@sitecore-jss/sitecore-jss-nextjs 22.1.0-canary.12 → 22.1.0-canary.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,6 +1,7 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.QUERY_PARAM_PROTECTION_BYPASS_VERCEL = exports.QUERY_PARAM_PROTECTION_BYPASS_SITECORE = exports.QUERY_PARAM_EDITING_SECRET = void 0;
3
+ exports.EDITING_ALLOWED_ORIGINS = exports.QUERY_PARAM_PROTECTION_BYPASS_VERCEL = exports.QUERY_PARAM_PROTECTION_BYPASS_SITECORE = exports.QUERY_PARAM_EDITING_SECRET = void 0;
4
4
  exports.QUERY_PARAM_EDITING_SECRET = 'secret';
5
5
  exports.QUERY_PARAM_PROTECTION_BYPASS_SITECORE = 'x-sitecore-protection-bypass';
6
6
  exports.QUERY_PARAM_PROTECTION_BYPASS_VERCEL = 'x-vercel-protection-bypass';
7
+ exports.EDITING_ALLOWED_ORIGINS = ['https://pages*.cloud/', 'https://pages.sitecorecloud.io/'];
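Review bot: The wildcard entry `'https://pages*.cloud/'` on new line 7 is broader than it looks: if enforceCors expands `*` to match any characters, it also accepts a host such as `https://pages-example.cloud` (constructed), and `.cloud` is a public TLD where any party can register names, so the allowed set would not be limited to Sitecore-operated hosts. Both entries also end in a slash while a browser's Origin header carries none, so the exact entry `https://pages.sitecorecloud.io/` only matches if enforceCors strips or ignores the slash; enforceCors lives in @sitecore-jss/sitecore-jss/utils and is not in this diff, so both points need confirming there. The list has no comment explaining its role; consider `// Origins accepted by enforceCors on the editing API routes; the middlewares' debug message points to JSS_ALLOWED_ORIGINS for additional origins` above it. The ESM copy and the constants.d.ts declaration (which could be `readonly string[]`) repeat the same list.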
@@ -13,6 +13,7 @@ exports.EditingConfigMiddleware = void 0;
13
13
  const constants_1 = require("./constants");
14
14
  const utils_1 = require("../utils/utils");
15
15
  const sitecore_jss_1 = require("@sitecore-jss/sitecore-jss");
16
+ const utils_2 = require("@sitecore-jss/sitecore-jss/utils");
16
17
  /**
17
18
  * Middleware / handler used in the editing config API route in xmcloud add on (e.g. '/api/editing/config')
18
19
  * provides configuration information to determine feature compatibility on Pages side.
@@ -25,6 +26,10 @@ class EditingConfigMiddleware {
25
26
  this.config = config;
26
27
  this.handler = (_req, res) => __awaiter(this, void 0, void 0, function* () {
27
28
  const secret = _req.query[constants_1.QUERY_PARAM_EDITING_SECRET];
29
+ if (!(0, utils_2.enforceCors)(_req, res, constants_1.EDITING_ALLOWED_ORIGINS)) {
30
+ sitecore_jss_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
31
+ return res.status(401).json({ message: 'Invalid origin' });
32
+ }
28
33
  if (secret !== (0, utils_1.getJssEditingSecret)()) {
29
34
  sitecore_jss_1.debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, (0, utils_1.getJssEditingSecret)());
30
35
  return res.status(401).json({ message: 'Missing or invalid editing secret' });
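Review bot: The new rejection branch on new lines 29–32 logs a fixed message and discards the offending Origin, whereas the secret check directly below logs the value it rejected; for triage of blocked editing requests the origin is the one fact worth keeping, so in the TypeScript source `debug.editing('invalid origin host "%s" - set allowed origins in JSS_ALLOWED_ORIGINS environment variable', _req.headers?.origin);` would be more useful. The same fixed message is repeated in editing-data-middleware, editing-render-middleware and feaas-render-middleware, in both the CJS and ESM builds in this diff. The handler body continues past the hunk.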
@@ -14,6 +14,8 @@ const editing_data_cache_1 = require("./editing-data-cache");
14
14
  const editing_data_1 = require("./editing-data");
15
15
  const constants_1 = require("./constants");
16
16
  const utils_1 = require("../utils/utils");
17
+ const utils_2 = require("@sitecore-jss/sitecore-jss/utils");
18
+ const sitecore_jss_1 = require("@sitecore-jss/sitecore-jss");
17
19
  /**
18
20
  * Middleware / handler for use in the editing data Next.js API dynamic route (e.g. '/api/editing/data/[key]')
19
21
  * which is required for Sitecore editing support.
@@ -28,6 +30,10 @@ class EditingDataMiddleware {
28
30
  const { method, query, body } = req;
29
31
  const secret = query[constants_1.QUERY_PARAM_EDITING_SECRET];
30
32
  const key = query[this.queryParamKey];
33
+ if (!(0, utils_2.enforceCors)(req, res, constants_1.EDITING_ALLOWED_ORIGINS)) {
34
+ sitecore_jss_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
35
+ return res.status(401).json({ message: 'Invalid origin' });
36
+ }
31
37
  // Validate secret
32
38
  if (secret !== (0, utils_1.getJssEditingSecret)()) {
33
39
  res.status(401).end('Missing or invalid secret');
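Review bot: The new origin rejection on new line 35 answers with a JSON body, `{ message: 'Invalid origin' }`, while the secret rejection on new line 39 of the same handler answers with a plain-text body via `res.status(401).end('Missing or invalid secret')`, so a client of this route now has to handle two body shapes for the same status. Either `return res.status(401).end('Invalid origin');` here or a JSON body for the secret failure would make the handler consistent. The ESM build carries the same pair. The handler continues beyond the hunk.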
@@ -18,6 +18,7 @@ const editing_data_service_1 = require("./editing-data-service");
18
18
  const constants_2 = require("./constants");
19
19
  const utils_1 = require("../utils/utils");
20
20
  const render_middleware_1 = require("./render-middleware");
21
+ const utils_2 = require("@sitecore-jss/sitecore-jss/utils");
21
22
  /**
22
23
  * Middleware / handler for use in the editing render Next.js API route (e.g. '/api/editing/render')
23
24
  * which is required for Sitecore editing support.
@@ -30,7 +31,7 @@ class EditingRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
30
31
  var _a, _b, _c, _d;
31
32
  super();
32
33
  this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
33
- var _e, _f;
34
+ var _e, _f, _g;
34
35
  const { method, query, body, headers } = req;
35
36
  const startTimestamp = Date.now();
36
37
  sitecore_jss_1.debug.editing('editing render middleware start: %o', {
@@ -39,6 +40,12 @@ class EditingRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
39
40
  headers,
40
41
  body,
41
42
  });
43
+ if (!(0, utils_2.enforceCors)(req, res, constants_2.EDITING_ALLOWED_ORIGINS)) {
44
+ sitecore_jss_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
45
+ return res.status(401).json({
46
+ html: `<html><body>Requests from origin ${(_e = req.headers) === null || _e === void 0 ? void 0 : _e.origin} not allowed</body></html>`,
47
+ });
48
+ }
42
49
  if (method !== 'POST') {
43
50
  sitecore_jss_1.debug.editing('invalid method - sent %s expected POST', method);
44
51
  res.setHeader('Allow', 'POST');
@@ -47,7 +54,7 @@ class EditingRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
47
54
  });
48
55
  }
49
56
  // Validate secret
50
- const secret = (_e = query[constants_2.QUERY_PARAM_EDITING_SECRET]) !== null && _e !== void 0 ? _e : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
57
+ const secret = (_f = query[constants_2.QUERY_PARAM_EDITING_SECRET]) !== null && _f !== void 0 ? _f : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
51
58
  if (secret !== (0, utils_1.getJssEditingSecret)()) {
52
59
  sitecore_jss_1.debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, (0, utils_1.getJssEditingSecret)());
53
60
  return res.status(401).json({
@@ -109,7 +116,7 @@ class EditingRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
109
116
  html = html.replace(constants_1.STATIC_PROPS_ID, constants_1.SERVER_PROPS_ID);
110
117
  if (editingData.layoutData.sitecore.context.renderingType === layout_1.RenderingType.Component) {
111
118
  // Handle component rendering. Extract component markup only
112
- html = (_f = (0, node_html_parser_1.parse)(html).getElementById(layout_1.EDITING_COMPONENT_ID)) === null || _f === void 0 ? void 0 : _f.innerHTML;
119
+ html = (_g = (0, node_html_parser_1.parse)(html).getElementById(layout_1.EDITING_COMPONENT_ID)) === null || _g === void 0 ? void 0 : _g.innerHTML;
113
120
  if (!html)
114
121
  throw new Error(`Failed to render component for ${editingData.path}`);
115
122
  }
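Review bot: The rejection body built on new line 46 interpolates `req.headers?.origin` into HTML without escaping; browsers send a well-formed Origin, but a non-browser client can put arbitrary text in that header, and the string is meant to be treated as markup (here it is returned as the `html` field, and the feaas-render-middleware hunk sends the same string straight through `.send()`, which is likely to be served as HTML when no content type is set — confirm). Since the echoed value adds little for the caller, a fixed body such as `html: '<html><body>Request origin not allowed</body></html>'` avoids the reflection; if the origin must be shown, escape `&`, `<`, `>` and `"` before interpolating. The two messages also differ ('not allowed' here, 'are not allowed' in feaas) and could share one wording. The ESM builds carry the same lines. The handler's body continues outside the hunks.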
@@ -14,6 +14,7 @@ const sitecore_jss_1 = require("@sitecore-jss/sitecore-jss");
14
14
  const constants_1 = require("./constants");
15
15
  const utils_1 = require("../utils/utils");
16
16
  const render_middleware_1 = require("./render-middleware");
17
+ const utils_2 = require("@sitecore-jss/sitecore-jss/utils");
17
18
  /**
18
19
  * Middleware / handler for use in the feaas render Next.js API route (e.g. '/api/editing/feaas/render')
19
20
  * which is required for Sitecore editing support.
@@ -28,6 +29,7 @@ class FEAASRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
28
29
  this.config = config;
29
30
  this.defaultPageUrl = '/feaas/render';
30
31
  this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
32
+ var _b;
31
33
  const { method, query, headers } = req;
32
34
  const startTimestamp = Date.now();
33
35
  sitecore_jss_1.debug.editing('feaas render middleware start: %o', {
@@ -35,6 +37,12 @@ class FEAASRenderMiddleware extends render_middleware_1.RenderMiddlewareBase {
35
37
  query,
36
38
  headers,
37
39
  });
40
+ if (!(0, utils_2.enforceCors)(req, res, constants_1.EDITING_ALLOWED_ORIGINS)) {
41
+ sitecore_jss_1.debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
42
+ return res
43
+ .status(401)
44
+ .send(`<html><body>Requests from origin ${(_b = req.headers) === null || _b === void 0 ? void 0 : _b.origin} are not allowed</body></html>`);
45
+ }
38
46
  if (method !== 'GET') {
39
47
  sitecore_jss_1.debug.editing('invalid method - sent %s expected GET', method);
40
48
  res.setHeader('Allow', 'GET');
@@ -1,3 +1,4 @@
1
1
  export const QUERY_PARAM_EDITING_SECRET = 'secret';
2
2
  export const QUERY_PARAM_PROTECTION_BYPASS_SITECORE = 'x-sitecore-protection-bypass';
3
3
  export const QUERY_PARAM_PROTECTION_BYPASS_VERCEL = 'x-vercel-protection-bypass';
4
+ export const EDITING_ALLOWED_ORIGINS = ['https://pages*.cloud/', 'https://pages.sitecorecloud.io/'];
@@ -7,9 +7,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
7
7
  step((generator = generator.apply(thisArg, _arguments || [])).next());
8
8
  });
9
9
  };
10
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
10
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
11
11
  import { getJssEditingSecret } from '../utils/utils';
12
12
  import { debug } from '@sitecore-jss/sitecore-jss';
13
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
13
14
  /**
14
15
  * Middleware / handler used in the editing config API route in xmcloud add on (e.g. '/api/editing/config')
15
16
  * provides configuration information to determine feature compatibility on Pages side.
@@ -22,6 +23,10 @@ export class EditingConfigMiddleware {
22
23
  this.config = config;
23
24
  this.handler = (_req, res) => __awaiter(this, void 0, void 0, function* () {
24
25
  const secret = _req.query[QUERY_PARAM_EDITING_SECRET];
26
+ if (!enforceCors(_req, res, EDITING_ALLOWED_ORIGINS)) {
27
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
28
+ return res.status(401).json({ message: 'Invalid origin' });
29
+ }
25
30
  if (secret !== getJssEditingSecret()) {
26
31
  debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
27
32
  return res.status(401).json({ message: 'Missing or invalid editing secret' });
@@ -9,8 +9,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
9
9
  };
10
10
  import { editingDataDiskCache } from './editing-data-cache';
11
11
  import { isEditingData } from './editing-data';
12
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
12
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
13
13
  import { getJssEditingSecret } from '../utils/utils';
14
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
15
+ import { debug } from '@sitecore-jss/sitecore-jss';
14
16
  /**
15
17
  * Middleware / handler for use in the editing data Next.js API dynamic route (e.g. '/api/editing/data/[key]')
16
18
  * which is required for Sitecore editing support.
@@ -25,6 +27,10 @@ export class EditingDataMiddleware {
25
27
  const { method, query, body } = req;
26
28
  const secret = query[QUERY_PARAM_EDITING_SECRET];
27
29
  const key = query[this.queryParamKey];
30
+ if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
31
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
32
+ return res.status(401).json({ message: 'Invalid origin' });
33
+ }
28
34
  // Validate secret
29
35
  if (secret !== getJssEditingSecret()) {
30
36
  res.status(401).end('Missing or invalid secret');
@@ -12,9 +12,10 @@ import { AxiosDataFetcher, debug } from '@sitecore-jss/sitecore-jss';
12
12
  import { EDITING_COMPONENT_ID, RenderingType } from '@sitecore-jss/sitecore-jss/layout';
13
13
  import { parse } from 'node-html-parser';
14
14
  import { editingDataService } from './editing-data-service';
15
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
15
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
16
16
  import { getJssEditingSecret } from '../utils/utils';
17
17
  import { RenderMiddlewareBase } from './render-middleware';
18
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
18
19
  /**
19
20
  * Middleware / handler for use in the editing render Next.js API route (e.g. '/api/editing/render')
20
21
  * which is required for Sitecore editing support.
@@ -27,7 +28,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
27
28
  var _a, _b, _c, _d;
28
29
  super();
29
30
  this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
30
- var _e, _f;
31
+ var _e, _f, _g;
31
32
  const { method, query, body, headers } = req;
32
33
  const startTimestamp = Date.now();
33
34
  debug.editing('editing render middleware start: %o', {
@@ -36,6 +37,12 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
36
37
  headers,
37
38
  body,
38
39
  });
40
+ if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
41
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
42
+ return res.status(401).json({
43
+ html: `<html><body>Requests from origin ${(_e = req.headers) === null || _e === void 0 ? void 0 : _e.origin} not allowed</body></html>`,
44
+ });
45
+ }
39
46
  if (method !== 'POST') {
40
47
  debug.editing('invalid method - sent %s expected POST', method);
41
48
  res.setHeader('Allow', 'POST');
@@ -44,7 +51,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
44
51
  });
45
52
  }
46
53
  // Validate secret
47
- const secret = (_e = query[QUERY_PARAM_EDITING_SECRET]) !== null && _e !== void 0 ? _e : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
54
+ const secret = (_f = query[QUERY_PARAM_EDITING_SECRET]) !== null && _f !== void 0 ? _f : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
48
55
  if (secret !== getJssEditingSecret()) {
49
56
  debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
50
57
  return res.status(401).json({
@@ -106,7 +113,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
106
113
  html = html.replace(STATIC_PROPS_ID, SERVER_PROPS_ID);
107
114
  if (editingData.layoutData.sitecore.context.renderingType === RenderingType.Component) {
108
115
  // Handle component rendering. Extract component markup only
109
- html = (_f = parse(html).getElementById(EDITING_COMPONENT_ID)) === null || _f === void 0 ? void 0 : _f.innerHTML;
116
+ html = (_g = parse(html).getElementById(EDITING_COMPONENT_ID)) === null || _g === void 0 ? void 0 : _g.innerHTML;
110
117
  if (!html)
111
118
  throw new Error(`Failed to render component for ${editingData.path}`);
112
119
  }
@@ -8,9 +8,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
8
8
  });
9
9
  };
10
10
  import { debug } from '@sitecore-jss/sitecore-jss';
11
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
11
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
12
12
  import { getJssEditingSecret } from '../utils/utils';
13
13
  import { RenderMiddlewareBase } from './render-middleware';
14
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
14
15
  /**
15
16
  * Middleware / handler for use in the feaas render Next.js API route (e.g. '/api/editing/feaas/render')
16
17
  * which is required for Sitecore editing support.
@@ -25,6 +26,7 @@ export class FEAASRenderMiddleware extends RenderMiddlewareBase {
25
26
  this.config = config;
26
27
  this.defaultPageUrl = '/feaas/render';
27
28
  this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
29
+ var _b;
28
30
  const { method, query, headers } = req;
29
31
  const startTimestamp = Date.now();
30
32
  debug.editing('feaas render middleware start: %o', {
@@ -32,6 +34,12 @@ export class FEAASRenderMiddleware extends RenderMiddlewareBase {
32
34
  query,
33
35
  headers,
34
36
  });
37
+ if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
38
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
39
+ return res
40
+ .status(401)
41
+ .send(`<html><body>Requests from origin ${(_b = req.headers) === null || _b === void 0 ? void 0 : _b.origin} are not allowed</body></html>`);
42
+ }
35
43
  if (method !== 'GET') {
36
44
  debug.editing('invalid method - sent %s expected GET', method);
37
45
  res.setHeader('Allow', 'GET');
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@sitecore-jss/sitecore-jss-nextjs",
3
- "version": "22.1.0-canary.12",
3
+ "version": "22.1.0-canary.14",
4
4
  "main": "dist/cjs/index.js",
5
5
  "module": "dist/esm/index.js",
6
6
  "sideEffects": false,
@@ -72,9 +72,9 @@
72
72
  "react-dom": "^18.2.0"
73
73
  },
74
74
  "dependencies": {
75
- "@sitecore-jss/sitecore-jss": "^22.1.0-canary.12",
76
- "@sitecore-jss/sitecore-jss-dev-tools": "^22.1.0-canary.12",
77
- "@sitecore-jss/sitecore-jss-react": "^22.1.0-canary.12",
75
+ "@sitecore-jss/sitecore-jss": "^22.1.0-canary.14",
76
+ "@sitecore-jss/sitecore-jss-dev-tools": "^22.1.0-canary.14",
77
+ "@sitecore-jss/sitecore-jss-react": "^22.1.0-canary.14",
78
78
  "@vercel/kv": "^0.2.1",
79
79
  "node-html-parser": "^6.1.4",
80
80
  "prop-types": "^15.8.1",
@@ -83,7 +83,7 @@
83
83
  },
84
84
  "description": "",
85
85
  "types": "types/index.d.ts",
86
- "gitHead": "24b00de991d13bd8d10d3ff005f2315f21a4da45",
86
+ "gitHead": "c9af9f05c5b12981b625aeeec8b5f541924537ee",
87
87
  "files": [
88
88
  "dist",
89
89
  "types",
@@ -1,3 +1,4 @@
1
1
  export declare const QUERY_PARAM_EDITING_SECRET = "secret";
2
2
  export declare const QUERY_PARAM_PROTECTION_BYPASS_SITECORE = "x-sitecore-protection-bypass";
3
3
  export declare const QUERY_PARAM_PROTECTION_BYPASS_VERCEL = "x-vercel-protection-bypass";
4
+ export declare const EDITING_ALLOWED_ORIGINS: string[];