@sitecore-jss/sitecore-jss-nextjs 22.1.0-canary.3 → 22.1.0-canary.30

package/dist/esm/components/Link.js

@@ -14,7 +14,7 @@ import PropTypes from 'prop-types';
 import NextLink from 'next/link';
 import { Link as ReactLink, LinkPropTypes, } from '@sitecore-jss/sitecore-jss-react';
 export const Link = forwardRef((props, ref) => {
-    const { field, editable, children, internalLinkMatcher = /^\//g, showLinkTextWithChildrenPresent } = props, htmlLinkProps = __rest(props, ["field", "editable", "children", "internalLinkMatcher", "showLinkTextWithChildrenPresent"]);
+    const { field, editable = true, children, internalLinkMatcher = /^\//g, showLinkTextWithChildrenPresent } = props, htmlLinkProps = __rest(props, ["field", "editable", "children", "internalLinkMatcher", "showLinkTextWithChildrenPresent"]);
     if (!field ||
         (!field.editable && !field.value && !field.href)) {
         return null;
@@ -23,7 +23,7 @@ export const Link = forwardRef((props, ref) => {
         ? field
         : field.value);
     const { href, querystring, anchor } = value;
-    const isEditing = editable && field.editable;
+    const isEditing = editable && (field.editable || field.metadata);
     if (href && !isEditing) {
         const text = showLinkTextWithChildrenPresent || !children ? value.text || value.href : null;
         // determine if a link is a route or not.
@@ -38,8 +38,5 @@ export const Link = forwardRef((props, ref) => {
     delete reactLinkProps.internalLinkMatcher;
     return React.createElement(ReactLink, Object.assign({}, reactLinkProps, { ref: ref }));
 });
-Link.defaultProps = {
-    editable: true,
-};
 Link.displayName = 'NextLink';
 Link.propTypes = Object.assign({ internalLinkMatcher: PropTypes.instanceOf(RegExp) }, LinkPropTypes);

package/dist/esm/components/NextImage.js

@@ -12,10 +12,10 @@ var __rest = (this && this.__rest) || function (s, e) {
 import { mediaApi } from '@sitecore-jss/sitecore-jss/media';
 import PropTypes from 'prop-types';
 import React from 'react';
-import { getEEMarkup, } from '@sitecore-jss/sitecore-jss-react';
+import { getEEMarkup, withFieldMetadata, } from '@sitecore-jss/sitecore-jss-react';
 import Image from 'next/image';
-export const NextImage = (_a) => {
-    var { editable, imageParams, field, mediaUrlPrefix, fill, priority } = _a, otherProps = __rest(_a, ["editable", "imageParams", "field", "mediaUrlPrefix", "fill", "priority"]);
+export const NextImage = withFieldMetadata((_a) => {
+    var { editable = true, imageParams, field, mediaUrlPrefix, fill, priority } = _a, otherProps = __rest(_a, ["editable", "imageParams", "field", "mediaUrlPrefix", "fill", "priority"]);
     // next handles src and we use a custom loader,
     // throw error if these are present
     if (otherProps.src) {
@@ -53,7 +53,7 @@ export const NextImage = (_a) => {
         return React.createElement(Image, Object.assign({ alt: "" }, imageProps));
     }
     return null; // we can't handle the truth
-};
+});
 NextImage.propTypes = {
     field: PropTypes.oneOfType([
         PropTypes.shape({
@@ -68,7 +68,4 @@ NextImage.propTypes = {
     mediaUrlPrefix: PropTypes.instanceOf(RegExp),
     imageParams: PropTypes.objectOf(PropTypes.oneOfType([PropTypes.number.isRequired, PropTypes.string.isRequired]).isRequired),
 };
-NextImage.defaultProps = {
-    editable: true,
-};
 NextImage.displayName = 'NextImage';

package/dist/esm/components/RichText.js

@@ -15,9 +15,9 @@ import { useRouter } from 'next/router';
 import { RichText as ReactRichText, RichTextPropTypes, } from '@sitecore-jss/sitecore-jss-react';
 const prefetched = {};
 export const RichText = (props) => {
-    const { internalLinksSelector = 'a[href^="/"]', prefetchLinks = true } = props, rest = __rest(props, ["internalLinksSelector", "prefetchLinks"]);
+    const { internalLinksSelector = 'a[href^="/"]', prefetchLinks = true, editable = true } = props, rest = __rest(props, ["internalLinksSelector", "prefetchLinks", "editable"]);
     const hasText = props.field && props.field.value;
-    const isEditing = props.editable && props.field && props.field.editable;
+    const isEditing = editable && props.field && props.field.editable;
     const router = useRouter();
     const richTextRef = useRef(null);
     useEffect(() => {
@@ -52,8 +52,4 @@ export const RichText = (props) => {
     return React.createElement(ReactRichText, Object.assign({ ref: richTextRef }, rest));
 };
 RichText.propTypes = Object.assign({ internalLinksSelector: PropTypes.string }, RichTextPropTypes);
-RichText.defaultProps = {
-    tag: 'div',
-    editable: true,
-};
 RichText.displayName = 'NextRichText';

package/dist/esm/editing/constants.js

@@ -1,3 +1,7 @@
 export const QUERY_PARAM_EDITING_SECRET = 'secret';
 export const QUERY_PARAM_PROTECTION_BYPASS_SITECORE = 'x-sitecore-protection-bypass';
 export const QUERY_PARAM_PROTECTION_BYPASS_VERCEL = 'x-vercel-protection-bypass';
+/**
+ * Default allowed origins for editing requests. This is used to enforce CORS, CSP headers.
+ */
+export const EDITING_ALLOWED_ORIGINS = ['https://pages*.cloud', 'https://pages.sitecorecloud.io'];

package/dist/esm/editing/editing-config-middleware.js

@@ -7,9 +7,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-import { QUERY_PARAM_EDITING_SECRET } from './constants';
+import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
 import { getJssEditingSecret } from '../utils/utils';
 import { debug } from '@sitecore-jss/sitecore-jss';
+import { EditMode } from '@sitecore-jss/sitecore-jss/layout';
+import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
 /**
  * Middleware / handler used in the editing config API route in xmcloud add on (e.g. '/api/editing/config')
  * provides configuration information to determine feature compatibility on Pages side.
@@ -22,6 +24,10 @@ export class EditingConfigMiddleware {
         this.config = config;
         this.handler = (_req, res) => __awaiter(this, void 0, void 0, function* () {
             const secret = _req.query[QUERY_PARAM_EDITING_SECRET];
+            if (!enforceCors(_req, res, EDITING_ALLOWED_ORIGINS)) {
+                debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+                return res.status(401).json({ message: 'Invalid origin' });
+            }
             if (secret !== getJssEditingSecret()) {
                 debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
                 return res.status(401).json({ message: 'Missing or invalid editing secret' });
@@ -29,9 +35,11 @@ export class EditingConfigMiddleware {
             const components = Array.isArray(this.config.components)
                 ? this.config.components
                 : Array.from(this.config.components.keys());
+            const editMode = this.config.pagesEditMode || EditMode.Metadata;
             return res.status(200).json({
                 components,
                 packages: this.config.metadata.packages,
+                editMode,
             });
         });
     }

package/dist/esm/editing/editing-data-middleware.js

@@ -9,8 +9,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 import { editingDataDiskCache } from './editing-data-cache';
 import { isEditingData } from './editing-data';
-import { QUERY_PARAM_EDITING_SECRET } from './constants';
+import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
 import { getJssEditingSecret } from '../utils/utils';
+import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
+import { debug } from '@sitecore-jss/sitecore-jss';
 /**
  * Middleware / handler for use in the editing data Next.js API dynamic route (e.g. '/api/editing/data/[key]')
  * which is required for Sitecore editing support.
@@ -25,6 +27,10 @@ export class EditingDataMiddleware {
             const { method, query, body } = req;
             const secret = query[QUERY_PARAM_EDITING_SECRET];
             const key = query[this.queryParamKey];
+            if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
+                debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+                return res.status(401).json({ message: 'Invalid origin' });
+            }
             // Validate secret
             if (secret !== getJssEditingSecret()) {
                 res.status(401).end('Missing or invalid secret');

package/dist/esm/editing/editing-render-middleware.js

@@ -9,51 +9,58 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 import { STATIC_PROPS_ID, SERVER_PROPS_ID } from 'next/constants';
 import { AxiosDataFetcher, debug } from '@sitecore-jss/sitecore-jss';
-import { EDITING_COMPONENT_ID, RenderingType } from '@sitecore-jss/sitecore-jss/layout';
+import { EDITING_COMPONENT_ID, EditMode, RenderingType, } from '@sitecore-jss/sitecore-jss/layout';
 import { parse } from 'node-html-parser';
 import { editingDataService } from './editing-data-service';
-import { QUERY_PARAM_EDITING_SECRET } from './constants';
+import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
 import { getJssEditingSecret } from '../utils/utils';
 import { RenderMiddlewareBase } from './render-middleware';
+import { enforceCors, getAllowedOriginsFromEnv } from '@sitecore-jss/sitecore-jss/utils';
 /**
- * Middleware / handler for use in the editing render Next.js API route (e.g. '/api/editing/render')
- * which is required for Sitecore editing support.
+ * Handler for the Editing Chromes POST requests.
+ * This handler is responsible for rendering the page and returning the HTML content that is provided via request.
  */
-export class EditingRenderMiddleware extends RenderMiddlewareBase {
-    /**
-     * @param {EditingRenderMiddlewareConfig} [config] Editing render middleware config
-     */
+export class ChromesHandler extends RenderMiddlewareBase {
     constructor(config) {
         var _a, _b, _c, _d;
         super();
-        this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
-            var _e, _f;
-            const { method, query, body, headers } = req;
+        this.config = config;
+        /**
+         * Default page URL resolution.
+         * @param {Object} args Arguments for resolving the page URL
+         * @param {string} args.serverUrl The root server URL e.g. 'http://localhost:3000'
+         * @param {string} args.itemPath The Sitecore relative item path e.g. '/styleguide'
+         * @returns {string} The URL to render
+         */
+        this.defaultResolvePageUrl = ({ serverUrl, itemPath, }) => {
+            return `${serverUrl}${itemPath}`;
+        };
+        /**
+         * Default server URL resolution.
+         * Note we use https protocol on Vercel due to serverless function architecture.
+         * In all other scenarios, including localhost (with or without a proxy e.g. ngrok)
+         * and within a nodejs container, http protocol should be used.
+         *
+         * For information about the VERCEL environment variable, see
+         * https://vercel.com/docs/environment-variables#system-environment-variables
+         * @param {NextApiRequest} req
+         */
+        this.defaultResolveServerUrl = (req) => {
+            return `${process.env.VERCEL ? 'https' : 'http'}://${req.headers.host}`;
+        };
+        this.editingDataService = (_a = config === null || config === void 0 ? void 0 : config.editingDataService) !== null && _a !== void 0 ? _a : editingDataService;
+        this.dataFetcher = (_b = config === null || config === void 0 ? void 0 : config.dataFetcher) !== null && _b !== void 0 ? _b : new AxiosDataFetcher({ debugger: debug.editing });
+        this.resolvePageUrl = (_c = config === null || config === void 0 ? void 0 : config.resolvePageUrl) !== null && _c !== void 0 ? _c : this.defaultResolvePageUrl;
+        this.resolveServerUrl = (_d = config === null || config === void 0 ? void 0 : config.resolveServerUrl) !== null && _d !== void 0 ? _d : this.defaultResolveServerUrl;
+    }
+    render(req, res) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            const { query } = req;
             const startTimestamp = Date.now();
-            debug.editing('editing render middleware start: %o', {
-                method,
-                query,
-                headers,
-                body,
-            });
-            if (method !== 'POST') {
-                debug.editing('invalid method - sent %s expected POST', method);
-                res.setHeader('Allow', 'POST');
-                return res.status(405).json({
-                    html: `<html><body>Invalid request method '${method}'</body></html>`,
-                });
-            }
-            // Validate secret
-            const secret = (_e = query[QUERY_PARAM_EDITING_SECRET]) !== null && _e !== void 0 ? _e : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
-            if (secret !== getJssEditingSecret()) {
-                debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
-                return res.status(401).json({
-                    html: '<html><body>Missing or invalid secret</body></html>',
-                });
-            }
             try {
                 // Extract data from EE payload
-                const editingData = extractEditingData(req);
+                const editingData = this.extractEditingData(req);
                 // Resolve server URL
                 const serverUrl = this.resolveServerUrl(req);
                 // Get query string parameters to propagate on subsequent requests (e.g. for deployment protection bypass)
@@ -69,7 +76,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
                 // Make actual render request for page route, passing on preview cookies as well as any approved query string parameters.
                 // Note timestamp effectively disables caching the request in Axios (no amount of cache headers seemed to do it)
                 debug.editing('fetching page route for %s', editingData.path);
-                const requestUrl = new URL(this.resolvePageUrl(serverUrl, editingData.path));
+                const requestUrl = new URL(this.resolvePageUrl({ serverUrl, itemPath: editingData.path }));
                 for (const key in params) {
                     if ({}.hasOwnProperty.call(params, key)) {
                         requestUrl.searchParams.append(key, params[key]);
@@ -106,7 +113,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
                 html = html.replace(STATIC_PROPS_ID, SERVER_PROPS_ID);
                 if (editingData.layoutData.sitecore.context.renderingType === RenderingType.Component) {
                     // Handle component rendering. Extract component markup only
-                    html = (_f = parse(html).getElementById(EDITING_COMPONENT_ID)) === null || _f === void 0 ? void 0 : _f.innerHTML;
+                    html = (_a = parse(html).getElementById(EDITING_COMPONENT_ID)) === null || _a === void 0 ? void 0 : _a.innerHTML;
                     if (!html)
                         throw new Error(`Failed to render component for ${editingData.path}`);
                 }
@@ -132,72 +139,174 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
                 });
             }
         });
-        /**
-         * Default page URL resolution.
-         * @param {string} serverUrl
-         * @param {string} itemPath
-         */
-        this.defaultResolvePageUrl = (serverUrl, itemPath) => {
-            return `${serverUrl}${itemPath}`;
-        };
-        /**
-         * Default server URL resolution.
-         * Note we use https protocol on Vercel due to serverless function architecture.
-         * In all other scenarios, including localhost (with or without a proxy e.g. ngrok)
-         * and within a nodejs container, http protocol should be used.
-         *
-         * For information about the VERCEL environment variable, see
-         * https://vercel.com/docs/environment-variables#system-environment-variables
-         * @param {NextApiRequest} req
-         */
-        this.defaultResolveServerUrl = (req) => {
-            return `${process.env.VERCEL ? 'https' : 'http'}://${req.headers.host}`;
+    }
+    extractEditingData(req) {
+        // Sitecore editors will send the following body data structure,
+        // though we're only concerned with the "args".
+        // {
+        //   id: 'JSS app name',
+        //   args: ['path', 'serialized layout data object', 'serialized viewbag object'],
+        //   functionName: 'renderView',
+        //   moduleName: 'server.bundle'
+        // }
+        // The 'serialized viewbag object' structure:
+        // {
+        //   language: 'language',
+        //   dictionary: 'key-value representation of tokens and their corresponding translations',
+        //   httpContext: 'serialized request data'
+        // }
+        var _a;
+        // Note req.body _should_ have already been parsed as JSON at this point (via Next.js `bodyParser` API middleware)
+        const payload = req.body;
+        if (!payload || !payload.args || !Array.isArray(payload.args) || payload.args.length < 3) {
+            throw new Error('Unable to extract editing data from request. Ensure `bodyParser` middleware is enabled on your Next.js API route.');
+        }
+        const layoutData = JSON.parse(payload.args[1]);
+        const viewBag = JSON.parse(payload.args[2]);
+        // Keep backwards compatibility in case people use an older JSS version that doesn't send the path in the context
+        const path = (_a = layoutData.sitecore.context.itemPath) !== null && _a !== void 0 ? _a : viewBag.httpContext.request.path;
+        return {
+            path,
+            layoutData,
+            language: viewBag.language,
+            dictionary: viewBag.dictionary,
         };
-        this.editingDataService = (_a = config === null || config === void 0 ? void 0 : config.editingDataService) !== null && _a !== void 0 ? _a : editingDataService;
-        this.dataFetcher = (_b = config === null || config === void 0 ? void 0 : config.dataFetcher) !== null && _b !== void 0 ? _b : new AxiosDataFetcher({ debugger: debug.editing });
-        this.resolvePageUrl = (_c = config === null || config === void 0 ? void 0 : config.resolvePageUrl) !== null && _c !== void 0 ? _c : this.defaultResolvePageUrl;
-        this.resolveServerUrl = (_d = config === null || config === void 0 ? void 0 : config.resolveServerUrl) !== null && _d !== void 0 ? _d : this.defaultResolveServerUrl;
+    }
+}
+/**
+ * Type guard for EditingMetadataPreviewData
+ * @param {Object} data preview data to check
+ * @returns true if the data is EditingMetadataPreviewData
+ * @see EditingMetadataPreviewData
+ */
+export const isEditingMetadataPreviewData = (data) => {
+    return (typeof data === 'object' &&
+        data !== null &&
+        'editMode' in data &&
+        data.editMode === EditMode.Metadata);
+};
+/**
+ * Handler for the Editing Metadata GET requests.
+ * This handler is responsible for redirecting the request to the page route.
+ * The page fetches the layout, dictionary and renders the page.
+ */
+export class MetadataHandler {
+    constructor(config) {
+        this.config = config;
+    }
+    render(req, res) {
+        var _a, _b;
+        const { query } = req;
+        const startTimestamp = Date.now();
+        const requiredQueryParams = [
+            'sc_site',
+            'sc_itemid',
+            'sc_lang',
+            'sc_variant',
+            'sc_version',
+            'mode',
+        ];
+        const missingQueryParams = requiredQueryParams.filter((param) => !query[param]);
+        // Validate query parameters
+        if (missingQueryParams.length) {
+            debug.editing('missing required query parameters: %o', missingQueryParams);
+            return res.status(400).json({
+                html: `<html><body>Missing required query parameters: ${missingQueryParams.join(', ')}</body></html>`,
+            });
+        }
+        res.setPreviewData({
+            site: query.sc_site,
+            itemId: query.sc_itemid,
+            language: query.sc_lang,
+            // sc_variant is an array in the query params, but we only need the first value
+            variantId: query.sc_variant.split(',')[0],
+            version: query.sc_version,
+            editMode: EditMode.Metadata,
+            pageState: query.mode,
+        }, 
+        // Cache the preview data for 3 seconds to ensure the page is rendered with the correct preview data not the cached one
+        {
+            path: query.route,
+            maxAge: 3,
+        });
+        const route = ((_b = (_a = this.config).resolvePageUrl) === null || _b === void 0 ? void 0 : _b.call(_a, {
+            itemPath: query.route,
+        })) || query.route;
+        debug.editing('editing render middleware end in %dms: redirect %o', Date.now() - startTimestamp, {
+            status: 307,
+            route,
+        });
+        // Restrict the page to be rendered only within the allowed origins
+        res.setHeader('Content-Security-Policy', this.getSCPHeader());
+        res.redirect(route);
     }
     /**
-     * Gets the Next.js API route handler
-     * @returns route handler
+     * Gets the Content-Security-Policy header value
+     * @returns Content-Security-Policy header value
      */
-    getHandler() {
-        return this.handler;
+    getSCPHeader() {
+        return `frame-ancestors 'self' ${[getAllowedOriginsFromEnv(), ...EDITING_ALLOWED_ORIGINS].join(' ')}`;
     }
 }
 /**
- * @param {NextApiRequest} req
+ * Middleware / handler for use in the editing render Next.js API route (e.g. '/api/editing/render')
+ * which is required for Sitecore editing support.
  */
-export function extractEditingData(req) {
-    // Sitecore editors will send the following body data structure,
-    // though we're only concerned with the "args".
-    // {
-    //   id: 'JSS app name',
-    //   args: ['path', 'serialized layout data object', 'serialized viewbag object'],
-    //   functionName: 'renderView',
-    //   moduleName: 'server.bundle'
-    // }
-    // The 'serialized viewbag object' structure:
-    // {
-    //   language: 'language',
-    //   dictionary: 'key-value representation of tokens and their corresponding translations',
-    //   httpContext: 'serialized request data'
-    // }
-    var _a;
-    // Note req.body _should_ have already been parsed as JSON at this point (via Next.js `bodyParser` API middleware)
-    const payload = req.body;
-    if (!payload || !payload.args || !Array.isArray(payload.args) || payload.args.length < 3) {
-        throw new Error('Unable to extract editing data from request. Ensure `bodyParser` middleware is enabled on your Next.js API route.');
+export class EditingRenderMiddleware extends RenderMiddlewareBase {
+    /**
+     * @param {EditingRenderMiddlewareConfig} [config] Editing render middleware config
+     */
+    constructor(config) {
+        super();
+        this.config = config;
+        this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c;
+            const { query, body, method, headers } = req;
+            debug.editing('editing render middleware start: %o', {
+                method,
+                query,
+                headers,
+                body,
+            });
+            if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
+                debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+                return res.status(401).json({
+                    html: `<html><body>Requests from origin ${(_a = req.headers) === null || _a === void 0 ? void 0 : _a.origin} not allowed</body></html>`,
+                });
+            }
+            // Validate secret
+            const secret = (_b = query[QUERY_PARAM_EDITING_SECRET]) !== null && _b !== void 0 ? _b : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
+            if (secret !== getJssEditingSecret()) {
+                debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
+                return res.status(401).json({
+                    html: '<html><body>Missing or invalid secret</body></html>',
+                });
+            }
+            switch (req.method) {
+                case 'GET': {
+                    const handler = new MetadataHandler({ resolvePageUrl: (_c = this.config) === null || _c === void 0 ? void 0 : _c.resolvePageUrl });
+                    yield handler.render(req, res);
+                    break;
+                }
+                case 'POST': {
+                    const handler = new ChromesHandler(this.config);
+                    yield handler.render(req, res);
+                    break;
+                }
+                default:
+                    debug.editing('invalid method - sent %s expected GET/POST', req.method);
+                    res.setHeader('Allow', 'GET, POST');
+                    return res.status(405).json({
+                        html: `<html><body>Invalid request method '${req.method}'</body></html>`,
+                    });
+            }
+        });
+    }
+    /**
+     * Gets the Next.js API route handler
+     * @returns route handler
+     */
+    getHandler() {
+        return this.handler;
     }
-    const layoutData = JSON.parse(payload.args[1]);
-    const viewBag = JSON.parse(payload.args[2]);
-    // Keep backwards compatibility in case people use an older JSS version that doesn't send the path in the context
-    const path = (_a = layoutData.sitecore.context.itemPath) !== null && _a !== void 0 ? _a : viewBag.httpContext.request.path;
-    return {
-        path,
-        layoutData,
-        language: viewBag.language,
-        dictionary: viewBag.dictionary,
-    };
 }

package/dist/esm/editing/feaas-render-middleware.js

@@ -8,9 +8,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 import { debug } from '@sitecore-jss/sitecore-jss';
-import { QUERY_PARAM_EDITING_SECRET } from './constants';
+import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
 import { getJssEditingSecret } from '../utils/utils';
 import { RenderMiddlewareBase } from './render-middleware';
+import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
 /**
  * Middleware / handler for use in the feaas render Next.js API route (e.g. '/api/editing/feaas/render')
  * which is required for Sitecore editing support.
@@ -25,6 +26,7 @@ export class FEAASRenderMiddleware extends RenderMiddlewareBase {
         this.config = config;
         this.defaultPageUrl = '/feaas/render';
         this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
+            var _b;
             const { method, query, headers } = req;
             const startTimestamp = Date.now();
             debug.editing('feaas render middleware start: %o', {
@@ -32,6 +34,12 @@ export class FEAASRenderMiddleware extends RenderMiddlewareBase {
                 query,
                 headers,
             });
+            if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
+                debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
+                return res
+                    .status(401)
+                    .send(`<html><body>Requests from origin ${(_b = req.headers) === null || _b === void 0 ? void 0 : _b.origin} are not allowed</body></html>`);
+            }
             if (method !== 'GET') {
                 debug.editing('invalid method - sent %s expected GET', method);
                 res.setHeader('Allow', 'GET');

package/dist/esm/editing/index.js

@@ -1,6 +1,7 @@
+export { GraphQLEditingService } from '@sitecore-jss/sitecore-jss/editing';
 export { EditingDataDiskCache } from './editing-data-cache';
 export { EditingDataMiddleware } from './editing-data-middleware';
-export { EditingRenderMiddleware, } from './editing-render-middleware';
+export { EditingRenderMiddleware, isEditingMetadataPreviewData, } from './editing-render-middleware';
 export { BasicEditingDataService, ServerlessEditingDataService, editingDataService, } from './editing-data-service';
 export { VercelEditingDataCache } from './vercel-editing-data-cache';
 export { FEAASRenderMiddleware } from './feaas-render-middleware';

package/dist/esm/index.js

@@ -1,5 +1,5 @@
 export { constants, AxiosDataFetcher, NativeDataFetcher, enableDebug, debug, } from '@sitecore-jss/sitecore-jss';
-export { LayoutServicePageState, GraphQLLayoutService, RestLayoutService, getChildPlaceholder, getFieldValue, RenderingType, EDITING_COMPONENT_PLACEHOLDER, EDITING_COMPONENT_ID, getContentStylesheetLink, } from '@sitecore-jss/sitecore-jss/layout';
+export { LayoutServicePageState, GraphQLLayoutService, RestLayoutService, getChildPlaceholder, getFieldValue, RenderingType, EDITING_COMPONENT_PLACEHOLDER, EDITING_COMPONENT_ID, getContentStylesheetLink, EditMode, } from '@sitecore-jss/sitecore-jss/layout';
 export { mediaApi } from '@sitecore-jss/sitecore-jss/media';
 export { trackingApi, } from '@sitecore-jss/sitecore-jss/tracking';
 export { GraphQLDictionaryService, RestDictionaryService, } from '@sitecore-jss/sitecore-jss/i18n';
@@ -21,4 +21,4 @@ export { FEaaSWrapper };
 export { BYOCWrapper };
 export { ComponentBuilder } from './ComponentBuilder';
 export { Context } from './context';
-export { Image, Text, DateField, EditFrame, FEaaSComponent, fetchFEaaSComponentServerProps, BYOCComponent, getComponentLibraryStylesheetLinks, File, VisitorIdentification, SitecoreContext, SitecoreContextReactContext, withSitecoreContext, useSitecoreContext, withEditorChromes, withPlaceholder, withDatasourceCheck, } from '@sitecore-jss/sitecore-jss-react';
+export { Image, Text, DateField, EditFrame, FEaaSComponent, fetchFEaaSComponentServerProps, BYOCComponent, getComponentLibraryStylesheetLinks, File, VisitorIdentification, SitecoreContext, SitecoreContextReactContext, withSitecoreContext, useSitecoreContext, withEditorChromes, withPlaceholder, withDatasourceCheck, withFieldMetadata, EditingScripts, } from '@sitecore-jss/sitecore-jss-react';

package/dist/esm/utils/index.js

@@ -1,2 +1,3 @@
 export { getPublicUrl, handleEditorFastRefresh } from './utils';
-export { tryParseEnvValue, isEditorActive, resetEditorChromes, resolveUrl, } from '@sitecore-jss/sitecore-jss/utils';
+export { tryParseEnvValue, resolveUrl } from '@sitecore-jss/sitecore-jss/utils';
+export { isEditorActive, resetEditorChromes } from '@sitecore-jss/sitecore-jss/editing';

package/dist/esm/utils/utils.js

@@ -1,4 +1,4 @@
-import { isEditorActive, resetEditorChromes } from '@sitecore-jss/sitecore-jss/utils';
+import { isEditorActive, resetEditorChromes } from '@sitecore-jss/sitecore-jss/editing';
 /**
  * Get the publicUrl.
  * This is used primarily to enable compatibility with Sitecore editors.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sitecore-jss/sitecore-jss-nextjs",
-  "version": "22.1.0-canary.3",
+  "version": "22.1.0-canary.30",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",
   "sideEffects": false,
@@ -14,7 +14,7 @@
     "generate-docs": "npx typedoc --plugin typedoc-plugin-markdown --readme none --out ../../ref-docs/sitecore-jss-nextjs --entryPoints src/index.ts --entryPoints src/monitoring/index.ts --entryPoints src/editing/index.ts --entryPoints src/middleware/index.ts --entryPoints src/context/index.ts --entryPoints src/utils/index.ts --entryPoints src/site/index.ts --entryPoints src/graphql/index.ts --githubPages false"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "author": {
     "name": "Sitecore Corporation",
@@ -35,7 +35,7 @@
     "@types/chai-string": "^1.4.2",
     "@types/enzyme": "^3.10.12",
     "@types/mocha": "^10.0.1",
-    "@types/node": "~18.11.18",
+    "@types/node": "~20.14.2",
     "@types/prop-types": "^15.7.5",
     "@types/react": "^18.2.22",
     "@types/react-dom": "^18.0.10",
@@ -72,9 +72,9 @@
     "react-dom": "^18.2.0"
   },
   "dependencies": {
-    "@sitecore-jss/sitecore-jss": "^22.1.0-canary.3",
-    "@sitecore-jss/sitecore-jss-dev-tools": "^22.1.0-canary.3",
-    "@sitecore-jss/sitecore-jss-react": "^22.1.0-canary.3",
+    "@sitecore-jss/sitecore-jss": "^22.1.0-canary.30",
+    "@sitecore-jss/sitecore-jss-dev-tools": "^22.1.0-canary.30",
+    "@sitecore-jss/sitecore-jss-react": "^22.1.0-canary.30",
     "@vercel/kv": "^0.2.1",
     "node-html-parser": "^6.1.4",
     "prop-types": "^15.8.1",
@@ -83,7 +83,7 @@
   },
   "description": "",
   "types": "types/index.d.ts",
-  "gitHead": "4def962a4ba6dd75c257ee5df443cd0d3dfda3b4",
+  "gitHead": "c4bb65e67427a07c5f66ce83dc211550db9612a5",
   "files": [
     "dist",
     "types",

package/types/ComponentBuilder.d.ts

@@ -1,18 +1,16 @@
-/// <reference types="@types/react" />
-import { ComponentFactory } from '@sitecore-jss/sitecore-jss-react';
+import { ComponentFactory, JssComponentType } from '@sitecore-jss/sitecore-jss-react';
 import { Module, ModuleFactory } from './sharedTypes/module-factory';
-import { ComponentType } from 'react';
 /**
  * Represents a component that can be imported dynamically
  */
 export type LazyModule = {
     module: () => Promise<Module>;
-    element: (isEditing?: boolean) => ComponentType;
+    element: (isEditing?: boolean) => JssComponentType;
 };
 /**
  * Component is a module or a lazy module
  */
-type Component = Module | LazyModule | ComponentType;
+type Component = Module | LazyModule | JssComponentType;
 /**
  * Configuration for ComponentBuilder
  */