@zengenti/contensis-react-base 4.0.0-beta.6 → 4.0.0-beta.61

package/cjs/contensis-react-base.js

@@ -2,23 +2,25 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var SSRContext = require('./SSRContext-DVj_QAC1.js');
+var ContensisDeliveryApi = require('./ContensisDeliveryApi-gN3_MHEl.js');
 var contensisDeliveryApi = require('contensis-delivery-api');
 var React = require('react');
 var reactRedux = require('react-redux');
+var slice = require('./slice-5xJMH24n.js');
 var mapJson = require('jsonpath-mapper');
-var sagas = require('./sagas-CbZhaRNd.js');
+var sagas = require('./sagas-OfBUtx74.js');
 require('reselect');
 require('immer');
 require('deep-equal');
 require('deepmerge');
 require('query-string');
 var contensisCoreApi = require('contensis-core-api');
-var VersionInfo = require('./VersionInfo-B_dKCubg.js');
+var urls = require('./urls-DGZlAs0y.js');
 require('isomorphic-fetch');
 var express = require('express');
 var http = require('http');
 var httpProxy = require('http-proxy');
+var App = require('./App-TTUKj85f.js');
 var fs = require('fs');
 var path = require('path');
 var appRootPath = require('app-root-path');
@@ -29,31 +31,38 @@ var styled = require('styled-components');
 var serialize = require('serialize-javascript');
 var lodash = require('lodash');
 var lodashClean = require('lodash-clean');
-var CookieHelper_class = require('./CookieHelper.class-C3Eqoze9.js');
+var CookieHelper_class = require('./CookieHelper.class-Det3qfdU.js');
 var cookiesMiddleware = require('universal-cookie-express');
-var store = require('./store-D07FOXvM.js');
-var App = require('./App-vZrUfVgQ.js');
-var version = require('./version-B7XFkBhY.js');
-var selectors = require('./selectors-wCs5fHD4.js');
-var RouteLoader = require('./RouteLoader-D5Yg7EB5.js');
+var store = require('./store-Dn7vP6G0.js');
+var version = require('./version-2FamXHhj.js');
+var selectors = require('./selectors-BrxJ8-F8.js');
+var RouteLoader = require('./RouteLoader-BM8DyfcF.js');
 var stream = require('stream');
 var server$2 = require('@loadable/server');
 var chalk = require('chalk');
 var minifyCssString = require('minify-css-string');
 var reactCookie = require('react-cookie');
+var reactHelmetAsync = require('react-helmet-async');
 var server$3 = require('react-router-dom/server');
+var SSRContext = require('./SSRContext-DotLlTQc.js');
+require('./VersionInfo-zFPsvS8q.js');
+require('./CookieConstants-DfPiWCRZ.js');
+require('@reduxjs/toolkit');
 require('loglevel');
 require('@redux-saga/core/effects');
+require('./version-rFG9Y6_B.js');
+require('./util-wQwG9vit.js');
+require('./selectors-DAQR0uZa.js');
 require('./_commonjsHelpers-BJu3ubxk.js');
-require('./version-CM-bJ62L.js');
+require('history');
+require('await-to-js');
+require('./ChangePassword.container-C4Du3Wb1.js');
+require('./matchGroups-dqONU-vY.js');
+require('./ToJs-BsWqWjdm.js');
 require('redux');
 require('redux-thunk');
 require('redux-saga');
 require('redux-injectors-19');
-require('history');
-require('await-to-js');
-require('./ChangePassword.container-ECjEXixF.js');
-require('./ToJs-C9jwV7YB.js');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
@@ -64,6 +73,7 @@ var http__default = /*#__PURE__*/_interopDefault(http);
 var httpProxy__default = /*#__PURE__*/_interopDefault(httpProxy);
 var fs__default = /*#__PURE__*/_interopDefault(fs);
 var path__default = /*#__PURE__*/_interopDefault(path);
+var appRootPath__default = /*#__PURE__*/_interopDefault(appRootPath);
 var serialize__default = /*#__PURE__*/_interopDefault(serialize);
 var cookiesMiddleware__default = /*#__PURE__*/_interopDefault(cookiesMiddleware);
 var chalk__default = /*#__PURE__*/_interopDefault(chalk);
@@ -240,7 +250,7 @@ const resolveParentEntries = async (parentContentTypeIds, replaceContentTypeIds,
   });
   query.fields = params.fields ? [...JSON.parse(params.fields), parentFieldId] : [];
   if (debug) console.log(`\nResolve parent entries query: \n${JSON.stringify(query.toJSON()).substring(0, 1000)}`);
-  const parentResults = await SSRContext.cachedSearch.searchUsingPost(query, Number(params.linkDepth || 0), params.projectId);
+  const parentResults = await ContensisDeliveryApi.cachedSearch.searchUsingPost(query, Number(params.linkDepth || 0), params.projectId);
   return mergeResults(results, Util.GetItems(parentResults), replaceContentTypeIds, parentFieldId);
 };
 
@@ -286,7 +296,7 @@ class QueryLevelResults {
       }
       if (runFirstQuery) {
         if (this.debug) console.log(`\nLevel ${this.level} - First query: \n${JSON.stringify(query.toJSON()).substring(0, 1000)}`);
-        this.firstResults = await SSRContext.cachedSearch.searchUsingPost(query, 0, params.projectId);
+        this.firstResults = await ContensisDeliveryApi.cachedSearch.searchUsingPost(query, 0, params.projectId);
 
         // mapResultsToValidatedLinks
         for (const linkFieldId of this.linkFieldIds) {
@@ -323,7 +333,7 @@ class QueryLevelResults {
       }
       if (runFinalQuery) {
         if (this.debug) console.log(`\nLevel ${this.level} - Final query: \n${JSON.stringify(query.toJSON()).substring(0, 1000)}`);
-        this.finalResults = await SSRContext.cachedSearch.searchUsingPost(query, Number(params.linkDepth) || 0, params.projectId);
+        this.finalResults = await ContensisDeliveryApi.cachedSearch.searchUsingPost(query, Number(params.linkDepth) || 0, params.projectId);
         if (this.parent) this.parent.runFinalQuery = true;
 
         // mapResultsToValidatedLinks
@@ -464,7 +474,7 @@ class LinkDepthSearchService {
           };
         })) || []);
         if (this.debug) console.log(`\nFinal query: ${derivedIds.reduce((accumulator, object) => accumulator + object.entryIds.length, 0)} derived ids \n${JSON.stringify(query.toJSON()).substring(0, 1000)}`);
-        const finalQueryResult = await SSRContext.cachedSearch.searchUsingPost(query, Number(params.linkDepth) || 0, params.projectId);
+        const finalQueryResult = await ContensisDeliveryApi.cachedSearch.searchUsingPost(query, Number(params.linkDepth) || 0, params.projectId);
 
         // Resolve any parent entries
 
@@ -591,7 +601,7 @@ const makeLinkDepthMiddleware = ({
     const linkDepthMiddleware = async (req, res) => {
       try {
         // Short cache duration copied from canterbury project
-        VersionInfo.setCachingHeaders(res, {
+        urls.setCachingHeaders(res, {
           cacheControl: 'private',
           surrogateControl: '10'
         });
@@ -627,42 +637,66 @@ const makeLinkDepthMiddleware = ({
   }
 };
 
+/**
+ * Development proxy for Subsite PoC
+ * Catch all routes before they hit CRB handlers
+ * and rewrite them to include the subsite base path,
+ * this allows us to run the subsite in a subfolder in development
+ * In production we will handle this with a path rewrite in the Cloud Dashboard site configuration,
+ * @param subsitePath the content base path we will rewrite to
+ * @param exceptions an array of path prefixes to ignore when rewriting, useful for ignoring assets that do not live in the subsite base path
+ */
+const subsiteDebugMiddleware = (subsitePath, exceptions = []) => (req, res, next) => {
+  if (!subsitePath || req.hostname !== 'localhost' || req.path.startsWith('/api/') || exceptions.some(exception => req.path.startsWith(exception))) return next();
+  if (!req.path.startsWith(`${subsitePath}/`)) {
+    console.warn(`[subsite-debug-middleware] Rewriting (${subsitePath})${req.url}`);
+    if (req.path === '/' || req.path === subsitePath) req.url = subsitePath;else req.url = `${subsitePath}${req.url}`;
+    res.setHeader('x-crb-subsite-content-path', req.url);
+
+    // Important to set the subsite_path header as this drives the subsite-scoped routing logic
+    req.headers['subsite_path'] = subsitePath;
+  }
+  next();
+};
+
 const servers$1 = SERVERS; /* global SERVERS */
 const project = PROJECT; /* global PROJECT */
 const alias$1 = ALIAS; /* global ALIAS */
-const deliveryApiHostname = VersionInfo.url(alias$1, project).api;
+const deliveryApiHostname = urls.urls(alias$1, project).api;
+const proxyTimeoutMs = 45_000;
 const assetProxy = httpProxy__default.default.createProxyServer();
 const deliveryProxy = httpProxy__default.default.createProxyServer();
 const reverseProxies = (app, reverseProxyPaths = []) => {
   deliveryApiProxy(deliveryProxy, app);
-  app.all(reverseProxyPaths, (req, res) => {
-    const target = req.hostname.indexOf('preview-') || req.hostname.indexOf('preview.') || req.hostname === 'localhost' ? servers$1.previewIis || servers$1.iis : servers$1.iis;
+  app.all(reverseProxyPaths.map(proxyPath =>
+  // Patch to update paths for express v5
+  proxyPath.endsWith('/*') ? `${proxyPath.slice(0, -2)}/{*splat}` : proxyPath.endsWith('/**') ? `${proxyPath.slice(0, -3)}/{*splat}` : proxyPath), (req, res) => {
+    const target = req.hostname.includes('preview-') || req.hostname.includes('preview.') || req.hostname === 'localhost' ? servers$1.previewIis || servers$1.iis : servers$1.iis;
     assetProxy.web(req, res, {
       target,
-      changeOrigin: true
-    });
-    assetProxy.on('error', e => {
-      /* eslint-disable no-console */
-      console.log(`Proxy Request for ${req.path} HostName:${req.hostname} failed with ${e}`);
-      /* eslint-enable no-console */
+      changeOrigin: true,
+      proxyTimeout: proxyTimeoutMs,
+      timeout: proxyTimeoutMs
     });
   });
+  assetProxy.on('error', (e, req) => {
+    console.log(`[assetProxy] "${req.method} ${req.url}" host: ${req.headers.host} failed with ${e}`);
+  });
 };
 const deliveryApiProxy = (apiProxy, app) => {
   // This is just here to stop cors requests on localhost. In Production this is mapped using varnish.
-  app.all(['/api/delivery/*', '/api/forms/*', '/api/image/*', '/authenticate/*'], (req, res) => {
-    /* eslint-disable no-console */
-    console.log(`Proxying api request to ${servers$1.alias}`);
+  app.all(['/api/delivery/{*splat}', '/api/forms/{*splat}', '/api/image/{*splat}', '/authenticate/{*splat}'], (req, res) => {
+    console.log(`[apiProxy] "${req.method} ${App.shorten(req.url)}" target: ${servers$1.alias}`);
     apiProxy.web(req, res, {
       target: deliveryApiHostname,
-      changeOrigin: true
-    });
-    apiProxy.on('error', e => {
-      /* eslint-disable no-console */
-      console.log(`Proxy request for ${req.path} HostName:${req.hostname} failed with ${e}`);
-      /* eslint-enable no-console */
+      changeOrigin: true,
+      proxyTimeout: proxyTimeoutMs,
+      timeout: proxyTimeoutMs
     });
   });
+  apiProxy.on('error', (e, req) => {
+    console.log(`[apiProxy] "${req.method} ${req.url}" host: ${req.headers.host} failed with ${e}`);
+  });
 };
 
 const CacheDuration = {
@@ -737,9 +771,8 @@ const resolveStartupMiddleware = ({
       if (maxage) res.set('Cache-Control', `public, max-age=${maxage}`);
       res.sendFile(startupFileLocation);
     } catch (sendFileError) {
-      // eslint-disable-next-line no-console
       console.log(`Unable to send file startup.js at '${startupFileLocation}'`, sendFileError);
-      next();
+      res.status(404).send();
     }
   } else {
     next();
@@ -747,8 +780,11 @@ const resolveStartupMiddleware = ({
 };
 
 // Serving static assets
+const {
+  path: appPath
+} = appRootPath__default.default;
 const staticAssets = (app, {
-  appRootPath: appRootPath$1 = appRootPath.path,
+  appRootPath = appPath,
   scripts = {},
   startupScriptFilename = 'startup.js',
   staticFolderPath = 'static',
@@ -756,20 +792,18 @@ const staticAssets = (app, {
   staticRoutePaths = []
 }) => {
   app.use([`/${staticRoutePath}`, ...staticRoutePaths.map(p => `/${p}`), `/${staticFolderPath}`], bundleManipulationMiddleware({
-    appRootPath: appRootPath$1,
+    appRootPath,
     // these maxage values are different in config but the same in runtime,
     // this one is the true value in seconds
     maxage: CacheDuration.static,
     staticFolderPath,
     staticRoutePath
   }), resolveStartupMiddleware({
-    appRootPath: appRootPath$1,
+    appRootPath,
     maxage: CacheDuration.static,
     startupScriptFilename: scripts.startup || startupScriptFilename,
     staticFolderPath
-  }),
-  // eslint-disable-next-line import/no-named-as-default-member
-  express__default.default.static(`dist/${staticFolderPath}`, {
+  }), express__default.default.static(`dist/${staticFolderPath}`, {
     // these maxage values are different in config but the same in runtime,
     // this one is somehow converted and should end up being the same as CacheDuration.static
     maxAge: CacheDuration.expressStatic
@@ -819,32 +853,59 @@ const handleResponse = (request, response, content, send = 'send') => {
  * @param response the express Response object
  * @param stream all chunks are piped to this stream to add additional style elements to each streamed chunk
  */
-const renderStream = (getContextHtml, jsx, response, stream) => {
-  let header = '';
-  let footer = '';
+const renderStream = (getContextHtml, jsx, request, response, stream) => {
+  // Store timeout reference for cleanup on normal or abnormal termination
+  let timeoutId = null;
+  const disposeTimeout = () => {
+    if (timeoutId) {
+      clearTimeout(timeoutId);
+      timeoutId = null;
+    }
+  };
+
+  // Only used for abnormal termination
+  const abortCleanup = err => {
+    disposeTimeout();
+    stream.destroy(err instanceof Error ? err : undefined);
+    abort();
+  };
+
+  // Guard against client disconnect
+  request.on('close', () => abortCleanup());
+
+  // Guard against transform errors
+  stream.on('error', err => {
+    abortCleanup(err);
+    if (!response.headersSent) response.destroy(err);
+  });
   const {
     abort,
     pipe
   } = server$1.renderToPipeableStream(jsx, {
     onShellReady() {
-      const html = getContextHtml();
+      const html = getContextHtml(false);
       if (!html) {
         // this means we have finished with the response already
-        abort();
+        abortCleanup();
       } else {
-        [header, footer] = html.split('{{APP}}');
+        const header = html.split('{{APP}}')[0];
         response.setHeader('content-type', 'text/html; charset=utf-8');
         stream.write(header);
         pipe(stream);
       }
     },
     onAllReady() {
+      const footer = getContextHtml(true).split('{{APP}}')[1];
       stream.write(footer);
+      disposeTimeout(); // Clear the timeout, let stream end naturally
     },
     onShellError(error) {
-      response.statusCode = 500;
-      response.setHeader('content-type', 'text/html; charset=utf-8');
-      response.send('<h1>Something went wrong</h1>');
+      abortCleanup(error); // Abnormal - destroy everything
+      if (!response.headersSent) {
+        response.statusCode = 500;
+        response.setHeader('content-type', 'text/html; charset=utf-8');
+        response.send('<h1>Something went wrong</h1>');
+      }
       console.error(`[renderToPipeableStream:onShellError]`, error);
     },
     onError(error) {
@@ -852,10 +913,13 @@ const renderStream = (getContextHtml, jsx, response, stream) => {
     }
   });
 
-  // Abandon and switch to client rendering if enough time passes.
+  // Abandon and switch to client rendering after 30s.
   // Try lowering this to see the client recover.
-  setTimeout(() => abort(), 30 * 1000);
-  stream === null || stream === void 0 || stream.pipe(response);
+  timeoutId = setTimeout(() => {
+    timeoutId = null;
+    abortCleanup();
+  }, 30_000);
+  stream.pipe(response);
 };
 
 /**
@@ -895,6 +959,23 @@ const styledComponentsStream = sheet => {
         this.push(styledCSS + renderedHtml);
       }
       callback();
+    },
+    destroy(err, callback) {
+      // Called on both stream.destroy() and natural end
+      // Stops the sheet intercepting styles & releases its references
+
+      // try/catch is required if sheet.seal() throws for any reason,
+      // callback(err) must still be called, as Node.js stream internals depend
+      // on it to complete teardown. Omitting it causes the stream to hang.
+      try {
+        sheet.seal();
+      } catch (sealErr) {
+        // Catch any errors from sealing the sheet, we MUST always call the
+        // callback to prevent hanging the stream
+
+        console.error('[styledComponentsStream] sheet.seal() failed - styles may leak:', sealErr);
+      }
+      callback(err);
     }
   });
   return readerWriter;
@@ -947,7 +1028,8 @@ const loadableChunkExtractors = () => {
         statsFile: path__default.default.resolve('dist/legacy/loadable-stats.json')
       });
     } catch (e) {
-      console.info('@loadable/server legacy ChunkExtractor not available');
+      // legacy bundling deprecated in v4
+      // console.info('@loadable/server legacy ChunkExtractor not available');
     }
     commonLoadableExtractor.addChunk = chunk => {
       var _modern, _legacy, _legacy2;
@@ -1055,6 +1137,7 @@ const unhandledExceptionHandler = (handleExceptions = handleDefaultEvents) => {
   }
 };
 
+const logPrefix = '[addHeaders]';
 const addStandardHeaders = (state, response, packagejson, groups) => {
   if (state) {
     try {
@@ -1068,14 +1151,14 @@ const addStandardHeaders = (state, response, packagejson, groups) => {
       // - add `any-update` header that will indiscriminately
       //   invalidate the SSR page cache when any content is updated
       const addAnyUpdateHeader = routingSurrogateKeys.length >= 2000 || response.statusCode >= 400 || anyApiError;
-      console.info(`[addStandardHeaders] ${addAnyUpdateHeader ? anyUpdateHeader : routingSurrogateKeys.length} surrogate keys for ${response.req.url}`);
+      console.info(`${logPrefix} ${addAnyUpdateHeader ? anyUpdateHeader : routingSurrogateKeys.length} surrogate keys for ${response.req.url}`);
       const surrogateKeys = addAnyUpdateHeader ? anyUpdateHeader : routingSurrogateKeys.join(' ');
       const surrogateKeyHeader = `${packagejson.name}-app ${surrogateKeys}`;
       response.setHeader('surrogate-key', surrogateKeyHeader);
       addVarnishAuthenticationHeaders(state, response, groups);
       response.setHeader('surrogate-control', `max-age=${getCacheDuration(response.statusCode)}`);
     } catch (e) {
-      console.info('[addStandardHeaders] Error adding headers', e.message);
+      console.info(`${logPrefix} Error adding headers`, e.message);
     }
   }
 };
@@ -1088,14 +1171,13 @@ const addVarnishAuthenticationHeaders = (state, response, groups = {}) => {
         globalGroups,
         allowedGroups
       } = groups;
-      // console.info(globalGroups, allowedGroups);
       let allGroups = Array.from(globalGroups && globalGroups[project] || {});
       if (stateEntry && selectors.getImmutableOrJS(stateEntry, ['authentication', 'isLoginRequired']) && allowedGroups && allowedGroups[project]) {
         allGroups = [...allGroups, ...allowedGroups[project]];
       }
       response.header('x-contensis-viewer-groups', allGroups.join('|'));
     } catch (e) {
-      console.info('Error adding authentication header', e);
+      console.info(`${logPrefix} Error adding authentication header`, e);
     }
   }
 };
@@ -1121,14 +1203,17 @@ const replaceHtml = ({
   let responseHTML = '';
   // Serve a blank HTML page with client scripts to load the app in the browser
   if (accessMethod.DYNAMIC) {
-    responseHTML = templateHTML.replace('{{TITLE}}', '').replace('{{SEO_CRITICAL_METADATA}}', '').replace('{{CRITICAL_CSS}}', '').replace('{{APP}}', '').replace('{{LOADABLE_CHUNKS}}', bundleTags).replace('{{REDUX_DATA}}', state);
+    responseHTML = templateHTML.replace('{{TITLE}}', '').replace('{{SEO_CRITICAL_METADATA}}', '').replace('{{CRITICAL_CSS}}', '').replace('{{APP}}', '')
+    // .replace('{{LOADABLE_CHUNKS}}', bundleTags)
+    .replace('{{REDUX_DATA}}', state);
   }
 
   // Page fragment served with client scripts and redux data that hydrate the app client side
   else if (accessMethod.FRAGMENT && !accessMethod.STATIC) {
     responseHTML = templateHTMLFragment.replace('{{TITLE}}', title).replace('{{SEO_CRITICAL_METADATA}}', metadata).replace('{{CRITICAL_CSS}}', minifyCssString__default.default(styleTags))
     //.replace('{{APP}}', html)
-    .replace('{{LOADABLE_CHUNKS}}', bundleTags).replace('{{REDUX_DATA}}', state);
+    // .replace('{{LOADABLE_CHUNKS}}', bundleTags)
+    .replace('{{REDUX_DATA}}', state);
   }
 
   // Full HTML page served statically
@@ -1142,7 +1227,8 @@ const replaceHtml = ({
   else if (!accessMethod.FRAGMENT && !accessMethod.STATIC) {
     responseHTML = templateHTML.replace('{{TITLE}}', title).replace('{{SEO_CRITICAL_METADATA}}', metadata).replace('{{CRITICAL_CSS}}', styleTags)
     //.replace('{{APP}}', html)
-    .replace('{{LOADABLE_CHUNKS}}', bundleTags).replace('{{REDUX_DATA}}', state);
+    // .replace('{{LOADABLE_CHUNKS}}', bundleTags)
+    .replace('{{REDUX_DATA}}', state);
   }
 
   // If react-helmet htmlAttributes are being used,
@@ -1151,7 +1237,12 @@ const replaceHtml = ({
   if (htmlAttributes) {
     responseHTML = responseHTML.replace(/<html?.+?>/, `<html ${htmlAttributes}>`);
   }
-  return html ? responseHTML.replace('{{APP}}', html) : responseHTML;
+  responseHTML = html ? responseHTML.replace('{{APP}}', html) : responseHTML;
+
+  // Only replace bundle tags at the very end when we have rendered and are
+  // streaming out the HTML "footer"
+  if (bundleTags) responseHTML = responseHTML.replace('{{LOADABLE_CHUNKS}}', bundleTags);
+  return responseHTML;
 };
 
 /**
@@ -1163,13 +1254,15 @@ const replaceHtml = ({
  */
 const ssrJsxProducer = (ReactApp, {
   providers,
-  props,
-  ssrAssets
+  props
+  // ssrAssets,
 }) => {
   var _providers$styledComp;
   // Recast ChunkExtractorManager to avoid TS error `Property 'children' does not exist on type...`
   const ChunkExtractor = server$2.ChunkExtractorManager;
-  const jsx = /*#__PURE__*/React__default.default.createElement(ChunkExtractor, {
+  const jsx = /*#__PURE__*/React__default.default.createElement(reactHelmetAsync.HelmetProvider, {
+    context: providers.helmet
+  }, /*#__PURE__*/React__default.default.createElement(ChunkExtractor, {
     extractor: providers.loadable.extractor
   }, /*#__PURE__*/React__default.default.createElement(reactCookie.CookiesProvider, {
     cookies: providers.cookies
@@ -1178,16 +1271,20 @@ const ssrJsxProducer = (ReactApp, {
   }, /*#__PURE__*/React__default.default.createElement(RouteLoader.HttpContext.Provider, {
     value: providers.httpContext
   }, /*#__PURE__*/React__default.default.createElement(server$3.StaticRouter, {
-    location: providers.router.url
+    location: providers.router.url,
+    future: {
+      v7_startTransition: true,
+      v7_relativeSplatPath: true
+    }
   }, /*#__PURE__*/React__default.default.createElement(SSRContext.SSRContextProvider, {
     accessMethod: providers.ssrContext.accessMethod,
     request: providers.ssrContext.request,
-    response: providers.ssrContext.response,
-    ssrAssets: ssrAssets
+    response: providers.ssrContext.response
+    // ssrAssets={ssrAssets}
   }, /*#__PURE__*/React__default.default.createElement(ReactApp, {
     routes: props.routes,
     withEvents: props.withEvents
-  })))))));
+  }))))))));
 
   // Wrap the JSX in a StyleSheetManager if a ServerStyleSheet is provided
   return !((_providers$styledComp = providers.styledComponents) !== null && _providers$styledComp !== void 0 && _providers$styledComp.sheet) ? jsx : providers.styledComponents.sheet.collectStyles(jsx);
@@ -1195,7 +1292,7 @@ const ssrJsxProducer = (ReactApp, {
 
 const webApp = (app, ReactApp, config) => {
   const {
-    stateType = 'immutable',
+    stateType = 'js',
     routes,
     withReducers,
     withSagas,
@@ -1209,8 +1306,12 @@ const webApp = (app, ReactApp, config) => {
     disableSsrRedux,
     enableSsrCookies,
     handleResponses,
-    handleExceptions = true
+    handleExceptions = true,
+    i18n
   } = config;
+
+  // process locales in static routes for i18n
+  const localeRoutes = App.createLocaleRoutes(routes);
   const staticRoutePath = config.staticRoutePath || staticFolderPath;
   let isRenderingJsxToString = config.renderToString || false;
   const bundleData = getBundleData(config, staticRoutePath);
@@ -1224,8 +1325,16 @@ const webApp = (app, ReactApp, config) => {
   if (handleExceptions !== false) unhandledExceptionHandler(handleExceptions); // Create `process.on` event handlers for unhandled exceptions (Node v15+)
 
   const versionInfo = getVersionInfo(staticFolderPath);
-  app.get('/*', cookiesMiddleware__default.default(), async (request, response) => {
-    const url = encodeURI(request.url);
+  app.get('/{*splat}', cookiesMiddleware__default.default(), async (request, response) => {
+    /*
+     * Do not inject url directly into HTML as it can lead to XSS attacks
+     * CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+     * CWE-96: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
+     * Removed URL encoding as it causes inconsistencies when routes contain encoded characters in SSR
+     * e.g. /search?category=sport%20and%20wellbeing becomes /search?category=sport%2520and%2520wellbeing
+     * // const url = encodeURI(request.url);
+     */
+    const url = request.url;
     const matchedStaticRoute = reactRouterDom.matchRoutes(routes.StaticRoutes, request.path);
     const isStaticRoute = matchedStaticRoute && matchedStaticRoute.length > 0;
     if (isStaticRoute) {
@@ -1260,30 +1369,27 @@ const webApp = (app, ReactApp, config) => {
     }), stateType);
 
     // dispatch any global and non-saga related actions before calling our JSX
-    const versionStatus = SSRContext.deliveryApi.getServerSideVersionStatus(request);
+    const versionStatus = ContensisDeliveryApi.deliveryApi.getServerSideVersionStatus(request);
 
     // In server-side blocks world, the hostname requested by the client resides in the x-orig-host header
     // Because of this, we prioritize x-orig-host when setting our hostname
     const hostname = request.headers['x-orig-host'] || request.hostname;
-    console.info(`Request for ${request.path} hostname: ${hostname} versionStatus: ${versionStatus}`);
+    const subsitePath = SSRContext.getSubsitePath(request);
+    const subsitePathScript = subsitePath ? `window.subsitePath = ${serialize__default.default(subsitePath)};` : '';
+    console.info(`[webApp] "${request.method} ${request.path}" hostname: ${hostname} versionStatus: ${versionStatus}`);
     store$1.dispatch(version.setVersionStatus(versionStatus));
     store$1.dispatch(version.setVersion(versionInfo.commitRef, versionInfo.buildNo));
     const project = App.pickProject(hostname, request.query);
     const groups = allowedGroups && allowedGroups[project];
     store$1.dispatch(selectors.setCurrentProject(project, groups, hostname));
+    if (i18n) {
+      store$1.dispatch(slice.actions.INIT_LOCALES({
+        locales: {},
+        routes: localeRoutes,
+        ...i18n
+      }));
+    }
     const loadableExtractor = loadableChunkExtractors();
-
-    // type ChunkExtractorManagerPropsForReact18 = ChunkExtractorManagerProps & {
-    //   children?: React.ReactNode;
-    // };
-
-    // // Recast ChunkExtractorManager to avoid TS error `Property 'children' does not exist on type...`
-    // const ChunkExtractor = ChunkExtractorManager as ClassType<
-    //   ChunkExtractorManagerPropsForReact18,
-    //   Component<ChunkExtractorManagerPropsForReact18>,
-    //   ComponentClass<ChunkExtractorManagerPropsForReact18>
-    // >;
-
     const ssrCookies = enableSsrCookies ?
     // these cookies are managed by the cookiesMiddleware and contain listeners
     // when cookies are read or written in ssr can be added to the `set-cookie` response header
@@ -1298,12 +1404,17 @@ const webApp = (app, ReactApp, config) => {
     // and read back any context props set by the ReactApp
     const context = {};
 
+    // Per-request helmet context object — populated by HelmetProvider during renderToString
+    // Using a fresh object per request ensures thread safety under concurrent SSR requests
+    const helmetContext = {};
+
     // Amalgamate all props for the various Providers we wrap the ReactApp with
     const jsxProviderProps = {
       loadable: {
         extractor: loadableExtractor.commonLoadableExtractor
       },
       cookies: ssrCookies,
+      helmet: helmetContext,
       redux: store$1,
       httpContext: context,
       router: {
@@ -1333,13 +1444,10 @@ const webApp = (app, ReactApp, config) => {
       // Dynamic doesn't need sagas
       // or styles, or any split component bundles
       // nor are we streaming responses
-      const isDynamicHints = `<script ${attributes}>window.versionStatus = "${versionStatus}"; window.isDynamic = true;</script>`;
+      const isDynamicHints = `<script ${attributes}>window.isDynamic = true; ${subsitePathScript}</script>`;
       const jsx = ssrJsxProducer(ReactApp, {
         providers: jsxProviderProps,
-        props: jsxReactAppProps,
-        ssrAssets: {
-          serializedState: isDynamicHints
-        }
+        props: jsxReactAppProps
       });
       server$1.renderToString(jsx);
 
@@ -1398,40 +1506,16 @@ const webApp = (app, ReactApp, config) => {
             return true;
           }
           if (!disableSsrRedux) {
-            // window.versionStatus is not strictly required here and is added to support cases
-            // where a consumer may not be using the contensisVersionStatus in redux and calling
-            // the `getClientSideVersionStatus()` method directly
-            serialisedReduxData = `<script ${attributes}>window.versionStatus = "${versionStatus}"; window.REDUX_DATA = ${serialisedReduxData}</script>`;
+            serialisedReduxData = `<script ${attributes}>${subsitePathScript} window.__USE_HYDRATE__ = true; window.REDUX_DATA = ${serialisedReduxData}</script>`;
           }
         }
 
         // Responses
-
-        const helmet = reactHelmet.Helmet.renderStatic();
-        reactHelmet.Helmet.rewind();
-        const htmlAttributes = helmet.htmlAttributes.toString();
-        let title = helmet.title.toString();
-        const metadata = helmet.meta.toString().concat(helmet.base.toString()).concat(helmet.link.toString()).concat(helmet.script.toString()).concat(helmet.noscript.toString());
         addStandardHeaders(reduxState, response, packagejson, {
           allowedGroups,
           globalGroups
         });
-
-        // After running rootSaga there should be an additional react-loadable
-        // code-split bundles for any page components as well as core app bundles
-        const bundleTags = getBundleTags(loadableExtractor, scripts, staticRoutePath);
         const sheet = new styled.ServerStyleSheet();
-        // Produce the ssr jsx one time so we can get any style tags to pass back in
-        ssrJsxProducer(ReactApp, {
-          providers: {
-            ...jsxProviderProps,
-            styledComponents: {
-              sheet
-            }
-          },
-          props: jsxReactAppProps
-        });
-        let styleTags = sheet.getStyleTags();
         const styledJsx = ssrJsxProducer(ReactApp, {
           providers: {
             ...jsxProviderProps,
@@ -1439,14 +1523,31 @@ const webApp = (app, ReactApp, config) => {
               sheet
             }
           },
-          props: jsxReactAppProps,
-          ssrAssets: {
-            bundleTags,
-            htmlAttributes,
-            metadata,
-            title
-          }
+          props: jsxReactAppProps
         });
+
+        // We have to call renderToString() in order for all components to have
+        // had chance to set the helmet metadata
+        const html = server$1.renderToString(styledJsx);
+        // Helmet.renderStatic() has to be called synchronously immediately after calling renderToString()
+        // as it is not thread-safe (or specifically scoped to only this request)
+        // TODO: deprecate `react-helmet`
+        const helmet = reactHelmet.Helmet.renderStatic();
+
+        // helmetContext is populated synchronously by HelmetProvider during renderToString()
+        // It is scoped per-request via the helmetContext object, making this thread-safe
+        // under concurrent SSR requests (unlike the previous Helmet.renderStatic() global singleton)
+        const {
+          helmet: helmetAsync
+        } = helmetContext;
+
+        // Because we have had to call renderToString() here to reliably gather all helmet metadata
+        // We could potentially call sheet.getStyleTags() here too and avoid piping a react-rendered
+        // stream to a second stream to inject styled-components CSS
+
+        const htmlAttributes = helmetAsync.htmlAttributes.toString() || helmet.htmlAttributes.toString();
+        let title = helmet.title.toString().includes('><') ? helmetAsync.title.toString() : helmet.title.toString();
+        const metadata = helmetAsync.meta.toString().concat(helmetAsync.base.toString()).concat(helmetAsync.priority.toString()).concat(helmetAsync.link.toString()).concat(helmetAsync.script.toString()).concat(helmetAsync.noscript.toString()).concat(helmet.meta.toString()).concat(helmet.base.toString()).concat(helmet.link.toString()).concat(helmet.script.toString()).concat(helmet.noscript.toString());
         try {
           /**
            * Loads all page assets into the provided templateHTML
@@ -1457,7 +1558,8 @@ const webApp = (app, ReactApp, config) => {
            * we render the page as STATIC or render nothing
            * if the context has requested a redirect
            * */
-          const getContextHtml = renderedJsx => {
+          const getContextHtml = (isFinal = false, styleTags, renderedJsxMarkup) => {
+            var _loadableExtractor$mo;
             if (context.url) {
               response.redirect(context.statusCode || 302, context.url);
               return '';
@@ -1471,13 +1573,19 @@ const webApp = (app, ReactApp, config) => {
 
             // Set response.status from React StaticRouter
             if (typeof context.statusCode === 'number') response.status(context.statusCode);
+            const bundleTags = isFinal ? getBundleTags(loadableExtractor, scripts, staticRoutePath) : '';
+
+            // Getting style tags generated by "CSS Modules" because they will be
+            // available to loadable stats if we have built parts of the app with CSS
+            // plugins that are not within styled-components
+            const styles = loadableExtractor === null || loadableExtractor === void 0 || (_loadableExtractor$mo = loadableExtractor.modern) === null || _loadableExtractor$mo === void 0 ? void 0 : _loadableExtractor$mo.getStyleTags();
             const html = replaceHtml({
               bundleTags,
-              html: renderedJsx,
+              html: renderedJsxMarkup,
               htmlAttributes,
               metadata,
               state: serialisedReduxData,
-              styleTags,
+              styleTags: `${styleTags || ''}${styles || ''}`,
               title,
               templateHTML,
               templateHTMLFragment,
@@ -1486,12 +1594,14 @@ const webApp = (app, ReactApp, config) => {
             return html;
           };
           if (isRenderingJsxToString) {
-            const html = server$1.renderToString(styledJsx);
-            styleTags = sheet.getStyleTags();
-            const responseHTML = getContextHtml(html);
+            // We have already (begrudgingly) rendered the JSX to a string above
+            // so we can get all of the Helmet metadata out from any rendered component
+            // const html = renderToString(styledJsx);
+            const styleTags = sheet.getStyleTags();
+            const responseHTML = getContextHtml(true, styleTags, html);
             responseHandler(request, response, responseHTML);
           } else {
-            renderStream(getContextHtml, styledJsx, response, styledComponentsStream(sheet));
+            renderStream(getContextHtml, styledJsx, request, response, styledComponentsStream(sheet));
           }
         } catch (err) {
           console.info(err.message);
@@ -1554,6 +1664,7 @@ var internalServer = {
 };
 
 exports.ReactApp = App.AppRoot;
+exports.DO_NOT_COMMIT_subsiteDebugMiddleware = subsiteDebugMiddleware;
 exports.default = internalServer;
 exports.linkDepthApi = makeLinkDepthApi;
 //# sourceMappingURL=contensis-react-base.js.map