLSearchParams((_a = url.search) !== null && _a !== void 0 ? _a : '');
+                        const [targetMainUrl, targetQS] = targetUrl.split('?');
+                        const mergedQueryString = (0, tools_1.mergeURLSearchParams)(incomingQS, new URLSearchParams(targetQS || ''));
+                        targetUrl = `${targetMainUrl}?${mergedQueryString}`;
                     }
-                    site = this.getSite(req, res);
-                    // Find the redirect from result of RedirectService
-                    const existsRedirect = yield this.getExistsRedirect(req, site.name);
-                    if (!existsRedirect) {
-                        core_1.debug.redirects('skipped (redirect does not exist)');
-                        return res;
+                    return this.dispatchRedirect(targetUrl, existsRedirect.redirectType, req, res, true);
+                };
+                const processRelativeUrlTarget = (url, existsRedirect) => {
+                    var _a;
+                    let targetUrl = existsRedirect.target;
+                    const possiblyLocalePrefix = targetUrl.split('/')[1];
+                    let targetLocale = '';
+                    if (this.locales.includes(possiblyLocalePrefix)) {
+                        targetLocale = possiblyLocalePrefix;
+                        targetUrl = targetUrl.replace(`/${possiblyLocalePrefix}`, '');
                     }
-                    core_1.debug.redirects('Matched redirect rule: %o', { existsRedirect });
-                    // Find context site language and replace token
-                    if (REGEXP_CONTEXT_SITE_LANG.test(existsRedirect.target) &&
-                        !(REGEXP_ABSOLUTE_URL.test(existsRedirect.target) &&
-                            existsRedirect.target.includes(hostname))) {
-                        existsRedirect.target = existsRedirect.target.replace(REGEXP_CONTEXT_SITE_LANG, site.language);
-                        if (!isAppRouterRequest) {
-                            req.nextUrl.locale = site.language;
-                        }
+                    else if (existsRedirect.isLanguagePreserved) {
+                        targetLocale = language;
                     }
-                    const url = this.normalizeUrl(req.nextUrl.clone());
-                    // Redirect logic for external (absolute) URLS. To avoid locale stripping: use plain string for external URLs to prevent Next.js rewriting.
-                    if (REGEXP_ABSOLUTE_URL.test(existsRedirect.target)) {
-                        // Perform variable substitution for absolute URLs
-                        let finalTarget = existsRedirect.target;
-                        if ((0, utils_1.isRegexOrUrl)(existsRedirect.pattern) === 'regex') {
-                            const matched = url.pathname
-                                .replace(/\/*$/gi, '')
-                                .match((0, regex_parser_1.default)(existsRedirect.pattern));
-                            if (matched) {
-                                finalTarget = existsRedirect.target.replace(/\$(\d+)/g, (_, index) => {
-                                    return matched[parseInt(index, 10)] || '';
-                                });
-                            }
-                        }
-                        return this.dispatchRedirect(finalTarget, existsRedirect.redirectType, req, res, true);
+                    let [targetMainUrl, targetQS] = targetUrl.split('?');
+                    if (url.search && existsRedirect.isQueryStringPreserved) {
+                        const incomingQS = new URLSearchParams((_a = url.search) !== null && _a !== void 0 ? _a : '');
+                        targetQS = (0, tools_1.mergeURLSearchParams)(incomingQS, new URLSearchParams(targetQS || ''));
+                    }
+                    const prepareNewURL = new URL(`${targetMainUrl}${targetQS ? '?' + targetQS : ''}`, url.origin);
+                    const basePath = url.basePath; // setting NextUrl.href overrides basePath, so we need to store it
+                    url.href = prepareNewURL.href;
+                    url.pathname = prepareNewURL.pathname;
+                    url.search = prepareNewURL.search;
+                    // NextUrl setter sets '/' by default if basePath is empty
+                    // this causes issues when basePath is not configured so we need to set it only if exists
+                    if (basePath) {
+                        url.basePath = basePath;
+                    }
+                    if (!isAppRouterRequest) {
+                        // for pages router i18n implementation, apply default locale as backup
+                        url.locale = targetLocale || req.nextUrl.defaultLocale || 'en';
                     }
                     else {
-                        const isUrl = (0, utils_1.isRegexOrUrl)(existsRedirect.pattern) === 'url';
-                        const targetParts = existsRedirect.target.split('/');
-                        const urlFirstPart = targetParts[1];
-                        if (this.locales.includes(urlFirstPart)) {
-                            if (!isAppRouterRequest) {
-                                req.nextUrl.locale = urlFirstPart;
-                            }
-                            existsRedirect.target = existsRedirect.target.replace(`/${urlFirstPart}`, '');
-                        }
-                        const targetSegments = isUrl
-                            ? existsRedirect.target.split('?')
-                            : url.pathname.replace(/\/*$/gi, '') + existsRedirect.matchedQueryString;
-                        const [targetPath, targetQueryString] = isUrl
-                            ? targetSegments
-                            : targetSegments
-                                .replace((0, regex_parser_1.default)(existsRedirect.pattern), existsRedirect.target)
-                                .replace(/^\/\//, '/')
-                                .split('?');
-                        const mergedQueryString = existsRedirect.isQueryStringPreserved
-                            ? (0, utils_1.mergeURLSearchParams)(new URLSearchParams((_a = url.search) !== null && _a !== void 0 ? _a : ''), new URLSearchParams(targetQueryString || ''))
-                            : targetQueryString || '';
-                        const prepareNewURL = new URL(`${targetPath}${mergedQueryString ? '?' + mergedQueryString : ''}`, url.origin);
-                        const basePath = url.basePath; // setting NextUrl.href overrides basePath, so we need to store it
-                        url.href = prepareNewURL.href;
-                        url.pathname = prepareNewURL.pathname;
-                        url.search = prepareNewURL.search;
-                        // NextUrl setter sets '/' by default if basePath is empty
-                        // this causes issues when basePath is not configured so we need to set it only if exists
-                        if (basePath) {
-                            url.basePath = basePath;
-                        }
-                        if (!isAppRouterRequest) {
-                            url.locale = req.nextUrl.locale;
-                        }
+                        // In App Router, we need to set the locale in the pathname, if present
+                        if (targetLocale)
+                            url.pathname = `/${targetLocale}${url.pathname}`;
                     }
                     /** return Response redirect with http code of redirect type */
-                    return this.dispatchRedirect(url, existsRedirect.redirectType, req, res, false);
-                });
-                const response = yield createResponse();
-                core_1.debug.redirects('redirects middleware end in %dms: %o', Date.now() - startTimestamp, {
-                    redirected: response.redirected,
-                    status: response.status,
-                    url: response.url,
-                    headers: this.extractDebugHeaders(response.headers),
+                    return this.dispatchRedirect(this.normalizeUrl(url), existsRedirect.redirectType, req, res, false);
+                };
+                // replace $siteLang token in target if exists
+                existsRedirect.target = existsRedirect.target.replace(REGEXP_CONTEXT_SITE_LANG, site.language);
+                const reqUrl = this.normalizeUrl(req.nextUrl.clone());
+                // Apply regex replacements to the target URL if the pattern is a regex
+                const matched = reqUrl.pathname
+                    .replace(/\/*$/gi, '')
+                    .match((0, regex_parser_1.default)(existsRedirect.pattern));
+                if (matched) {
+                    existsRedirect.target = existsRedirect.target.replace(/\$(\d+)/g, (_, index) => {
+                        return matched[parseInt(index, 10)] || '';
+                    });
+                }
+                const redirectedResponse = REGEXP_ABSOLUTE_URL.test(existsRedirect.target)
+                    ? processAbsoluteUrlTarget(reqUrl, existsRedirect)
+                    : processRelativeUrlTarget(reqUrl, existsRedirect);
+                debug_1.default.redirects('redirects proxy end in %dms: %o', Date.now() - startTimestamp, {
+                    redirected: redirectedResponse.redirected,
+                    status: redirectedResponse.status,
+                    url: redirectedResponse.url,
+                    headers: this.extractDebugHeaders(redirectedResponse.headers),
                 });
-                return response;
+                return redirectedResponse;
             }
             catch (error) {
-                console.log('Redirect middleware failed:');
+                console.log('Redirect proxy failed:');
                 console.log(error);
                 return res;
             }
         });
         this.locales = config.locales;
+        // If redirectsService is provided directly (e.g., for testing), use it
+        if (this.config.redirectsService) {
+            this.redirectsService = this.config.redirectsService;
+            return;
+        }
         // Validate API config is present - redirects requires either Edge or local API configuration
         const hasEdgeConfig = !!(this.config.contextId || this.config.clientContextId);
         const hasLocalConfig = !!(this.config.apiHost && this.config.apiKey);
         if (!hasEdgeConfig && !hasLocalConfig) {
-            console.warn('[RedirectsMiddleware] Redirects middleware requires either Edge configuration (contextId/clientContextId) or local API configuration (apiHost/apiKey). ' +
+            console.warn('[RedirectsProxy] Redirects proxy requires either Edge configuration (contextId/clientContextId) or local API configuration (apiHost/apiKey). ' +
                 'Redirects features will be disabled. This is expected when API configuration is not available.');
             // Set to null to indicate service is disabled
             this.redirectsService = null;
@@ -185,16 +193,16 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
         };
         // NOTE: we provide native fetch for compatibility on Next.js Edge Runtime
         // (underlying default 'cross-fetch' is not currently compatible: https://github.com/lquixada/cross-fetch/issues/78)
-        this.redirectsService =
-            (_a = this.config.redirectsService) !== null && _a !== void 0 ? _a : new site_1.RedirectsService(Object.assign(Object.assign({}, config), { clientFactory: this.getClientFactory(graphQLOptions), fetch: fetch }));
+        this.redirectsService = new site_1.RedirectsService(Object.assign(Object.assign({}, config), { clientFactory: this.getClientFactory(graphQLOptions), fetch: fetch }));
     }
     disabled(req, res) {
-        // Check if API config is missing - if so, disable the middleware
+        // Check if API config is missing - if so, disable the proxy
         if (!this.redirectsService) {
-            core_1.debug.redirects('skipped (redirects service not configured - API config required)');
+            debug_1.default.redirects('skipped (redirects service not configured - API config required)');
             return true;
         }
-        return super.disabled(req, res);
+        // ignore files
+        return req.nextUrl.pathname.includes('.') || super.disabled(req, res);
     }
     /**
      * Method returns RedirectInfo when matches
@@ -212,14 +220,13 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
             const locale = this.getLanguage(req);
             const normalizedPath = incomingURL.replace(/\/*$/gi, '').toLowerCase();
             const redirects = yield this.redirectsService.fetchRedirects(siteName);
-            const language = this.getLanguage(req);
             const modifyRedirects = structuredClone(redirects);
             let matchedQueryString;
             const localePath = `/${locale.toLowerCase()}${normalizedPath}`;
             return modifyRedirects.length
                 ? modifyRedirects.find((redirect) => {
                     // process static URL (non-regex) rules
-                    if ((0, utils_1.isRegexOrUrl)(redirect.pattern) === 'url') {
+                    if ((0, tools_1.isRegexOrUrl)(redirect.pattern) === 'url') {
                         const urlArray = redirect.pattern.endsWith('/')
                             ? redirect.pattern.slice(0, -1).split('?')
                             : redirect.pattern.split('?');
@@ -234,12 +241,13 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
                         }
                         return ((patternPath === localePath || patternPath === normalizedPath) &&
                             (!patternQS ||
-                                (0, utils_1.areURLSearchParamsEqual)(new URLSearchParams(patternQS), new URLSearchParams(incomingQS))));
+                                (0, tools_1.areURLSearchParamsEqual)(new URLSearchParams(patternQS), new URLSearchParams(incomingQS))));
                     }
                     // process regex rules
                     // Modify the redirect pattern to ignore the language prefix in the path
                     // And escapes non-special "?" characters in a string or regex.
-                    redirect.pattern = (0, utils_1.escapeNonSpecialQuestionMarks)(redirect.pattern.replace(new RegExp(`^[^]?/${language}/`, 'gi'), ''));
+                    redirect.pattern = (0, tools_1.escapeNonSpecialQuestionMarks)('^' + redirect.pattern.replace(new RegExp(`^[^]?/${locale}/`, 'gi'), '') // ensure function thinks input is regex
+                    );
                     // Prepare the redirect pattern as a regular expression, making it more flexible for matching URLs
                     redirect.pattern = `/^\/${redirect.pattern
                         .replace(/^\/|\/$/g, '') // Removes leading and trailing slashes
@@ -283,7 +291,7 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
         /**
          * Remove special parameters(Next.JS)
          * Example: /about/contact/us
-         * When a user clicks on this link, Next.js should generate a link for the middleware, formatted like this:
+         * When a user clicks on this link, Next.js should generate a link for the proxy, formatted like this:
          * http://host/about/contact/us?path=about&path=contact&path=us
          */
         const newQueryString = url.search
@@ -341,7 +349,7 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
                 }
                 // Check if it has a site prefix
                 // If so, preserve it for the redirect target to maintain proper routing
-                const incomingRewrite = res === null || res === void 0 ? void 0 : res.headers.get(middleware_1.REWRITE_HEADER_NAME);
+                const incomingRewrite = res === null || res === void 0 ? void 0 : res.headers.get(proxy_1.REWRITE_HEADER_NAME);
                 if (incomingRewrite && !isExternal) {
                     // Extract locale from target path
                     const targetPathParts = rewritePath.split('/').filter(Boolean);
@@ -363,7 +371,7 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
         }
     }
     /**
-     * Helper function to create a redirect response and remove the x-middleware-next header.
+     * Helper function to create a redirect response and remove the x-proxy-next header.
      * @param {NextURL | string} url The URL to redirect to.
      * @param {Response} res The response object.
      * @param {number} status The HTTP status code of the redirect.
@@ -371,7 +379,9 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
      * @returns {NextResponse<unknown>} The redirect response.
      */
     createRedirectResponse(url, res, status, statusText) {
-        const redirect = server_1.NextResponse.redirect(url, {
+        // Convert NextURL to string if needed - NextResponse.redirect requires a string URL
+        const urlString = typeof url === 'string' ? url : url.href;
+        const redirect = server_1.NextResponse.redirect(urlString, {
             status,
             statusText,
             headers: res === null || res === void 0 ? void 0 : res.headers,
@@ -379,9 +389,9 @@ class RedirectsMiddleware extends middleware_1.MiddlewareBase {
         if (res === null || res === void 0 ? void 0 : res.headers) {
             redirect.headers.delete('x-middleware-next');
             redirect.headers.delete('x-middleware-rewrite');
-            redirect.headers.delete(middleware_1.REWRITE_HEADER_NAME);
+            redirect.headers.delete(proxy_1.REWRITE_HEADER_NAME);
         }
         return redirect;
     }
 }
-exports.RedirectsMiddleware = RedirectsMiddleware;
+exports.RedirectsProxy = RedirectsProxy;

package/dist/cjs/route-handler/editing-config-route-handler.js

@@ -8,13 +8,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createEditingConfigRouteHandler = void 0;
-const editing_1 = require("@sitecore-content-sdk/core/editing");
-const core_1 = require("@sitecore-content-sdk/core");
-const utils_1 = require("@sitecore-content-sdk/core/utils");
-const layout_1 = require("@sitecore-content-sdk/core/layout");
-const utils_2 = require("../utils/utils");
+const editing_1 = require("@sitecore-content-sdk/content/editing");
+const tools_1 = require("@sitecore-content-sdk/core/tools");
+const layout_1 = require("@sitecore-content-sdk/content/layout");
+const utils_1 = require("../utils/utils");
+const debug_1 = __importDefault(require("../debug"));
 /**
  * Creates a route handler for the editing config API route (e.g. '/api/editing/config')
  * Provides configuration information to determine feature compatibility on Pages side.
@@ -26,7 +29,7 @@ const createEditingConfigRouteHandler = (options) => {
     const { components, metadata, clientComponents } = options;
     const validateRequest = (req) => {
         const secret = req.nextUrl.searchParams.get(editing_1.QUERY_PARAM_EDITING_SECRET);
-        const corsHeaders = (0, utils_1.getEnforcedCorsHeaders)({
+        const corsHeaders = (0, tools_1.getEnforcedCorsHeaders)({
             requestMethod: req.method,
             headers: req.headers,
             presetCorsHeader: undefined,
@@ -37,10 +40,10 @@ const createEditingConfigRouteHandler = (options) => {
     const GET = (req) => __awaiter(void 0, void 0, void 0, function* () {
         try {
             const startTimestamp = Date.now();
-            core_1.debug.editing('editing config route handler start');
+            debug_1.default.editing('editing config route handler start');
             const { secret, corsHeaders } = validateRequest(req);
             if (!corsHeaders) {
-                core_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+                debug_1.default.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
                 return new Response(JSON.stringify({ message: 'Invalid origin' }), {
                     status: 401,
                     headers: {
@@ -48,8 +51,8 @@ const createEditingConfigRouteHandler = (options) => {
                     },
                 });
             }
-            if (secret !== (0, utils_2.getEditingSecret)()) {
-                core_1.debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, (0, utils_2.getEditingSecret)());
+            if (secret !== (0, utils_1.getEditingSecret)()) {
+                debug_1.default.editing('invalid editing secret - sent "%s" expected "%s"', secret, (0, utils_1.getEditingSecret)());
                 return new Response(JSON.stringify({ message: 'Missing or invalid editing secret' }), {
                     status: 401,
                     headers: Object.assign({ 'Content-Type': 'application/json' }, corsHeaders),
@@ -64,7 +67,7 @@ const createEditingConfigRouteHandler = (options) => {
                 packages: metadata.packages,
                 editMode: layout_1.EditMode.Metadata,
             };
-            core_1.debug.editing('editing config route handler end in %dms', Date.now() - startTimestamp);
+            debug_1.default.editing('editing config route handler end in %dms', Date.now() - startTimestamp);
             return new Response(JSON.stringify(responseData), {
                 status: 200,
                 headers: Object.assign({ 'Content-Type': 'application/json' }, corsHeaders),
@@ -80,10 +83,10 @@ const createEditingConfigRouteHandler = (options) => {
     });
     const OPTIONS = (req) => __awaiter(void 0, void 0, void 0, function* () {
         try {
-            core_1.debug.editing('preflight request');
+            debug_1.default.editing('preflight request');
             const { corsHeaders } = validateRequest(req);
             if (!corsHeaders) {
-                core_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+                debug_1.default.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
                 return new Response(JSON.stringify({ message: 'Invalid origin' }), {
                     status: 401,
                     headers: {

package/dist/cjs/route-handler/editing-render-route-handler.js

@@ -8,17 +8,21 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createEditingRenderRouteHandlers = void 0;
 exports.getNextCookies = getNextCookies;
 const core_1 = require("@sitecore-content-sdk/core");
-const editing_1 = require("@sitecore-content-sdk/core/editing");
-const utils_1 = require("@sitecore-content-sdk/core/utils");
-const layout_1 = require("@sitecore-content-sdk/core/layout");
-const utils_2 = require("../utils/utils");
+const editing_1 = require("@sitecore-content-sdk/content/editing");
+const tools_1 = require("@sitecore-content-sdk/core/tools");
+const layout_1 = require("@sitecore-content-sdk/content/layout");
+const utils_1 = require("../utils/utils");
 const headers_1 = require("next/headers");
-const utils_3 = require("../editing/utils");
-const site_1 = require("@sitecore-content-sdk/core/site");
+const utils_2 = require("../editing/utils");
+const site_1 = require("@sitecore-content-sdk/content/site");
+const debug_1 = __importDefault(require("../debug"));
 /**
  * Helper function to handle cookie operations - can be mocked for testing
  * @returns {Promise<NextCookies>} Next cookies
@@ -39,17 +43,17 @@ function getNextCookies() {
  * @public
  */
 const createEditingRenderRouteHandlers = (options) => {
-    const dataFetcher = new core_1.NativeDataFetcher({ debugger: core_1.debug.editing });
+    const dataFetcher = new core_1.NativeDataFetcher({ debugger: debug_1.default.editing });
     const getCorsHeaders = (req) => {
         var _a;
-        const expectedCorsHeaders = (0, utils_1.getEnforcedCorsHeaders)({
+        const expectedCorsHeaders = (0, tools_1.getEnforcedCorsHeaders)({
             requestMethod: req.method,
             headers: req.headers,
             presetCorsHeader: (_a = req.headers) === null || _a === void 0 ? void 0 : _a.get('Access-Control-Allow-Origin'),
             allowedOrigins: editing_1.EDITING_ALLOWED_ORIGINS,
         });
         if (!expectedCorsHeaders) {
-            core_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+            debug_1.default.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
         }
         return expectedCorsHeaders;
     };
@@ -57,10 +61,10 @@ const createEditingRenderRouteHandlers = (options) => {
         return `<html><body>Requests from origin ${origin} not allowed</body></html>`;
     };
     const validateEditingSecret = (receivedSecret) => {
-        const editingSecret = (0, utils_2.getEditingSecret)();
+        const editingSecret = (0, utils_1.getEditingSecret)();
         const secretIsvalid = editingSecret === receivedSecret;
         if (!secretIsvalid) {
-            core_1.debug.editing('invalid editing secret - sent "%s" expected "%s"', receivedSecret, editingSecret);
+            debug_1.default.editing('invalid editing secret - sent "%s" expected "%s"', receivedSecret, editingSecret);
         }
         return secretIsvalid;
     };
@@ -76,7 +80,7 @@ const createEditingRenderRouteHandlers = (options) => {
                 status: 401,
             });
         }
-        core_1.debug.editing('preflight request');
+        debug_1.default.editing('preflight request');
         return new Response(null, { status: 204, headers: expectedCorsHeaders });
     };
     const GET = (req) => __awaiter(void 0, void 0, void 0, function* () {
@@ -87,7 +91,7 @@ const createEditingRenderRouteHandlers = (options) => {
         req.nextUrl.searchParams.forEach((value, key) => {
             query[key] = value;
         });
-        core_1.debug.editing('editing render handler start: %o', {
+        debug_1.default.editing('editing render handler start: %o', {
             method,
             query,
             headers,
@@ -110,21 +114,28 @@ const createEditingRenderRouteHandlers = (options) => {
         draft.enable();
         const startTimestamp = Date.now();
         const mode = query.mode;
-        const requiredQueryParams = (0, utils_3.getRequiredEditingParamsList)(mode);
+        const requiredQueryParams = (0, utils_2.getRequiredEditingParamsList)(mode);
         const missingQueryParams = requiredQueryParams.filter((param) => !query[param]);
+        const { allowedQueryParams, missingAllowedParams } = (0, utils_2.getAllowedQueryParams)(query, options.allowedQueryParams);
         // Validate query parameters
-        if (missingQueryParams.length) {
-            core_1.debug.editing('missing required query parameters: %o', missingQueryParams);
+        if (missingQueryParams.length || missingAllowedParams.length) {
+            debug_1.default.editing('missing required query parameters: %o', [
+                ...missingQueryParams,
+                ...missingAllowedParams,
+            ]);
             return Response.json({
-                html: `<html><body>Missing required query parameters: ${missingQueryParams.join(', ')}</body></html>`,
+                html: `<html><body>Missing required query parameters: ${[
+                    ...missingQueryParams,
+                    ...missingAllowedParams,
+                ].join(', ')}</body></html>`,
             }, { status: 400, headers: responseHeaders });
         }
         const encodedRoute = encodeURI(query.route);
         const route = ((_a = options === null || options === void 0 ? void 0 : options.resolvePageUrl) === null || _a === void 0 ? void 0 : _a.call(options, encodedRoute)) || encodedRoute;
-        const base = (0, utils_3.resolveServerUrl)(req);
+        const base = (0, utils_2.resolveServerUrl)(req);
         const requestUrl = new URL(route, base);
         // Restrict the page to be rendered only within the allowed origins
-        responseHeaders['Content-Security-Policy'] = (0, utils_3.getCSPHeader)();
+        responseHeaders['Content-Security-Policy'] = (0, utils_2.getCSPHeader)();
         const cookieStore = yield getNextCookies();
         cookieStore.set("__prerender_bypass" /* PreviewCookies.PRERENDER_BYPASS */, ((_b = cookieStore.get("__prerender_bypass" /* PreviewCookies.PRERENDER_BYPASS */)) === null || _b === void 0 ? void 0 : _b.value) || '', {
             httpOnly: true,
@@ -149,17 +160,17 @@ const createEditingRenderRouteHandlers = (options) => {
         }
         const convertedCookies = cookieStore.getAll().map((c) => `${c.name}=${c.value}`);
         try {
-            core_1.debug.editing('fetching page route for %s', query.route);
+            debug_1.default.editing('fetching page route for %s', query.route);
             // Get query string parameters to propagate on subsequent requests (e.g. for deployment protection bypass)
             // Additionally ,in app router preview data is passed through query string instead of preview data cookie
-            const propagatedQsParams = Object.assign(Object.assign({}, (0, utils_3.getQueryParamsForPropagation)(query)), (0, utils_3.mapEditingParams)(query));
+            const propagatedQsParams = Object.assign(Object.assign(Object.assign({}, (0, utils_2.getQueryParamsForPropagation)(query)), (0, utils_2.mapEditingParams)(query)), allowedQueryParams);
             // Get headers to propagate on subsequent requests
-            const propagatedHeaders = (0, utils_3.getHeadersForPropagation)(headers);
-            const html = yield (0, utils_3.getEditingRequestHtml)(requestUrl, propagatedQsParams, propagatedHeaders, convertedCookies, dataFetcher);
+            const propagatedHeaders = (0, utils_2.getHeadersForPropagation)(headers);
+            const html = yield (0, utils_2.getEditingRequestHtml)(requestUrl, propagatedQsParams, propagatedHeaders, convertedCookies, dataFetcher);
             // remove nextjs preview cookies to not leak them to the browser
-            const filteredCookies = (0, utils_3.cleanupNextPreviewCookies)(convertedCookies);
+            const filteredCookies = (0, utils_2.cleanupNextPreviewCookies)(convertedCookies);
             responseHeaders['Set-Cookie'] = (filteredCookies === null || filteredCookies === void 0 ? void 0 : filteredCookies.join('; ')) || '';
-            core_1.debug.editing('editing render handler end in %dms: %o', Date.now() - startTimestamp, {
+            debug_1.default.editing('editing render handler end in %dms: %o', Date.now() - startTimestamp, {
                 status: 200,
                 route,
             });
@@ -167,9 +178,9 @@ const createEditingRenderRouteHandlers = (options) => {
             return new Response(html, { status: 200, headers: responseHeaders });
         }
         catch (err) {
-            core_1.debug.editing('error fetching page route %s: %o', requestUrl, err);
-            core_1.debug.editing('falling back to redirect method... ');
-            core_1.debug.editing('editing render handler end in %dms: redirect %o', Date.now() - startTimestamp, {
+            debug_1.default.editing('error fetching page route %s: %o', requestUrl, err);
+            debug_1.default.editing('falling back to redirect method... ');
+            debug_1.default.editing('editing render handler end in %dms: redirect %o', Date.now() - startTimestamp, {
                 status: 307,
                 route,
             });
@@ -211,8 +222,8 @@ const createEditingRenderRouteHandlers = (options) => {
         req.nextUrl.searchParams.forEach((value, key) => {
             query[key] = value;
         });
-        const propagatedQsParams = Object.assign(Object.assign({}, (0, utils_3.getQueryParamsForPropagation)(query)), (0, utils_3.mapEditingParams)(query));
-        const base = (0, utils_3.resolveServerUrl)(req);
+        const propagatedQsParams = Object.assign(Object.assign(Object.assign({}, (0, utils_2.getQueryParamsForPropagation)(query)), (0, utils_2.mapEditingParams)(query)), (0, utils_2.getAllowedQueryParams)(query, options.allowedQueryParams).allowedQueryParams);
+        const base = (0, utils_2.resolveServerUrl)(req);
         const targetUrl = new URL('/', base);
         for (const key in propagatedQsParams) {
             if ({}.hasOwnProperty.call(propagatedQsParams, key)) {
@@ -251,13 +262,13 @@ const createEditingRenderRouteHandlers = (options) => {
             }
         });
         // Restrict the page to be rendered only within the allowed origins
-        filteredHeaders.set('Content-Security-Policy', (0, utils_3.getCSPHeader)());
+        filteredHeaders.set('Content-Security-Policy', (0, utils_2.getCSPHeader)());
         // add expected CORS headers to response
         Object.entries(expectedCorsHeaders !== null && expectedCorsHeaders !== void 0 ? expectedCorsHeaders : {}).forEach(([key, value]) => {
             filteredHeaders.set(key, value);
         });
         // remove nextjs preview cookies to not leak them to the browser
-        const filteredCookies = (0, utils_3.cleanupNextPreviewCookies)(filteredHeaders.get('Set-Cookie'));
+        const filteredCookies = (0, utils_2.cleanupNextPreviewCookies)(filteredHeaders.get('Set-Cookie'));
         filteredHeaders.set('Set-Cookie', (filteredCookies === null || filteredCookies === void 0 ? void 0 : filteredCookies.join('; ')) || '');
         return new Response(forwardedResponse.data, {
             status: forwardedResponse.status,