@sitecore-content-sdk/nextjs 2.1.0-canary.12 → 2.1.0-canary.13

package/dist/cjs/client/sitecore-nextjs-client.js

@@ -1,8 +1,20 @@
 "use strict";
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SitecoreNextjsClient = void 0;
 const client_1 = require("@sitecore-content-sdk/content/client");
 const component_props_service_1 = require("../services/component-props-service");
+const constants_1 = require("../editing/constants");
 const site_1 = require("@sitecore-content-sdk/content/site");
 const personalize_1 = require("@sitecore-content-sdk/content/personalize");
 /**
@@ -54,7 +66,8 @@ class SitecoreNextjsClient extends client_1.SitecoreClient {
      * @returns {Page} preview page for Design Library
      */
     async getDesignLibraryData(designLibData, fetchOptions) {
-        return super.getDesignLibraryData(designLibData, fetchOptions);
+        const merged = this.mergePreviewAuthorization(designLibData, fetchOptions);
+        return super.getDesignLibraryData(merged.previewData, merged.fetchOptions);
     }
     /**
      * Retrieves preview page and layout details
@@ -62,7 +75,31 @@ class SitecoreNextjsClient extends client_1.SitecoreClient {
      * @param {FetchOptions} [fetchOptions] Additional fetch fetch options to override GraphQL requests (like retries and fetch)
      */
     async getPreview(previewData, fetchOptions) {
-        return super.getPreview(previewData, fetchOptions);
+        const merged = this.mergePreviewAuthorization(previewData, fetchOptions);
+        return super.getPreview(merged.previewData, merged.fetchOptions);
+    }
+    /**
+     * **NOTE**: App Router only.
+     *
+     * Builds the inputs for the Preview mode based on incoming request headers.
+     *
+     * - Reads editing preview data from the `x-sitecore-editing-params` header.
+     * - Reads the `authorization` header from the request and merges it as
+     *   `Authorization` into `fetchOptions.headers`. The request value takes
+     *   precedence over any `Authorization` (case-insensitive) supplied via
+     *   `extra.headers`; existing case-variant keys are removed so the result
+     *   never contains duplicates. An empty `Authorization` is never emitted.
+     *
+     * Other headers present on the input are ignored. Non-`headers` fields of
+     * `extra` are preserved as-is. Extra headers are merged into `fetchOptions.headers`.
+     * @param {Headers} headers - The headers from the incoming request.
+     * @param {FetchOptions} [extra] - Optional base fetch options to merge with.
+     * @returns The `previewData` and `fetchOptions` to forward
+     */
+    getPreviewInputs(headers, extra) {
+        const previewData = this.parsePreviewDataFromHeader(headers);
+        const fetchOptions = this.mergeAuthorizationHeader(headers, extra);
+        return { previewData, fetchOptions };
     }
     /**
      * Generates static params for the Next.js App Router from Sitecore routes.
@@ -145,5 +182,84 @@ class SitecoreNextjsClient extends client_1.SitecoreClient {
     getComponentPropsService() {
         return new component_props_service_1.ComponentPropsService();
     }
+    /**
+     * **NOTE**: Pages Router only.
+     *
+     * Merges the authorization header from the preview data into the fetch options.
+     * The `authorization` field is always stripped from the returned preview data
+     * to avoid leaking it back into request payloads.
+     *
+     * The value stashed in preview data takes precedence over any caller-supplied
+     * `Authorization` header. Existing `Authorization` keys are removed
+     * case-insensitively before the merged value is set, so the result never
+     * contains duplicate keys.
+     * @param {PreviewData} previewData - The preview data to merge the authorization header from.
+     * @param {FetchOptions} [fetchOptions] - The fetch options to merge the authorization header into.
+     * @returns The preview data and fetch options with the authorization header merged.
+     */
+    mergePreviewAuthorization(previewData, fetchOptions) {
+        if (!previewData || typeof previewData !== 'object') {
+            return { previewData: previewData, fetchOptions };
+        }
+        const _a = previewData, { authorization } = _a, rest = __rest(_a, ["authorization"]);
+        if (!authorization) {
+            return { previewData: rest, fetchOptions };
+        }
+        const mergedHeaders = this.applyAuthorizationHeader(fetchOptions === null || fetchOptions === void 0 ? void 0 : fetchOptions.headers, authorization);
+        return { previewData: rest, fetchOptions: Object.assign(Object.assign({}, fetchOptions), { headers: mergedHeaders }) };
+    }
+    /**
+     * Reads and JSON-parses the editing preview data propagated via
+     * `EDITING_PARAMS_HEADER`. Returns an empty object when the header is
+     * missing or its value is not valid JSON.
+     * @param {Headers} headers - The incoming request headers.
+     * @returns {PreviewData} The parsed preview data, or an empty object.
+     */
+    parsePreviewDataFromHeader(headers) {
+        const packed = headers.get(constants_1.EDITING_PARAMS_HEADER);
+        if (!packed)
+            return {};
+        try {
+            return JSON.parse(packed);
+        }
+        catch (_a) {
+            return {};
+        }
+    }
+    /**
+     * Builds `FetchOptions` by merging the `Authorization` header from the
+     * incoming request headers into `extra`. The request value takes precedence
+     * over any caller-supplied `Authorization` header (case-insensitive). An
+     * empty `Authorization` is never emitted.
+     * @param {Headers} headers - The incoming request headers.
+     * @param {FetchOptions} [extra] - Optional base fetch options to merge with.
+     * @returns {FetchOptions} The merged fetch options.
+     */
+    mergeAuthorizationHeader(headers, extra) {
+        const authorization = headers.get('authorization');
+        const mergedHeaders = this.applyAuthorizationHeader(extra === null || extra === void 0 ? void 0 : extra.headers, authorization);
+        return Object.assign(Object.assign({}, extra), { headers: mergedHeaders });
+    }
+    /**
+     * Returns a shallow-cloned headers record with `Authorization` set to
+     * `authorization` (when truthy). Any pre-existing `Authorization` key is
+     * removed case-insensitively to avoid emitting both `authorization` and
+     * `Authorization` in the same record.
+     * @param {Record<string, string> | undefined} headers - Existing headers, if any.
+     * @param {string | null | undefined} authorization - The authorization value to apply, or null/undefined to leave headers unchanged.
+     * @returns {Record<string, string>} The merged headers.
+     */
+    applyAuthorizationHeader(headers, authorization) {
+        const merged = Object.assign({}, (headers !== null && headers !== void 0 ? headers : {}));
+        if (!authorization)
+            return merged;
+        for (const key of Object.keys(merged)) {
+            if (key.toLowerCase() === 'authorization') {
+                delete merged[key];
+            }
+        }
+        merged.Authorization = authorization;
+        return merged;
+    }
 }
 exports.SitecoreNextjsClient = SitecoreNextjsClient;

package/dist/cjs/editing/constants.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.EDITING_PASS_THROUGH_HEADERS = exports.QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = exports.QUERY_PARAM_VERCEL_PROTECTION_BYPASS = void 0;
+exports.EDITING_PARAMS_HEADER = exports.EDITING_PASS_THROUGH_HEADERS = exports.QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = exports.QUERY_PARAM_VERCEL_PROTECTION_BYPASS = void 0;
 exports.QUERY_PARAM_VERCEL_PROTECTION_BYPASS = 'x-vercel-protection-bypass';
 exports.QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = 'x-vercel-set-bypass-cookie';
 /**
@@ -8,3 +8,8 @@ exports.QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = 'x-vercel-set-bypass-cookie';
  * Note these are in lowercase format to match expected `IncomingHttpHeaders`.
  */
 exports.EDITING_PASS_THROUGH_HEADERS = ['authorization', 'cookie'];
+/**
+ * Header used to propagate editing preview parameters from the editing render
+ * route handler to the Next.js page when running in App Router.
+ */
+exports.EDITING_PARAMS_HEADER = 'x-sitecore-editing-params';

package/dist/cjs/editing/editing-render-middleware.js

@@ -87,7 +87,7 @@ class EditingRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
                 });
             }
             const previewDataParams = (0, utils_2.mapEditingParams)(query);
-            res.setPreviewData(Object.assign(Object.assign(Object.assign({}, previewDataParams), allowedQueryParams), { variantIds: (_c = previewDataParams.variantIds) === null || _c === void 0 ? void 0 : _c.split(',') }), {
+            res.setPreviewData(Object.assign(Object.assign(Object.assign({}, previewDataParams), allowedQueryParams), { variantIds: (_c = previewDataParams.variantIds) === null || _c === void 0 ? void 0 : _c.split(','), authorization: headers.authorization }), {
                 maxAge: 3,
             });
             // Set Preview mode identifier cookie, if the page is rendered in Sitecore Preview mode

package/dist/cjs/route-handler/editing-render-route-handler.js

@@ -12,6 +12,7 @@ const layout_1 = require("@sitecore-content-sdk/content/layout");
 const utils_1 = require("../utils/utils");
 const headers_1 = require("next/headers");
 const utils_2 = require("../editing/utils");
+const constants_1 = require("../editing/constants");
 const site_1 = require("@sitecore-content-sdk/content/site");
 const debug_1 = __importDefault(require("../debug"));
 /**
@@ -150,11 +151,17 @@ const createEditingRenderRouteHandlers = (options) => {
         const convertedCookies = cookieStore.getAll().map((c) => `${c.name}=${c.value}`);
         try {
             debug_1.default.editing('fetching page route for %s', query.route);
-            // Get query string parameters to propagate on subsequent requests (e.g. for deployment protection bypass)
-            // Additionally ,in app router preview data is passed through query string instead of preview data cookie
-            const propagatedQsParams = Object.assign(Object.assign(Object.assign({}, (0, utils_2.getQueryParamsForPropagation)(query)), (0, utils_2.mapEditingParams)(query)), allowedQueryParams);
-            // Get headers to propagate on subsequent requests
-            const propagatedHeaders = (0, utils_2.getHeadersForPropagation)(headers);
+            // Editing preview data, mapped from the incoming `sc_*` query parameters
+            // into the typed shape consumed by preview methods.
+            const editingPreviewData = Object.assign(Object.assign({}, (0, utils_2.mapEditingParams)(query)), allowedQueryParams);
+            // Query string parameters required by the runtime/platform itself
+            // (e.g. Vercel deployment protection bypass tokens). Editing preview
+            // data is also appended here for backward compatibility with apps that
+            // still read `searchParams` in the page; new code should consume the
+            // `EDITING_PARAMS_HEADER` instead via `client.getPreviewInputs`.
+            // TODO: Remove preview data from qs before next major release.
+            const propagatedQsParams = Object.assign(Object.assign({}, (0, utils_2.getQueryParamsForPropagation)(query)), editingPreviewData);
+            const propagatedHeaders = Object.assign(Object.assign({}, (0, utils_2.getHeadersForPropagation)(headers)), { [constants_1.EDITING_PARAMS_HEADER]: JSON.stringify(editingPreviewData) });
             const html = await (0, utils_2.getEditingRequestHtml)(requestUrl, propagatedQsParams, propagatedHeaders, convertedCookies, dataFetcher);
             // remove nextjs preview cookies to not leak them to the browser
             const filteredCookies = (0, utils_2.cleanupNextPreviewCookies)(convertedCookies);
@@ -211,7 +218,11 @@ const createEditingRenderRouteHandlers = (options) => {
         req.nextUrl.searchParams.forEach((value, key) => {
             query[key] = value;
         });
-        const propagatedQsParams = Object.assign(Object.assign(Object.assign({}, (0, utils_2.getQueryParamsForPropagation)(query)), (0, utils_2.mapEditingParams)(query)), (0, utils_2.getAllowedQueryParams)(query, options.allowedQueryParams).allowedQueryParams);
+        const editingPreviewData = Object.assign(Object.assign({}, (0, utils_2.mapEditingParams)(query)), (0, utils_2.getAllowedQueryParams)(query, options.allowedQueryParams).allowedQueryParams);
+        /**
+         * TODO: Remove preview data from qs before next major release.
+         */
+        const propagatedQsParams = Object.assign(Object.assign({}, (0, utils_2.getQueryParamsForPropagation)(query)), editingPreviewData);
         const base = (0, utils_2.resolveServerUrl)(req);
         const targetUrl = new URL('/', base);
         for (const key in propagatedQsParams) {
@@ -232,6 +243,7 @@ const createEditingRenderRouteHandlers = (options) => {
             : prerenderBypassCookie;
         const forwardHeaders = new Headers(req.headers);
         forwardHeaders.set('cookie', forwardCookie);
+        forwardHeaders.set(constants_1.EDITING_PARAMS_HEADER, JSON.stringify(editingPreviewData));
         const forwardedResponse = await dataFetcher.fetch(targetUrl.toString(), {
             method: req.method,
             headers: forwardHeaders,

package/dist/esm/client/sitecore-nextjs-client.js

@@ -1,5 +1,17 @@
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
 import { SitecoreClient, } from '@sitecore-content-sdk/content/client';
 import { ComponentPropsService } from '../services/component-props-service';
+import { EDITING_PARAMS_HEADER } from '../editing/constants';
 import { getSiteRewriteData, normalizeSiteRewrite } from '@sitecore-content-sdk/content/site';
 import { getPersonalizedRewriteData, normalizePersonalizedRewrite, } from '@sitecore-content-sdk/content/personalize';
 /**
@@ -51,7 +63,8 @@ export class SitecoreNextjsClient extends SitecoreClient {
      * @returns {Page} preview page for Design Library
      */
     async getDesignLibraryData(designLibData, fetchOptions) {
-        return super.getDesignLibraryData(designLibData, fetchOptions);
+        const merged = this.mergePreviewAuthorization(designLibData, fetchOptions);
+        return super.getDesignLibraryData(merged.previewData, merged.fetchOptions);
     }
     /**
      * Retrieves preview page and layout details
@@ -59,7 +72,31 @@ export class SitecoreNextjsClient extends SitecoreClient {
      * @param {FetchOptions} [fetchOptions] Additional fetch fetch options to override GraphQL requests (like retries and fetch)
      */
     async getPreview(previewData, fetchOptions) {
-        return super.getPreview(previewData, fetchOptions);
+        const merged = this.mergePreviewAuthorization(previewData, fetchOptions);
+        return super.getPreview(merged.previewData, merged.fetchOptions);
+    }
+    /**
+     * **NOTE**: App Router only.
+     *
+     * Builds the inputs for the Preview mode based on incoming request headers.
+     *
+     * - Reads editing preview data from the `x-sitecore-editing-params` header.
+     * - Reads the `authorization` header from the request and merges it as
+     *   `Authorization` into `fetchOptions.headers`. The request value takes
+     *   precedence over any `Authorization` (case-insensitive) supplied via
+     *   `extra.headers`; existing case-variant keys are removed so the result
+     *   never contains duplicates. An empty `Authorization` is never emitted.
+     *
+     * Other headers present on the input are ignored. Non-`headers` fields of
+     * `extra` are preserved as-is. Extra headers are merged into `fetchOptions.headers`.
+     * @param {Headers} headers - The headers from the incoming request.
+     * @param {FetchOptions} [extra] - Optional base fetch options to merge with.
+     * @returns The `previewData` and `fetchOptions` to forward
+     */
+    getPreviewInputs(headers, extra) {
+        const previewData = this.parsePreviewDataFromHeader(headers);
+        const fetchOptions = this.mergeAuthorizationHeader(headers, extra);
+        return { previewData, fetchOptions };
     }
     /**
      * Generates static params for the Next.js App Router from Sitecore routes.
@@ -142,4 +179,83 @@ export class SitecoreNextjsClient extends SitecoreClient {
     getComponentPropsService() {
         return new ComponentPropsService();
     }
+    /**
+     * **NOTE**: Pages Router only.
+     *
+     * Merges the authorization header from the preview data into the fetch options.
+     * The `authorization` field is always stripped from the returned preview data
+     * to avoid leaking it back into request payloads.
+     *
+     * The value stashed in preview data takes precedence over any caller-supplied
+     * `Authorization` header. Existing `Authorization` keys are removed
+     * case-insensitively before the merged value is set, so the result never
+     * contains duplicate keys.
+     * @param {PreviewData} previewData - The preview data to merge the authorization header from.
+     * @param {FetchOptions} [fetchOptions] - The fetch options to merge the authorization header into.
+     * @returns The preview data and fetch options with the authorization header merged.
+     */
+    mergePreviewAuthorization(previewData, fetchOptions) {
+        if (!previewData || typeof previewData !== 'object') {
+            return { previewData: previewData, fetchOptions };
+        }
+        const _a = previewData, { authorization } = _a, rest = __rest(_a, ["authorization"]);
+        if (!authorization) {
+            return { previewData: rest, fetchOptions };
+        }
+        const mergedHeaders = this.applyAuthorizationHeader(fetchOptions === null || fetchOptions === void 0 ? void 0 : fetchOptions.headers, authorization);
+        return { previewData: rest, fetchOptions: Object.assign(Object.assign({}, fetchOptions), { headers: mergedHeaders }) };
+    }
+    /**
+     * Reads and JSON-parses the editing preview data propagated via
+     * `EDITING_PARAMS_HEADER`. Returns an empty object when the header is
+     * missing or its value is not valid JSON.
+     * @param {Headers} headers - The incoming request headers.
+     * @returns {PreviewData} The parsed preview data, or an empty object.
+     */
+    parsePreviewDataFromHeader(headers) {
+        const packed = headers.get(EDITING_PARAMS_HEADER);
+        if (!packed)
+            return {};
+        try {
+            return JSON.parse(packed);
+        }
+        catch (_a) {
+            return {};
+        }
+    }
+    /**
+     * Builds `FetchOptions` by merging the `Authorization` header from the
+     * incoming request headers into `extra`. The request value takes precedence
+     * over any caller-supplied `Authorization` header (case-insensitive). An
+     * empty `Authorization` is never emitted.
+     * @param {Headers} headers - The incoming request headers.
+     * @param {FetchOptions} [extra] - Optional base fetch options to merge with.
+     * @returns {FetchOptions} The merged fetch options.
+     */
+    mergeAuthorizationHeader(headers, extra) {
+        const authorization = headers.get('authorization');
+        const mergedHeaders = this.applyAuthorizationHeader(extra === null || extra === void 0 ? void 0 : extra.headers, authorization);
+        return Object.assign(Object.assign({}, extra), { headers: mergedHeaders });
+    }
+    /**
+     * Returns a shallow-cloned headers record with `Authorization` set to
+     * `authorization` (when truthy). Any pre-existing `Authorization` key is
+     * removed case-insensitively to avoid emitting both `authorization` and
+     * `Authorization` in the same record.
+     * @param {Record<string, string> | undefined} headers - Existing headers, if any.
+     * @param {string | null | undefined} authorization - The authorization value to apply, or null/undefined to leave headers unchanged.
+     * @returns {Record<string, string>} The merged headers.
+     */
+    applyAuthorizationHeader(headers, authorization) {
+        const merged = Object.assign({}, (headers !== null && headers !== void 0 ? headers : {}));
+        if (!authorization)
+            return merged;
+        for (const key of Object.keys(merged)) {
+            if (key.toLowerCase() === 'authorization') {
+                delete merged[key];
+            }
+        }
+        merged.Authorization = authorization;
+        return merged;
+    }
 }

package/dist/esm/editing/constants.js

@@ -5,3 +5,8 @@ export const QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = 'x-vercel-set-bypass-cookie'
  * Note these are in lowercase format to match expected `IncomingHttpHeaders`.
  */
 export const EDITING_PASS_THROUGH_HEADERS = ['authorization', 'cookie'];
+/**
+ * Header used to propagate editing preview parameters from the editing render
+ * route handler to the Next.js page when running in App Router.
+ */
+export const EDITING_PARAMS_HEADER = 'x-sitecore-editing-params';

package/dist/esm/editing/editing-render-middleware.js

@@ -81,7 +81,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
                 });
             }
             const previewDataParams = mapEditingParams(query);
-            res.setPreviewData(Object.assign(Object.assign(Object.assign({}, previewDataParams), allowedQueryParams), { variantIds: (_c = previewDataParams.variantIds) === null || _c === void 0 ? void 0 : _c.split(',') }), {
+            res.setPreviewData(Object.assign(Object.assign(Object.assign({}, previewDataParams), allowedQueryParams), { variantIds: (_c = previewDataParams.variantIds) === null || _c === void 0 ? void 0 : _c.split(','), authorization: headers.authorization }), {
                 maxAge: 3,
             });
             // Set Preview mode identifier cookie, if the page is rendered in Sitecore Preview mode

package/dist/esm/route-handler/editing-render-route-handler.js

@@ -5,6 +5,7 @@ import { LayoutServicePageState } from '@sitecore-content-sdk/content/layout';
 import { getEditingSecret } from '../utils/utils';
 import { draftMode, cookies as nextCokies } from 'next/headers';
 import { mapEditingParams, getEditingRequestHtml, cleanupNextPreviewCookies, getHeadersForPropagation, getQueryParamsForPropagation, getRequiredEditingParamsList, getCSPHeader, resolveServerUrl, getAllowedQueryParams, } from '../editing/utils';
+import { EDITING_PARAMS_HEADER } from '../editing/constants';
 import { SITE_KEY } from '@sitecore-content-sdk/content/site';
 import debug from '../debug';
 /**
@@ -143,11 +144,17 @@ export const createEditingRenderRouteHandlers = (options) => {
         const convertedCookies = cookieStore.getAll().map((c) => `${c.name}=${c.value}`);
         try {
             debug.editing('fetching page route for %s', query.route);
-            // Get query string parameters to propagate on subsequent requests (e.g. for deployment protection bypass)
-            // Additionally ,in app router preview data is passed through query string instead of preview data cookie
-            const propagatedQsParams = Object.assign(Object.assign(Object.assign({}, getQueryParamsForPropagation(query)), mapEditingParams(query)), allowedQueryParams);
-            // Get headers to propagate on subsequent requests
-            const propagatedHeaders = getHeadersForPropagation(headers);
+            // Editing preview data, mapped from the incoming `sc_*` query parameters
+            // into the typed shape consumed by preview methods.
+            const editingPreviewData = Object.assign(Object.assign({}, mapEditingParams(query)), allowedQueryParams);
+            // Query string parameters required by the runtime/platform itself
+            // (e.g. Vercel deployment protection bypass tokens). Editing preview
+            // data is also appended here for backward compatibility with apps that
+            // still read `searchParams` in the page; new code should consume the
+            // `EDITING_PARAMS_HEADER` instead via `client.getPreviewInputs`.
+            // TODO: Remove preview data from qs before next major release.
+            const propagatedQsParams = Object.assign(Object.assign({}, getQueryParamsForPropagation(query)), editingPreviewData);
+            const propagatedHeaders = Object.assign(Object.assign({}, getHeadersForPropagation(headers)), { [EDITING_PARAMS_HEADER]: JSON.stringify(editingPreviewData) });
             const html = await getEditingRequestHtml(requestUrl, propagatedQsParams, propagatedHeaders, convertedCookies, dataFetcher);
             // remove nextjs preview cookies to not leak them to the browser
             const filteredCookies = cleanupNextPreviewCookies(convertedCookies);
@@ -204,7 +211,11 @@ export const createEditingRenderRouteHandlers = (options) => {
         req.nextUrl.searchParams.forEach((value, key) => {
             query[key] = value;
         });
-        const propagatedQsParams = Object.assign(Object.assign(Object.assign({}, getQueryParamsForPropagation(query)), mapEditingParams(query)), getAllowedQueryParams(query, options.allowedQueryParams).allowedQueryParams);
+        const editingPreviewData = Object.assign(Object.assign({}, mapEditingParams(query)), getAllowedQueryParams(query, options.allowedQueryParams).allowedQueryParams);
+        /**
+         * TODO: Remove preview data from qs before next major release.
+         */
+        const propagatedQsParams = Object.assign(Object.assign({}, getQueryParamsForPropagation(query)), editingPreviewData);
         const base = resolveServerUrl(req);
         const targetUrl = new URL('/', base);
         for (const key in propagatedQsParams) {
@@ -225,6 +236,7 @@ export const createEditingRenderRouteHandlers = (options) => {
             : prerenderBypassCookie;
         const forwardHeaders = new Headers(req.headers);
         forwardHeaders.set('cookie', forwardCookie);
+        forwardHeaders.set(EDITING_PARAMS_HEADER, JSON.stringify(editingPreviewData));
         const forwardedResponse = await dataFetcher.fetch(targetUrl.toString(), {
             method: req.method,
             headers: forwardHeaders,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sitecore-content-sdk/nextjs",
-  "version": "2.1.0-canary.12",
+  "version": "2.1.0-canary.13",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",
   "sideEffects": false,
@@ -32,8 +32,8 @@
     "url": "https://github.com/sitecore/content-sdk/issues"
   },
   "devDependencies": {
-    "@sitecore-content-sdk/analytics-core": "2.1.0-canary.12",
-    "@sitecore-content-sdk/personalize": "2.1.0-canary.12",
+    "@sitecore-content-sdk/analytics-core": "2.1.0-canary.13",
+    "@sitecore-content-sdk/personalize": "2.1.0-canary.13",
     "@stylistic/eslint-plugin": "^5.2.2",
     "@testing-library/dom": "^10.4.0",
     "@testing-library/react": "^16.3.0",
@@ -91,10 +91,10 @@
   },
   "dependencies": {
     "@babel/parser": "^7.27.2",
-    "@sitecore-content-sdk/content": "2.1.0-canary.12",
-    "@sitecore-content-sdk/core": "2.1.0-canary.12",
-    "@sitecore-content-sdk/events": "2.1.0-canary.12",
-    "@sitecore-content-sdk/react": "2.1.0-canary.12",
+    "@sitecore-content-sdk/content": "2.1.0-canary.13",
+    "@sitecore-content-sdk/core": "2.1.0-canary.13",
+    "@sitecore-content-sdk/events": "2.1.0-canary.13",
+    "@sitecore-content-sdk/react": "2.1.0-canary.13",
     "recast": "^0.23.11",
     "regex-parser": "^2.3.1",
     "sync-disk-cache": "^2.1.0"
@@ -178,7 +178,7 @@
   },
   "description": "",
   "types": "types/index.d.ts",
-  "gitHead": "608209f0b31dffb40d22f154843fbfe21fcd5f92",
+  "gitHead": "3bb3656cf04e432ead4005db696643c4b409b7a3",
   "files": [
     "dist",
     "types",

package/types/client/sitecore-nextjs-client.d.ts

@@ -46,6 +46,28 @@ export declare class SitecoreNextjsClient extends SitecoreClient {
      * @param {FetchOptions} [fetchOptions] Additional fetch fetch options to override GraphQL requests (like retries and fetch)
      */
     getPreview(previewData: PreviewData, fetchOptions?: FetchOptions): Promise<Page | null>;
+    /**
+     * **NOTE**: App Router only.
+     *
+     * Builds the inputs for the Preview mode based on incoming request headers.
+     *
+     * - Reads editing preview data from the `x-sitecore-editing-params` header.
+     * - Reads the `authorization` header from the request and merges it as
+     *   `Authorization` into `fetchOptions.headers`. The request value takes
+     *   precedence over any `Authorization` (case-insensitive) supplied via
+     *   `extra.headers`; existing case-variant keys are removed so the result
+     *   never contains duplicates. An empty `Authorization` is never emitted.
+     *
+     * Other headers present on the input are ignored. Non-`headers` fields of
+     * `extra` are preserved as-is. Extra headers are merged into `fetchOptions.headers`.
+     * @param {Headers} headers - The headers from the incoming request.
+     * @param {FetchOptions} [extra] - Optional base fetch options to merge with.
+     * @returns The `previewData` and `fetchOptions` to forward
+     */
+    getPreviewInputs(headers: Headers, extra?: FetchOptions): {
+        previewData: PreviewData;
+        fetchOptions: FetchOptions;
+    };
     /**
      * Generates static params for the Next.js App Router from Sitecore routes.
      *
@@ -79,5 +101,49 @@ export declare class SitecoreNextjsClient extends SitecoreClient {
      */
     getComponentData(layoutData: LayoutServiceData, context: GetServerSidePropsContext | GetStaticPropsContext, components: ComponentMap<NextjsContentSdkComponent>): Promise<ComponentPropsCollection>;
     protected getComponentPropsService(): ComponentPropsService;
+    /**
+     * **NOTE**: Pages Router only.
+     *
+     * Merges the authorization header from the preview data into the fetch options.
+     * The `authorization` field is always stripped from the returned preview data
+     * to avoid leaking it back into request payloads.
+     *
+     * The value stashed in preview data takes precedence over any caller-supplied
+     * `Authorization` header. Existing `Authorization` keys are removed
+     * case-insensitively before the merged value is set, so the result never
+     * contains duplicate keys.
+     * @param {PreviewData} previewData - The preview data to merge the authorization header from.
+     * @param {FetchOptions} [fetchOptions] - The fetch options to merge the authorization header into.
+     * @returns The preview data and fetch options with the authorization header merged.
+     */
+    private mergePreviewAuthorization;
+    /**
+     * Reads and JSON-parses the editing preview data propagated via
+     * `EDITING_PARAMS_HEADER`. Returns an empty object when the header is
+     * missing or its value is not valid JSON.
+     * @param {Headers} headers - The incoming request headers.
+     * @returns {PreviewData} The parsed preview data, or an empty object.
+     */
+    private parsePreviewDataFromHeader;
+    /**
+     * Builds `FetchOptions` by merging the `Authorization` header from the
+     * incoming request headers into `extra`. The request value takes precedence
+     * over any caller-supplied `Authorization` header (case-insensitive). An
+     * empty `Authorization` is never emitted.
+     * @param {Headers} headers - The incoming request headers.
+     * @param {FetchOptions} [extra] - Optional base fetch options to merge with.
+     * @returns {FetchOptions} The merged fetch options.
+     */
+    private mergeAuthorizationHeader;
+    /**
+     * Returns a shallow-cloned headers record with `Authorization` set to
+     * `authorization` (when truthy). Any pre-existing `Authorization` key is
+     * removed case-insensitively to avoid emitting both `authorization` and
+     * `Authorization` in the same record.
+     * @param {Record<string, string> | undefined} headers - Existing headers, if any.
+     * @param {string | null | undefined} authorization - The authorization value to apply, or null/undefined to leave headers unchanged.
+     * @returns {Record<string, string>} The merged headers.
+     */
+    private applyAuthorizationHeader;
 }
 //# sourceMappingURL=sitecore-nextjs-client.d.ts.map

package/types/client/sitecore-nextjs-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sitecore-nextjs-client.d.ts","sourceRoot":"","sources":["../../src/client/sitecore-nextjs-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAC3D,OAAO,EACL,YAAY,EACZ,IAAI,EACJ,WAAW,EACX,cAAc,EACd,kBAAkB,EACnB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,wBAAwB,EAExB,yBAAyB,EAC1B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,yBAAyB,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AACrF,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qCAAqC,CAAC;AAU5E,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAE3C;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,kBAAkB,GAAG,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AAE9F;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,cAAc;IAE1C,SAAS,CAAC,WAAW,EAAE,wBAAwB;IAD3D,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;gBACjC,WAAW,EAAE,wBAAwB;IAK3D;;;;OAIG;IACH,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE;IAO3C;;;;OAIG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE;IAK3B,OAAO,CACX,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,EACvB,WAAW,EAAE,WAAW,EACxB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAmBvB;;;;;OAKG;IACG,oBAAoB,CACxB,aAAa,EAAE,WAAW,EAC1B,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,IAAI,CAAC;IAOhB;;;;OAIG;IACG,UAAU,CAAC,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAI7F;;;;;;;;;;;;;OAaG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,CAAC,EAAE,MAAM,EAAE,EACpB,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,YAAY,EAAE,CAAC;IAmB1B;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,CAAC,EAAE,MAAM,EAAE,EACpB,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,UAAU,EAAE,CAAC;IAaxB;;;;;;;OAOG;IACG,gBAAgB,CACpB,UAAU,EAAE,iBAAiB,EAC7B,OAAO,EAAE,yBAAyB,GAAG,qBAAqB,EAC1D,UAAU,EAAE,YAAY,CAAC,yBAAyB,CAAC,GAClD,OAAO,CAAC,wBAAwB,CAAC;IA2BpC,SAAS,CAAC,wBAAwB,IAAI,qBAAqB;CAG5D"}
+{"version":3,"file":"sitecore-nextjs-client.d.ts","sourceRoot":"","sources":["../../src/client/sitecore-nextjs-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAC3D,OAAO,EACL,YAAY,EACZ,IAAI,EACJ,WAAW,EACX,cAAc,EACd,kBAAkB,EACnB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,wBAAwB,EAExB,yBAAyB,EAC1B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,yBAAyB,EAAE,qBAAqB,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AACrF,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AACzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qCAAqC,CAAC;AAW5E,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAU3C;;;GAGG;AACH,MAAM,MAAM,wBAAwB,GAAG,kBAAkB,GAAG,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;AAE9F;;;GAGG;AACH,qBAAa,oBAAqB,SAAQ,cAAc;IAE1C,SAAS,CAAC,WAAW,EAAE,wBAAwB;IAD3D,SAAS,CAAC,qBAAqB,EAAE,qBAAqB,CAAC;gBACjC,WAAW,EAAE,wBAAwB;IAK3D;;;;OAIG;IACH,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE;IAO3C;;;;OAIG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE;IAK3B,OAAO,CACX,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,EACvB,WAAW,EAAE,WAAW,EACxB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAmBvB;;;;;OAKG;IACG,oBAAoB,CACxB,aAAa,EAAE,WAAW,EAC1B,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,IAAI,CAAC;IAShB;;;;OAIG;IACG,UAAU,CAAC,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAM7F;;;;;;;;;;;;;;;;;OAiBG;IACH,gBAAgB,CACd,OAAO,EAAE,OAAO,EAChB,KAAK,CAAC,EAAE,YAAY,GACnB;QAAE,WAAW,EAAE,WAAW,CAAC;QAAC,YAAY,EAAE,YAAY,CAAA;KAAE;IAO3D;;;;;;;;;;;;;OAaG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,CAAC,EAAE,MAAM,EAAE,EACpB,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,YAAY,EAAE,CAAC;IAmB1B;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,CAAC,EAAE,MAAM,EAAE,EACpB,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,UAAU,EAAE,CAAC;IAaxB;;;;;;;OAOG;IACG,gBAAgB,CACpB,UAAU,EAAE,iBAAiB,EAC7B,OAAO,EAAE,yBAAyB,GAAG,qBAAqB,EAC1D,UAAU,EAAE,YAAY,CAAC,yBAAyB,CAAC,GAClD,OAAO,CAAC,wBAAwB,CAAC;IA2BpC,SAAS,CAAC,wBAAwB,IAAI,qBAAqB;IAI3D;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,yBAAyB;IAmBjC;;;;;;OAMG;IACH,OAAO,CAAC,0BAA0B;IAUlC;;;;;;;;OAQG;IACH,OAAO,CAAC,wBAAwB;IAOhC;;;;;;;;OAQG;IACH,OAAO,CAAC,wBAAwB;CAiBjC"}

package/types/editing/constants.d.ts

@@ -5,4 +5,9 @@ export declare const QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = "x-vercel-set-bypass
  * Note these are in lowercase format to match expected `IncomingHttpHeaders`.
  */
 export declare const EDITING_PASS_THROUGH_HEADERS: string[];
+/**
+ * Header used to propagate editing preview parameters from the editing render
+ * route handler to the Next.js page when running in App Router.
+ */
+export declare const EDITING_PARAMS_HEADER = "x-sitecore-editing-params";
 //# sourceMappingURL=constants.d.ts.map

package/types/editing/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/editing/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,oCAAoC,+BAA+B,CAAC;AACjF,eAAO,MAAM,oCAAoC,+BAA+B,CAAC;AAEjF;;;GAGG;AACH,eAAO,MAAM,4BAA4B,UAA8B,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/editing/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,oCAAoC,+BAA+B,CAAC;AACjF,eAAO,MAAM,oCAAoC,+BAA+B,CAAC;AAEjF;;;GAGG;AACH,eAAO,MAAM,4BAA4B,UAA8B,CAAC;AAExE;;;GAGG;AACH,eAAO,MAAM,qBAAqB,8BAA8B,CAAC"}

package/types/editing/editing-render-middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"editing-render-middleware.d.ts","sourceRoot":"","sources":["../../src/editing/editing-render-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AAEvD,OAAO,EAIL,wBAAwB,EACzB,MAAM,uCAAuC,CAAC;AAG/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAe3D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElD;;;GAGG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C;;OAEG;IACH,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,GAAG;IACnD,KAAK,EAAE,wBAAwB,CAAC;CACjC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,uBAAwB,SAAQ,oBAAoB;IAK5C,MAAM,CAAC,EAAE,6BAA6B;IAJzD,OAAO,CAAC,WAAW,CAAoB;IACvC;;OAEG;gBACgB,MAAM,CAAC,EAAE,6BAA6B,YAAA;IAKzD;;;OAGG;IACI,UAAU,IAAI,CAAC,GAAG,EAAE,qBAAqB,EAAE,GAAG,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC;IAIxF,OAAO,CAAC,OAAO,CA8Jb;CACH"}
+{"version":3,"file":"editing-render-middleware.d.ts","sourceRoot":"","sources":["../../src/editing/editing-render-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AAEvD,OAAO,EAIL,wBAAwB,EACzB,MAAM,uCAAuC,CAAC;AAG/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAe3D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElD;;;GAGG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C;;OAEG;IACH,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,cAAc,GAAG;IACnD,KAAK,EAAE,wBAAwB,CAAC;CACjC,CAAC;AAEF;;;;GAIG;AACH,qBAAa,uBAAwB,SAAQ,oBAAoB;IAK5C,MAAM,CAAC,EAAE,6BAA6B;IAJzD,OAAO,CAAC,WAAW,CAAoB;IACvC;;OAEG;gBACgB,MAAM,CAAC,EAAE,6BAA6B,YAAA;IAKzD;;;OAGG;IACI,UAAU,IAAI,CAAC,GAAG,EAAE,qBAAqB,EAAE,GAAG,EAAE,eAAe,KAAK,OAAO,CAAC,IAAI,CAAC;IAIxF,OAAO,CAAC,OAAO,CA+Jb;CACH"}

package/types/route-handler/editing-render-route-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"editing-render-route-handler.d.ts","sourceRoot":"","sources":["../../src/route-handler/editing-render-route-handler.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAiB1C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE3D;;;GAGG;AACH,wBAAsB,cAAc,iBAMnC;AAED,KAAK,qBAAqB,GAAG;IAC3B;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C;;OAEG;IACH,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,qBAAqB;eAwDrD,WAAW;gBAiKV,WAAW;mBAnLd,WAAW;CAgSlC,CAAC"}
+{"version":3,"file":"editing-render-route-handler.d.ts","sourceRoot":"","sources":["../../src/route-handler/editing-render-route-handler.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAkB1C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE3D;;;GAGG;AACH,wBAAsB,cAAc,iBAMnC;AAED,KAAK,qBAAqB,GAAG;IAC3B;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9C;;OAEG;IACH,8BAA8B,CAAC,EAAE,MAAM,CAAC;IACxC;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;CACzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,qBAAqB;eAwDrD,WAAW;gBA4KV,WAAW;mBA9Ld,WAAW;CAmTlC,CAAC"}