@sitecore-jss/sitecore-jss-nextjs 22.1.0-canary.4 → 22.1.0-canary.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/dist/cjs/components/Link.js +1 -1
  2. package/dist/cjs/components/NextImage.js +2 -3
  3. package/dist/cjs/editing/constants.js +12 -3
  4. package/dist/cjs/editing/editing-config-middleware.js +8 -0
  5. package/dist/cjs/editing/editing-data-middleware.js +6 -0
  6. package/dist/cjs/editing/editing-render-middleware.js +208 -103
  7. package/dist/cjs/editing/feaas-render-middleware.js +8 -0
  8. package/dist/cjs/editing/index.js +4 -1
  9. package/dist/cjs/editing/render-middleware.js +18 -4
  10. package/dist/cjs/index.js +5 -7
  11. package/dist/cjs/utils/index.js +4 -3
  12. package/dist/cjs/utils/utils.js +3 -3
  13. package/dist/esm/components/Link.js +1 -1
  14. package/dist/esm/components/NextImage.js +3 -3
  15. package/dist/esm/editing/constants.js +11 -2
  16. package/dist/esm/editing/editing-config-middleware.js +9 -1
  17. package/dist/esm/editing/editing-data-middleware.js +7 -1
  18. package/dist/esm/editing/editing-render-middleware.js +206 -103
  19. package/dist/esm/editing/feaas-render-middleware.js +9 -1
  20. package/dist/esm/editing/index.js +2 -1
  21. package/dist/esm/editing/render-middleware.js +19 -5
  22. package/dist/esm/index.js +2 -3
  23. package/dist/esm/utils/index.js +2 -1
  24. package/dist/esm/utils/utils.js +1 -1
  25. package/package.json +7 -8
  26. package/types/ComponentBuilder.d.ts +3 -5
  27. package/types/components/Placeholder.d.ts +7 -2
  28. package/types/components/RichText.d.ts +3 -0
  29. package/types/editing/constants.d.ts +11 -2
  30. package/types/editing/editing-config-middleware.d.ts +7 -0
  31. package/types/editing/editing-data-service.d.ts +1 -0
  32. package/types/editing/editing-render-middleware.d.ts +111 -23
  33. package/types/editing/index.d.ts +2 -1
  34. package/types/editing/render-middleware.d.ts +9 -0
  35. package/types/index.d.ts +2 -3
  36. package/types/utils/index.d.ts +2 -1
  37. package/dist/cjs/components/EditingComponentPlaceholder.js +0 -12
  38. package/dist/esm/components/EditingComponentPlaceholder.js +0 -5
  39. package/types/components/EditingComponentPlaceholder.d.ts +0 -4
package/dist/cjs/utils/utils.js CHANGED
@@ -1,7 +1,7 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.getJssEditingSecret = exports.handleEditorFastRefresh = exports.getPublicUrl = void 0;
4
- const utils_1 = require("@sitecore-jss/sitecore-jss/utils");
4
+ const editing_1 = require("@sitecore-jss/sitecore-jss/editing");
5
5
  /**
6
6
  * Get the publicUrl.
7
7
  * This is used primarily to enable compatibility with Sitecore editors.
@@ -32,7 +32,7 @@ exports.getPublicUrl = getPublicUrl;
32
32
  * @default forceReload false
33
33
  */
34
34
  const handleEditorFastRefresh = (forceReload = false) => {
35
- if (process.env.NODE_ENV !== 'development' || !(0, utils_1.isEditorActive)()) {
35
+ if (process.env.NODE_ENV !== 'development' || !(0, editing_1.isEditorActive)()) {
36
36
  // Only run if development mode and editor is active
37
37
  return;
38
38
  }
@@ -50,7 +50,7 @@ const handleEditorFastRefresh = (forceReload = false) => {
50
50
  return window.location.reload();
51
51
  setTimeout(() => {
52
52
  console.log('[Sitecore Editor HMR Listener] Sitecore editor does not support Fast Refresh, reloading chromes...');
53
- (0, utils_1.resetEditorChromes)();
53
+ (0, editing_1.resetEditorChromes)();
54
54
  }, 500);
55
55
  };
56
56
  };
package/dist/esm/components/Link.js CHANGED
@@ -23,7 +23,7 @@ export const Link = forwardRef((props, ref) => {
23
23
  ? field
24
24
  : field.value);
25
25
  const { href, querystring, anchor } = value;
26
- const isEditing = editable && field.editable;
26
+ const isEditing = editable && (field.editable || field.metadata);
27
27
  if (href && !isEditing) {
28
28
  const text = showLinkTextWithChildrenPresent || !children ? value.text || value.href : null;
29
29
  // determine if a link is a route or not.
package/dist/esm/components/NextImage.js CHANGED
@@ -12,9 +12,9 @@ var __rest = (this && this.__rest) || function (s, e) {
12
12
  import { mediaApi } from '@sitecore-jss/sitecore-jss/media';
13
13
  import PropTypes from 'prop-types';
14
14
  import React from 'react';
15
- import { getEEMarkup, } from '@sitecore-jss/sitecore-jss-react';
15
+ import { getEEMarkup, withFieldMetadata, } from '@sitecore-jss/sitecore-jss-react';
16
16
  import Image from 'next/image';
17
- export const NextImage = (_a) => {
17
+ export const NextImage = withFieldMetadata((_a) => {
18
18
  var { editable = true, imageParams, field, mediaUrlPrefix, fill, priority } = _a, otherProps = __rest(_a, ["editable", "imageParams", "field", "mediaUrlPrefix", "fill", "priority"]);
19
19
  // next handles src and we use a custom loader,
20
20
  // throw error if these are present
@@ -53,7 +53,7 @@ export const NextImage = (_a) => {
53
53
  return React.createElement(Image, Object.assign({ alt: "" }, imageProps));
54
54
  }
55
55
  return null; // we can't handle the truth
56
- };
56
+ });
57
57
  NextImage.propTypes = {
58
58
  field: PropTypes.oneOfType([
59
59
  PropTypes.shape({
package/dist/esm/editing/constants.js CHANGED
@@ -1,3 +1,12 @@
1
1
  export const QUERY_PARAM_EDITING_SECRET = 'secret';
2
- export const QUERY_PARAM_PROTECTION_BYPASS_SITECORE = 'x-sitecore-protection-bypass';
3
- export const QUERY_PARAM_PROTECTION_BYPASS_VERCEL = 'x-vercel-protection-bypass';
2
+ export const QUERY_PARAM_VERCEL_PROTECTION_BYPASS = 'x-vercel-protection-bypass';
3
+ export const QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE = 'x-vercel-set-bypass-cookie';
4
+ /**
5
+ * Headers that should be passed along to (Editing Chromes handler) SSR request.
6
+ * Note these are in lowercase format to match expected `IncomingHttpHeaders`.
7
+ */
8
+ export const EDITING_PASS_THROUGH_HEADERS = ['authorization', 'cookie'];
9
+ /**
10
+ * Default allowed origins for editing requests. This is used to enforce CORS, CSP headers.
11
+ */
12
+ export const EDITING_ALLOWED_ORIGINS = ['https://pages*.cloud', 'https://pages.sitecorecloud.io'];
package/dist/esm/editing/editing-config-middleware.js CHANGED
@@ -7,9 +7,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
7
7
  step((generator = generator.apply(thisArg, _arguments || [])).next());
8
8
  });
9
9
  };
10
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
10
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
11
11
  import { getJssEditingSecret } from '../utils/utils';
12
12
  import { debug } from '@sitecore-jss/sitecore-jss';
13
+ import { EditMode } from '@sitecore-jss/sitecore-jss/layout';
14
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
13
15
  /**
14
16
  * Middleware / handler used in the editing config API route in xmcloud add on (e.g. '/api/editing/config')
15
17
  * provides configuration information to determine feature compatibility on Pages side.
@@ -22,6 +24,10 @@ export class EditingConfigMiddleware {
22
24
  this.config = config;
23
25
  this.handler = (_req, res) => __awaiter(this, void 0, void 0, function* () {
24
26
  const secret = _req.query[QUERY_PARAM_EDITING_SECRET];
27
+ if (!enforceCors(_req, res, EDITING_ALLOWED_ORIGINS)) {
28
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
29
+ return res.status(401).json({ message: 'Invalid origin' });
30
+ }
25
31
  if (secret !== getJssEditingSecret()) {
26
32
  debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
27
33
  return res.status(401).json({ message: 'Missing or invalid editing secret' });
@@ -29,9 +35,11 @@ export class EditingConfigMiddleware {
29
35
  const components = Array.isArray(this.config.components)
30
36
  ? this.config.components
31
37
  : Array.from(this.config.components.keys());
38
+ const editMode = this.config.pagesEditMode || EditMode.Metadata;
32
39
  return res.status(200).json({
33
40
  components,
34
41
  packages: this.config.metadata.packages,
42
+ editMode,
35
43
  });
36
44
  });
37
45
  }
package/dist/esm/editing/editing-data-middleware.js CHANGED
@@ -9,8 +9,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
9
9
  };
10
10
  import { editingDataDiskCache } from './editing-data-cache';
11
11
  import { isEditingData } from './editing-data';
12
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
12
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
13
13
  import { getJssEditingSecret } from '../utils/utils';
14
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
15
+ import { debug } from '@sitecore-jss/sitecore-jss';
14
16
  /**
15
17
  * Middleware / handler for use in the editing data Next.js API dynamic route (e.g. '/api/editing/data/[key]')
16
18
  * which is required for Sitecore editing support.
@@ -25,6 +27,10 @@ export class EditingDataMiddleware {
25
27
  const { method, query, body } = req;
26
28
  const secret = query[QUERY_PARAM_EDITING_SECRET];
27
29
  const key = query[this.queryParamKey];
30
+ if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
31
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
32
+ return res.status(401).json({ message: 'Invalid origin' });
33
+ }
28
34
  // Validate secret
29
35
  if (secret !== getJssEditingSecret()) {
30
36
  res.status(401).end('Missing or invalid secret');
package/dist/esm/editing/editing-render-middleware.js CHANGED
@@ -9,55 +9,62 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
9
9
  };
10
10
  import { STATIC_PROPS_ID, SERVER_PROPS_ID } from 'next/constants';
11
11
  import { AxiosDataFetcher, debug } from '@sitecore-jss/sitecore-jss';
12
- import { EDITING_COMPONENT_ID, RenderingType } from '@sitecore-jss/sitecore-jss/layout';
13
- import { parse } from 'node-html-parser';
12
+ import { EditMode } from '@sitecore-jss/sitecore-jss/layout';
14
13
  import { editingDataService } from './editing-data-service';
15
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
14
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
16
15
  import { getJssEditingSecret } from '../utils/utils';
17
16
  import { RenderMiddlewareBase } from './render-middleware';
17
+ import { enforceCors, getAllowedOriginsFromEnv } from '@sitecore-jss/sitecore-jss/utils';
18
18
  /**
19
- * Middleware / handler for use in the editing render Next.js API route (e.g. '/api/editing/render')
20
- * which is required for Sitecore editing support.
19
+ * Handler for the Editing Chromes POST requests.
20
+ * This handler is responsible for rendering the page and returning the HTML content that is provided via request.
21
21
  */
22
- export class EditingRenderMiddleware extends RenderMiddlewareBase {
23
- /**
24
- * @param {EditingRenderMiddlewareConfig} [config] Editing render middleware config
25
- */
22
+ export class ChromesHandler extends RenderMiddlewareBase {
26
23
  constructor(config) {
27
24
  var _a, _b, _c, _d;
28
25
  super();
29
- this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
30
- var _e, _f;
31
- const { method, query, body, headers } = req;
26
+ this.config = config;
27
+ /**
28
+ * Default page URL resolution.
29
+ * @param {Object} args Arguments for resolving the page URL
30
+ * @param {string} args.serverUrl The root server URL e.g. 'http://localhost:3000'
31
+ * @param {string} args.itemPath The Sitecore relative item path e.g. '/styleguide'
32
+ * @returns {string} The URL to render
33
+ */
34
+ this.defaultResolvePageUrl = ({ serverUrl, itemPath, }) => {
35
+ return `${serverUrl}${itemPath}`;
36
+ };
37
+ /**
38
+ * Default server URL resolution.
39
+ * Note we use https protocol on Vercel due to serverless function architecture.
40
+ * In all other scenarios, including localhost (with or without a proxy e.g. ngrok)
41
+ * and within a nodejs container, http protocol should be used.
42
+ *
43
+ * For information about the VERCEL environment variable, see
44
+ * https://vercel.com/docs/environment-variables#system-environment-variables
45
+ * @param {NextApiRequest} req
46
+ */
47
+ this.defaultResolveServerUrl = (req) => {
48
+ return `${process.env.VERCEL ? 'https' : 'http'}://${req.headers.host}`;
49
+ };
50
+ this.editingDataService = (_a = config === null || config === void 0 ? void 0 : config.editingDataService) !== null && _a !== void 0 ? _a : editingDataService;
51
+ this.dataFetcher = (_b = config === null || config === void 0 ? void 0 : config.dataFetcher) !== null && _b !== void 0 ? _b : new AxiosDataFetcher({ debugger: debug.editing });
52
+ this.resolvePageUrl = (_c = config === null || config === void 0 ? void 0 : config.resolvePageUrl) !== null && _c !== void 0 ? _c : this.defaultResolvePageUrl;
53
+ this.resolveServerUrl = (_d = config === null || config === void 0 ? void 0 : config.resolveServerUrl) !== null && _d !== void 0 ? _d : this.defaultResolveServerUrl;
54
+ }
55
+ render(req, res) {
56
+ return __awaiter(this, void 0, void 0, function* () {
57
+ const { query, headers: incomingHeaders } = req;
32
58
  const startTimestamp = Date.now();
33
- debug.editing('editing render middleware start: %o', {
34
- method,
35
- query,
36
- headers,
37
- body,
38
- });
39
- if (method !== 'POST') {
40
- debug.editing('invalid method - sent %s expected POST', method);
41
- res.setHeader('Allow', 'POST');
42
- return res.status(405).json({
43
- html: `<html><body>Invalid request method '${method}'</body></html>`,
44
- });
45
- }
46
- // Validate secret
47
- const secret = (_e = query[QUERY_PARAM_EDITING_SECRET]) !== null && _e !== void 0 ? _e : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
48
- if (secret !== getJssEditingSecret()) {
49
- debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
50
- return res.status(401).json({
51
- html: '<html><body>Missing or invalid secret</body></html>',
52
- });
53
- }
54
59
  try {
55
60
  // Extract data from EE payload
56
- const editingData = extractEditingData(req);
61
+ const editingData = this.extractEditingData(req);
57
62
  // Resolve server URL
58
63
  const serverUrl = this.resolveServerUrl(req);
59
64
  // Get query string parameters to propagate on subsequent requests (e.g. for deployment protection bypass)
60
65
  const params = this.getQueryParamsForPropagation(query);
66
+ // Get headers to propagate on subsequent requests
67
+ const headers = this.getHeadersForPropagation(incomingHeaders);
61
68
  // Stash for use later on (i.e. within getStatic/ServerSideProps).
62
69
  // Note we can't set this directly in setPreviewData since it's stored as a cookie (2KB limit)
63
70
  // https://nextjs.org/docs/advanced-features/preview-mode#previewdata-size-limits)
@@ -66,10 +73,11 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
66
73
  res.setPreviewData(previewData);
67
74
  // Grab the Next.js preview cookies to send on to the render request
68
75
  const cookies = res.getHeader('Set-Cookie');
76
+ headers.cookie = `${headers.cookie ? headers.cookie + ';' : ''}${cookies.join(';')}`;
69
77
  // Make actual render request for page route, passing on preview cookies as well as any approved query string parameters.
70
78
  // Note timestamp effectively disables caching the request in Axios (no amount of cache headers seemed to do it)
71
79
  debug.editing('fetching page route for %s', editingData.path);
72
- const requestUrl = new URL(this.resolvePageUrl(serverUrl, editingData.path));
80
+ const requestUrl = new URL(this.resolvePageUrl({ serverUrl, itemPath: editingData.path }));
73
81
  for (const key in params) {
74
82
  if ({}.hasOwnProperty.call(params, key)) {
75
83
  requestUrl.searchParams.append(key, params[key]);
@@ -78,9 +86,7 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
78
86
  requestUrl.searchParams.append('timestamp', Date.now().toString());
79
87
  const pageRes = yield this.dataFetcher
80
88
  .get(requestUrl.toString(), {
81
- headers: {
82
- Cookie: cookies.join(';'),
83
- },
89
+ headers,
84
90
  })
85
91
  .catch((err) => {
86
92
  // We need to handle not found error provided by Vercel
@@ -104,12 +110,6 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
104
110
  // certain route configurations (e.g. multiple catch-all routes).
105
111
  // The following line will trick it into thinking we're SSR, thus avoiding any router.replace.
106
112
  html = html.replace(STATIC_PROPS_ID, SERVER_PROPS_ID);
107
- if (editingData.layoutData.sitecore.context.renderingType === RenderingType.Component) {
108
- // Handle component rendering. Extract component markup only
109
- html = (_f = parse(html).getElementById(EDITING_COMPONENT_ID)) === null || _f === void 0 ? void 0 : _f.innerHTML;
110
- if (!html)
111
- throw new Error(`Failed to render component for ${editingData.path}`);
112
- }
113
113
  const body = { html };
114
114
  // Return expected JSON result
115
115
  debug.editing('editing render middleware end in %dms: %o', Date.now() - startTimestamp, {
@@ -132,72 +132,175 @@ export class EditingRenderMiddleware extends RenderMiddlewareBase {
132
132
  });
133
133
  }
134
134
  });
135
- /**
136
- * Default page URL resolution.
137
- * @param {string} serverUrl
138
- * @param {string} itemPath
139
- */
140
- this.defaultResolvePageUrl = (serverUrl, itemPath) => {
141
- return `${serverUrl}${itemPath}`;
142
- };
143
- /**
144
- * Default server URL resolution.
145
- * Note we use https protocol on Vercel due to serverless function architecture.
146
- * In all other scenarios, including localhost (with or without a proxy e.g. ngrok)
147
- * and within a nodejs container, http protocol should be used.
148
- *
149
- * For information about the VERCEL environment variable, see
150
- * https://vercel.com/docs/environment-variables#system-environment-variables
151
- * @param {NextApiRequest} req
152
- */
153
- this.defaultResolveServerUrl = (req) => {
154
- return `${process.env.VERCEL ? 'https' : 'http'}://${req.headers.host}`;
135
+ }
136
+ extractEditingData(req) {
137
+ // Sitecore editors will send the following body data structure,
138
+ // though we're only concerned with the "args".
139
+ // {
140
+ // id: 'JSS app name',
141
+ // args: ['path', 'serialized layout data object', 'serialized viewbag object'],
142
+ // functionName: 'renderView',
143
+ // moduleName: 'server.bundle'
144
+ // }
145
+ // The 'serialized viewbag object' structure:
146
+ // {
147
+ // language: 'language',
148
+ // dictionary: 'key-value representation of tokens and their corresponding translations',
149
+ // httpContext: 'serialized request data'
150
+ // }
151
+ var _a;
152
+ // Note req.body _should_ have already been parsed as JSON at this point (via Next.js `bodyParser` API middleware)
153
+ const payload = req.body;
154
+ if (!payload || !payload.args || !Array.isArray(payload.args) || payload.args.length < 3) {
155
+ throw new Error('Unable to extract editing data from request. Ensure `bodyParser` middleware is enabled on your Next.js API route.');
156
+ }
157
+ const layoutData = JSON.parse(payload.args[1]);
158
+ const viewBag = JSON.parse(payload.args[2]);
159
+ // Keep backwards compatibility in case people use an older JSS version that doesn't send the path in the context
160
+ const path = (_a = layoutData.sitecore.context.itemPath) !== null && _a !== void 0 ? _a : viewBag.httpContext.request.path;
161
+ return {
162
+ path,
163
+ layoutData,
164
+ language: viewBag.language,
165
+ dictionary: viewBag.dictionary,
155
166
  };
156
- this.editingDataService = (_a = config === null || config === void 0 ? void 0 : config.editingDataService) !== null && _a !== void 0 ? _a : editingDataService;
157
- this.dataFetcher = (_b = config === null || config === void 0 ? void 0 : config.dataFetcher) !== null && _b !== void 0 ? _b : new AxiosDataFetcher({ debugger: debug.editing });
158
- this.resolvePageUrl = (_c = config === null || config === void 0 ? void 0 : config.resolvePageUrl) !== null && _c !== void 0 ? _c : this.defaultResolvePageUrl;
159
- this.resolveServerUrl = (_d = config === null || config === void 0 ? void 0 : config.resolveServerUrl) !== null && _d !== void 0 ? _d : this.defaultResolveServerUrl;
167
+ }
168
+ }
169
+ /**
170
+ * Type guard for EditingMetadataPreviewData
171
+ * @param {Object} data preview data to check
172
+ * @returns true if the data is EditingMetadataPreviewData
173
+ * @see EditingMetadataPreviewData
174
+ */
175
+ export const isEditingMetadataPreviewData = (data) => {
176
+ return (typeof data === 'object' &&
177
+ data !== null &&
178
+ 'editMode' in data &&
179
+ data.editMode === EditMode.Metadata);
180
+ };
181
+ /**
182
+ * Handler for the Editing Metadata GET requests.
183
+ * This handler is responsible for redirecting the request to the page route.
184
+ * The page fetches the layout, dictionary and renders the page.
185
+ */
186
+ export class MetadataHandler {
187
+ constructor(config) {
188
+ this.config = config;
189
+ }
190
+ render(req, res) {
191
+ var _a, _b;
192
+ const { query } = req;
193
+ const startTimestamp = Date.now();
194
+ const requiredQueryParams = [
195
+ 'sc_site',
196
+ 'sc_itemid',
197
+ 'sc_lang',
198
+ 'sc_variant',
199
+ 'sc_version',
200
+ 'route',
201
+ 'mode',
202
+ ];
203
+ const missingQueryParams = requiredQueryParams.filter((param) => !query[param]);
204
+ // Validate query parameters
205
+ if (missingQueryParams.length) {
206
+ debug.editing('missing required query parameters: %o', missingQueryParams);
207
+ return res.status(400).json({
208
+ html: `<html><body>Missing required query parameters: ${missingQueryParams.join(', ')}</body></html>`,
209
+ });
210
+ }
211
+ res.setPreviewData({
212
+ site: query.sc_site,
213
+ itemId: query.sc_itemid,
214
+ language: query.sc_lang,
215
+ // sc_variant is an array in the query params, but we only need the first value
216
+ variantId: query.sc_variant.split(',')[0],
217
+ version: query.sc_version,
218
+ editMode: EditMode.Metadata,
219
+ pageState: query.mode,
220
+ },
221
+ // Cache the preview data for 3 seconds to ensure the page is rendered with the correct preview data not the cached one
222
+ {
223
+ path: query.route,
224
+ maxAge: 3,
225
+ });
226
+ const route = ((_b = (_a = this.config).resolvePageUrl) === null || _b === void 0 ? void 0 : _b.call(_a, {
227
+ itemPath: query.route,
228
+ })) || query.route;
229
+ debug.editing('editing render middleware end in %dms: redirect %o', Date.now() - startTimestamp, {
230
+ status: 307,
231
+ route,
232
+ });
233
+ // Restrict the page to be rendered only within the allowed origins
234
+ res.setHeader('Content-Security-Policy', this.getSCPHeader());
235
+ res.redirect(route);
160
236
  }
161
237
  /**
162
- * Gets the Next.js API route handler
163
- * @returns route handler
238
+ * Gets the Content-Security-Policy header value
239
+ * @returns Content-Security-Policy header value
164
240
  */
165
- getHandler() {
166
- return this.handler;
241
+ getSCPHeader() {
242
+ return `frame-ancestors 'self' ${[getAllowedOriginsFromEnv(), ...EDITING_ALLOWED_ORIGINS].join(' ')}`;
167
243
  }
168
244
  }
169
245
  /**
170
- * @param {NextApiRequest} req
246
+ * Middleware / handler for use in the editing render Next.js API route (e.g. '/api/editing/render')
247
+ * which is required for Sitecore editing support.
171
248
  */
172
- export function extractEditingData(req) {
173
- // Sitecore editors will send the following body data structure,
174
- // though we're only concerned with the "args".
175
- // {
176
- // id: 'JSS app name',
177
- // args: ['path', 'serialized layout data object', 'serialized viewbag object'],
178
- // functionName: 'renderView',
179
- // moduleName: 'server.bundle'
180
- // }
181
- // The 'serialized viewbag object' structure:
182
- // {
183
- // language: 'language',
184
- // dictionary: 'key-value representation of tokens and their corresponding translations',
185
- // httpContext: 'serialized request data'
186
- // }
187
- var _a;
188
- // Note req.body _should_ have already been parsed as JSON at this point (via Next.js `bodyParser` API middleware)
189
- const payload = req.body;
190
- if (!payload || !payload.args || !Array.isArray(payload.args) || payload.args.length < 3) {
191
- throw new Error('Unable to extract editing data from request. Ensure `bodyParser` middleware is enabled on your Next.js API route.');
249
+ export class EditingRenderMiddleware extends RenderMiddlewareBase {
250
+ /**
251
+ * @param {EditingRenderMiddlewareConfig} [config] Editing render middleware config
252
+ */
253
+ constructor(config) {
254
+ super();
255
+ this.config = config;
256
+ this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
257
+ var _a, _b, _c;
258
+ const { query, body, method, headers } = req;
259
+ debug.editing('editing render middleware start: %o', {
260
+ method,
261
+ query,
262
+ headers,
263
+ body,
264
+ });
265
+ if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
266
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
267
+ return res.status(401).json({
268
+ html: `<html><body>Requests from origin ${(_a = req.headers) === null || _a === void 0 ? void 0 : _a.origin} not allowed</body></html>`,
269
+ });
270
+ }
271
+ // Validate secret
272
+ const secret = (_b = query[QUERY_PARAM_EDITING_SECRET]) !== null && _b !== void 0 ? _b : body === null || body === void 0 ? void 0 : body.jssEditingSecret;
273
+ if (secret !== getJssEditingSecret()) {
274
+ debug.editing('invalid editing secret - sent "%s" expected "%s"', secret, getJssEditingSecret());
275
+ return res.status(401).json({
276
+ html: '<html><body>Missing or invalid secret</body></html>',
277
+ });
278
+ }
279
+ switch (req.method) {
280
+ case 'GET': {
281
+ const handler = new MetadataHandler({ resolvePageUrl: (_c = this.config) === null || _c === void 0 ? void 0 : _c.resolvePageUrl });
282
+ yield handler.render(req, res);
283
+ break;
284
+ }
285
+ case 'POST': {
286
+ const handler = new ChromesHandler(this.config);
287
+ yield handler.render(req, res);
288
+ break;
289
+ }
290
+ default:
291
+ debug.editing('invalid method - sent %s expected GET/POST', req.method);
292
+ res.setHeader('Allow', 'GET, POST');
293
+ return res.status(405).json({
294
+ html: `<html><body>Invalid request method '${req.method}'</body></html>`,
295
+ });
296
+ }
297
+ });
298
+ }
299
+ /**
300
+ * Gets the Next.js API route handler
301
+ * @returns route handler
302
+ */
303
+ getHandler() {
304
+ return this.handler;
192
305
  }
193
- const layoutData = JSON.parse(payload.args[1]);
194
- const viewBag = JSON.parse(payload.args[2]);
195
- // Keep backwards compatibility in case people use an older JSS version that doesn't send the path in the context
196
- const path = (_a = layoutData.sitecore.context.itemPath) !== null && _a !== void 0 ? _a : viewBag.httpContext.request.path;
197
- return {
198
- path,
199
- layoutData,
200
- language: viewBag.language,
201
- dictionary: viewBag.dictionary,
202
- };
203
306
  }
package/dist/esm/editing/feaas-render-middleware.js CHANGED
@@ -8,9 +8,10 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
8
8
  });
9
9
  };
10
10
  import { debug } from '@sitecore-jss/sitecore-jss';
11
- import { QUERY_PARAM_EDITING_SECRET } from './constants';
11
+ import { EDITING_ALLOWED_ORIGINS, QUERY_PARAM_EDITING_SECRET } from './constants';
12
12
  import { getJssEditingSecret } from '../utils/utils';
13
13
  import { RenderMiddlewareBase } from './render-middleware';
14
+ import { enforceCors } from '@sitecore-jss/sitecore-jss/utils';
14
15
  /**
15
16
  * Middleware / handler for use in the feaas render Next.js API route (e.g. '/api/editing/feaas/render')
16
17
  * which is required for Sitecore editing support.
@@ -25,6 +26,7 @@ export class FEAASRenderMiddleware extends RenderMiddlewareBase {
25
26
  this.config = config;
26
27
  this.defaultPageUrl = '/feaas/render';
27
28
  this.handler = (req, res) => __awaiter(this, void 0, void 0, function* () {
29
+ var _b;
28
30
  const { method, query, headers } = req;
29
31
  const startTimestamp = Date.now();
30
32
  debug.editing('feaas render middleware start: %o', {
@@ -32,6 +34,12 @@ export class FEAASRenderMiddleware extends RenderMiddlewareBase {
32
34
  query,
33
35
  headers,
34
36
  });
37
+ if (!enforceCors(req, res, EDITING_ALLOWED_ORIGINS)) {
38
+ debug.editing('invalid origin host - set allowed origins in JSS_ALLOWED_ORIGINS environment variable');
39
+ return res
40
+ .status(401)
41
+ .send(`<html><body>Requests from origin ${(_b = req.headers) === null || _b === void 0 ? void 0 : _b.origin} are not allowed</body></html>`);
42
+ }
35
43
  if (method !== 'GET') {
36
44
  debug.editing('invalid method - sent %s expected GET', method);
37
45
  res.setHeader('Allow', 'GET');
package/dist/esm/editing/index.js CHANGED
@@ -1,6 +1,7 @@
1
+ export { GraphQLEditingService } from '@sitecore-jss/sitecore-jss/editing';
1
2
  export { EditingDataDiskCache } from './editing-data-cache';
2
3
  export { EditingDataMiddleware } from './editing-data-middleware';
3
- export { EditingRenderMiddleware, } from './editing-render-middleware';
4
+ export { EditingRenderMiddleware, isEditingMetadataPreviewData, } from './editing-render-middleware';
4
5
  export { BasicEditingDataService, ServerlessEditingDataService, editingDataService, } from './editing-data-service';
5
6
  export { VercelEditingDataCache } from './vercel-editing-data-cache';
6
7
  export { FEAASRenderMiddleware } from './feaas-render-middleware';
package/dist/esm/editing/render-middleware.js CHANGED
@@ -1,4 +1,4 @@
1
- import { QUERY_PARAM_PROTECTION_BYPASS_SITECORE, QUERY_PARAM_PROTECTION_BYPASS_VERCEL, } from './constants';
1
+ import { QUERY_PARAM_VERCEL_PROTECTION_BYPASS, QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE, EDITING_PASS_THROUGH_HEADERS, } from './constants';
2
2
  /**
3
3
  * Base class for middleware that handles pages and components rendering in Sitecore Editors.
4
4
  */
@@ -11,13 +11,27 @@ export class RenderMiddlewareBase {
11
11
  */
12
12
  this.getQueryParamsForPropagation = (query) => {
13
13
  const params = {};
14
- if (query[QUERY_PARAM_PROTECTION_BYPASS_SITECORE]) {
15
- params[QUERY_PARAM_PROTECTION_BYPASS_SITECORE] = query[QUERY_PARAM_PROTECTION_BYPASS_SITECORE];
14
+ if (query[QUERY_PARAM_VERCEL_PROTECTION_BYPASS]) {
15
+ params[QUERY_PARAM_VERCEL_PROTECTION_BYPASS] = query[QUERY_PARAM_VERCEL_PROTECTION_BYPASS];
16
16
  }
17
- if (query[QUERY_PARAM_PROTECTION_BYPASS_VERCEL]) {
18
- params[QUERY_PARAM_PROTECTION_BYPASS_VERCEL] = query[QUERY_PARAM_PROTECTION_BYPASS_VERCEL];
17
+ if (query[QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE]) {
18
+ params[QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE] = query[QUERY_PARAM_VERCEL_SET_BYPASS_COOKIE];
19
19
  }
20
20
  return params;
21
21
  };
22
+ /**
23
+ * Get headers that should be passed along to subsequent requests
24
+ * @param {IncomingHttpHeaders} headers Incoming HTTP Headers
25
+ * @returns Object of approved headers
26
+ */
27
+ this.getHeadersForPropagation = (headers) => {
28
+ const result = {};
29
+ EDITING_PASS_THROUGH_HEADERS.forEach((header) => {
30
+ if (headers[header]) {
31
+ result[header] = headers[header];
32
+ }
33
+ });
34
+ return result;
35
+ };
22
36
  }
23
37
  }
package/dist/esm/index.js CHANGED
@@ -1,5 +1,5 @@
1
1
  export { constants, AxiosDataFetcher, NativeDataFetcher, enableDebug, debug, } from '@sitecore-jss/sitecore-jss';
2
- export { LayoutServicePageState, GraphQLLayoutService, RestLayoutService, getChildPlaceholder, getFieldValue, RenderingType, EDITING_COMPONENT_PLACEHOLDER, EDITING_COMPONENT_ID, getContentStylesheetLink, } from '@sitecore-jss/sitecore-jss/layout';
2
+ export { LayoutServicePageState, GraphQLLayoutService, RestLayoutService, getChildPlaceholder, getFieldValue, getContentStylesheetLink, EditMode, } from '@sitecore-jss/sitecore-jss/layout';
3
3
  export { mediaApi } from '@sitecore-jss/sitecore-jss/media';
4
4
  export { trackingApi, } from '@sitecore-jss/sitecore-jss/tracking';
5
5
  export { GraphQLDictionaryService, RestDictionaryService, } from '@sitecore-jss/sitecore-jss/i18n';
@@ -13,7 +13,6 @@ export { ComponentPropsReactContext, ComponentPropsContext, useComponentProps, }
13
13
  export { Link } from './components/Link';
14
14
  export { RichText } from './components/RichText';
15
15
  export { Placeholder } from './components/Placeholder';
16
- export { EditingComponentPlaceholder } from './components/EditingComponentPlaceholder';
17
16
  export { NextImage } from './components/NextImage';
18
17
  import * as FEaaSWrapper from './components/FEaaSWrapper';
19
18
  import * as BYOCWrapper from './components/BYOCWrapper';
@@ -21,4 +20,4 @@ export { FEaaSWrapper };
21
20
  export { BYOCWrapper };
22
21
  export { ComponentBuilder } from './ComponentBuilder';
23
22
  export { Context } from './context';
24
- export { Image, Text, DateField, EditFrame, FEaaSComponent, fetchFEaaSComponentServerProps, BYOCComponent, getComponentLibraryStylesheetLinks, File, VisitorIdentification, SitecoreContext, SitecoreContextReactContext, withSitecoreContext, useSitecoreContext, withEditorChromes, withPlaceholder, withDatasourceCheck, } from '@sitecore-jss/sitecore-jss-react';
23
+ export { Image, Text, DateField, EditFrame, FEaaSComponent, fetchFEaaSComponentServerProps, BYOCComponent, getComponentLibraryStylesheetLinks, File, VisitorIdentification, SitecoreContext, SitecoreContextReactContext, withSitecoreContext, useSitecoreContext, withEditorChromes, withPlaceholder, withDatasourceCheck, withFieldMetadata, EditingScripts, } from '@sitecore-jss/sitecore-jss-react';
package/dist/esm/utils/index.js CHANGED
@@ -1,2 +1,3 @@
1
1
  export { getPublicUrl, handleEditorFastRefresh } from './utils';
2
- export { tryParseEnvValue, isEditorActive, resetEditorChromes, resolveUrl, } from '@sitecore-jss/sitecore-jss/utils';
2
+ export { tryParseEnvValue, resolveUrl } from '@sitecore-jss/sitecore-jss/utils';
3
+ export { isEditorActive, resetEditorChromes } from '@sitecore-jss/sitecore-jss/editing';
package/dist/esm/utils/utils.js CHANGED
@@ -1,4 +1,4 @@
1
- import { isEditorActive, resetEditorChromes } from '@sitecore-jss/sitecore-jss/utils';
1
+ import { isEditorActive, resetEditorChromes } from '@sitecore-jss/sitecore-jss/editing';
2
2
  /**
3
3
  * Get the publicUrl.
4
4
  * This is used primarily to enable compatibility with Sitecore editors.