create-brainerce-store 1.27.5 → 1.28.0

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "create-brainerce-store",
-      version: "1.27.5",
+      version: "1.28.0",
       description: "Scaffold a production-ready e-commerce storefront connected to Brainerce",
       bin: {
         "create-brainerce-store": "dist/index.js"
@@ -96,6 +96,9 @@ function validateConnectionId(id) {
   if (id.length < 6) {
     return "Connection ID is too short";
   }
+  if (id.length > 100) {
+    return "Connection ID is too long (max 100 characters)";
+  }
   if (!/^vc_[a-zA-Z0-9]+$/.test(id)) {
     return "Connection ID contains invalid characters";
   }
@@ -119,6 +122,23 @@ function validateProjectName(name) {
   }
   return null;
 }
+function validateApiUrl(url) {
+  if (!url) return null;
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return `Invalid --api-url "${url}": not a valid URL`;
+  }
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    return `Invalid --api-url "${url}": protocol must be http(s)`;
+  }
+  const isLocal = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname.endsWith(".localhost");
+  if (parsed.protocol === "http:" && !isLocal) {
+    return `Invalid --api-url "${url}": http:// is only allowed for localhost`;
+  }
+  return null;
+}
 
 // src/utils/package-manager.ts
 var import_child_process = require("child_process");
@@ -138,14 +158,17 @@ function detectPackageManager() {
   }
   return "npm";
 }
+var ALLOWED_PACKAGE_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
 async function installDependencies(projectDir, pkgManager) {
+  if (!ALLOWED_PACKAGE_MANAGERS.includes(pkgManager)) {
+    throw new Error(`Unsupported package manager: ${pkgManager}`);
+  }
   return new Promise((resolve, reject) => {
-    const { spawn } = require("child_process");
+    const cmd = process.platform === "win32" ? `${pkgManager}.cmd` : pkgManager;
     const args = pkgManager === "yarn" ? [] : ["install"];
-    const child = spawn(pkgManager, args, {
+    const child = (0, import_child_process.spawn)(cmd, args, {
       cwd: projectDir,
-      stdio: "ignore",
-      shell: true
+      stdio: "ignore"
     });
     child.on("close", (code) => {
       if (code === 0) {
@@ -267,6 +290,19 @@ var import_ejs = __toESM(require("ejs"));
 function getDirection(language) {
   return language === "he" ? "rtl" : "ltr";
 }
+function stripControlChars(value) {
+  return value.replace(/\p{Cc}/gu, "");
+}
+function toJsStringLiteral(value) {
+  return JSON.stringify(value);
+}
+function toEnvLiteral(value) {
+  const clean = stripControlChars(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\$/g, "\\$");
+  return `"${clean}"`;
+}
+function isValidLocale(locale) {
+  return typeof locale === "string" && /^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})?$/.test(locale);
+}
 function getFontConfig(language, theme) {
   const isHebrew = language === "he";
   if (theme === "luxury") {
@@ -312,20 +348,30 @@ async function scaffold(options) {
   const direction = getDirection(options.language);
   const fontConfig = getFontConfig(options.language, theme);
   const ogLocale = options.language === "he" ? "he_IL" : "en_US";
-  const isMultiLocale = options.i18n?.enabled === true && options.i18n.supportedLocales.length > 1;
-  const supportedLocales = options.i18n?.supportedLocales || [options.language];
-  const defaultLocale = options.i18n?.defaultLocale || options.language;
+  const rawSupportedLocales = options.i18n?.supportedLocales || [options.language];
+  const supportedLocales = rawSupportedLocales.filter(isValidLocale);
+  if (supportedLocales.length === 0) {
+    throw new Error("No valid locales provided");
+  }
+  const rawDefaultLocale = options.i18n?.defaultLocale || options.language;
+  const defaultLocale = isValidLocale(rawDefaultLocale) ? rawDefaultLocale : options.language;
+  const isMultiLocale = options.i18n?.enabled === true && supportedLocales.length > 1;
+  const cleanStoreName = stripControlChars(options.storeName);
+  const cleanCurrency = stripControlChars(options.currency);
+  const cleanApiBaseUrl = stripControlChars(options.apiBaseUrl || "https://api.brainerce.com");
   const templateVars = {
     projectName: options.projectName,
     connectionId: options.connectionId,
-    storeName: options.storeName,
-    currency: options.currency,
+    storeNameJs: toJsStringLiteral(cleanStoreName),
+    titleTemplateJs: toJsStringLiteral(`%s | ${cleanStoreName}`),
+    storeNameEnv: toEnvLiteral(cleanStoreName),
+    currencyEnv: toEnvLiteral(cleanCurrency),
+    apiBaseUrlEnv: toEnvLiteral(cleanApiBaseUrl),
     language: options.language,
     direction,
     fontImport: fontConfig.fontImport,
     fontVariable: fontConfig.fontVariable,
     ogLocale,
-    apiBaseUrl: options.apiBaseUrl || "https://api.brainerce.com",
     i18nEnabled: isMultiLocale,
     supportedLocales: JSON.stringify(supportedLocales),
     defaultLocale
@@ -355,20 +401,11 @@ async function scaffold(options) {
     const appDir = import_path.default.join(targetDir, "src", "app");
     const localeDir = import_path.default.join(appDir, "[locale]");
     await import_fs_extra.default.ensureDir(localeDir);
-    const keepInAppRoot = /* @__PURE__ */ new Set([
-      "globals.css",
-      "robots.ts",
-      "sitemap.ts",
-      "api",
-      ".well-known"
-    ]);
+    const keepInAppRoot = /* @__PURE__ */ new Set(["globals.css", "robots.ts", "sitemap.ts", "api", ".well-known"]);
     const appEntries = await import_fs_extra.default.readdir(appDir, { withFileTypes: true });
     for (const entry of appEntries) {
       if (keepInAppRoot.has(entry.name) || entry.name === "[locale]") continue;
-      await import_fs_extra.default.move(
-        import_path.default.join(appDir, entry.name),
-        import_path.default.join(localeDir, entry.name)
-      );
+      await import_fs_extra.default.move(import_path.default.join(appDir, entry.name), import_path.default.join(localeDir, entry.name));
     }
   }
   if (await import_fs_extra.default.pathExists(themeDir)) {
@@ -597,11 +634,47 @@ program.name("create-brainerce-store").description("Scaffold a production-ready
     }
     let connectionId = options.connectionId;
     const explicitApiUrl = (options.apiUrl || process.env.BRAINERCE_API_URL || "").replace(/\/$/, "");
+    const apiUrlError = validateApiUrl(explicitApiUrl);
+    if (apiUrlError) {
+      logger.error(apiUrlError);
+      process.exit(1);
+    }
+    if (explicitApiUrl && explicitApiUrl !== KNOWN_API_URLS.production && explicitApiUrl !== KNOWN_API_URLS.staging) {
+      logger.warn(
+        `Using non-standard API URL: ${explicitApiUrl} \u2014 make sure you trust this endpoint.`
+      );
+    }
     const candidateApiUrls = explicitApiUrl ? [explicitApiUrl] : [KNOWN_API_URLS.production, KNOWN_API_URLS.staging];
+    const VALID_LANGUAGES = ["en", "he"];
+    const VALID_PKG_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
+    const VALID_FRAMEWORKS = ["nextjs"];
+    const VALID_THEMES = ["minimal", "luxury", "playful"];
     let language = options.language;
+    if (language && !VALID_LANGUAGES.includes(language)) {
+      logger.error(
+        `Invalid --language "${language}". Expected one of: ${VALID_LANGUAGES.join(", ")}`
+      );
+      process.exit(1);
+    }
     let framework = options.framework;
+    if (!VALID_FRAMEWORKS.includes(framework)) {
+      logger.error(
+        `Invalid --framework "${framework}". Expected one of: ${VALID_FRAMEWORKS.join(", ")}`
+      );
+      process.exit(1);
+    }
     let theme = options.theme;
+    if (!VALID_THEMES.includes(theme)) {
+      logger.error(`Invalid --theme "${theme}". Expected one of: ${VALID_THEMES.join(", ")}`);
+      process.exit(1);
+    }
     let pkgManager = options.pkgManager;
+    if (pkgManager && !VALID_PKG_MANAGERS.includes(pkgManager)) {
+      logger.error(
+        `Invalid --pkg-manager "${pkgManager}". Expected one of: ${VALID_PKG_MANAGERS.join(", ")}`
+      );
+      process.exit(1);
+    }
     const skipGit = options.git === false;
     const skipInstall = options.install === false;
     let storeInfo = null;

package/messages/en.json

@@ -154,11 +154,13 @@
     "changePickup": "Change pickup",
     "changeShipping": "Change shipping",
     "payment": "Payment",
+    "securePayment": "Secure payment",
     "preparingPayment": "Preparing payment...",
     "loadingPaymentOptions": "Loading payment options...",
     "paymentNotConfigured": "Payment Not Configured",
     "paymentNotConfiguredDesc": "Payment has not been set up for this store yet. Please contact the store owner.",
     "paymentError": "Payment Error",
+    "paymentRedirectBlocked": "Payment redirect blocked for security reasons. Please contact support.",
     "sandboxTitle": "Sandbox Mode",
     "sandboxDescription": "This is a test order. No real payment will be processed.",
     "completeTestOrder": "Complete Test Order",
@@ -187,6 +189,10 @@
     "customFieldsFailed": "Failed to save selections",
     "customFieldsRequired": "Required",
     "customFieldsSelectPlaceholder": "— Select —",
+    "customFieldsImageUpload": "Click to upload an image",
+    "customFieldsImageRemove": "Remove",
+    "customFieldsImageUploading": "Uploading...",
+    "customFieldsImageTooLarge": "File must be under 5MB",
     "changeOptions": "Change options",
     "surcharges": "Additional charges"
   },
@@ -243,13 +249,18 @@
     "passwordPlaceholder": "Enter your password",
     "firstNamePlaceholder": "Jane",
     "lastNamePlaceholder": "Doe",
-    "atLeastChars": "At least 6 characters",
+    "atLeastChars": "At least 8 characters",
     "orContinueWith": "or continue with",
     "tooShort": "Too short",
     "weak": "Weak",
     "fair": "Fair",
     "good": "Good",
     "strong": "Strong",
+    "passwordRequired": "Password is required",
+    "passwordTooShort": "Password must be at least 8 characters",
+    "passwordNoUppercase": "Password must contain at least one uppercase letter",
+    "passwordNoNumber": "Password must contain at least one number",
+    "passwordNoSymbol": "Password must contain at least one special character",
     "google": "Google",
     "facebook": "Facebook",
     "github": "GitHub",

package/messages/he.json

@@ -154,11 +154,13 @@
     "changePickup": "שנה איסוף",
     "changeShipping": "שנה משלוח",
     "payment": "תשלום",
+    "securePayment": "תשלום מאובטח",
     "preparingPayment": "מכין תשלום...",
     "loadingPaymentOptions": "טוען אפשרויות תשלום...",
     "paymentNotConfigured": "תשלום לא מוגדר",
     "paymentNotConfiguredDesc": "התשלום עדיין לא הוגדר לחנות זו. אנא פנו לבעל החנות.",
     "paymentError": "שגיאת תשלום",
+    "paymentRedirectBlocked": "הפניית התשלום נחסמה מטעמי אבטחה. אנא פנו לתמיכה.",
     "sandboxTitle": "מצב בדיקה",
     "sandboxDescription": "זוהי הזמנת בדיקה. לא יבוצע תשלום אמיתי.",
     "completeTestOrder": "השלם הזמנת בדיקה",
@@ -187,6 +189,10 @@
     "customFieldsFailed": "שגיאה בשמירת הבחירות",
     "customFieldsRequired": "חובה",
     "customFieldsSelectPlaceholder": "— בחר —",
+    "customFieldsImageUpload": "לחץ להעלאת תמונה",
+    "customFieldsImageRemove": "הסר",
+    "customFieldsImageUploading": "...מעלה",
+    "customFieldsImageTooLarge": "הקובץ חייב להיות מתחת ל-5MB",
     "changeOptions": "שנה אפשרויות",
     "surcharges": "תוספות"
   },
@@ -243,13 +249,18 @@
     "passwordPlaceholder": "הזינו סיסמה",
     "firstNamePlaceholder": "ישראל",
     "lastNamePlaceholder": "ישראלי",
-    "atLeastChars": "לפחות 6 תווים",
+    "atLeastChars": "לפחות 8 תווים",
     "orContinueWith": "או המשיכו עם",
     "tooShort": "קצרה מדי",
     "weak": "חלשה",
     "fair": "סבירה",
     "good": "טובה",
     "strong": "חזקה",
+    "passwordRequired": "סיסמה נדרשת",
+    "passwordTooShort": "הסיסמה חייבת להכיל לפחות 8 תווים",
+    "passwordNoUppercase": "הסיסמה חייבת להכיל לפחות אות גדולה אחת",
+    "passwordNoNumber": "הסיסמה חייבת להכיל לפחות ספרה אחת",
+    "passwordNoSymbol": "הסיסמה חייבת להכיל לפחות סימן מיוחד אחד",
     "google": "Google",
     "facebook": "Facebook",
     "github": "GitHub",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-brainerce-store",
-  "version": "1.27.5",
+  "version": "1.28.0",
   "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
   "bin": {
     "create-brainerce-store": "dist/index.js"

package/templates/nextjs/base/.env.local.ejs

@@ -2,11 +2,11 @@
 NEXT_PUBLIC_BRAINERCE_CONNECTION_ID=<%= connectionId %>
 
 # Store info (pre-fetched during setup to avoid flash on first load)
-NEXT_PUBLIC_STORE_NAME=<%= storeName %>
-NEXT_PUBLIC_STORE_CURRENCY=<%= currency %>
+NEXT_PUBLIC_STORE_NAME=<%- storeNameEnv %>
+NEXT_PUBLIC_STORE_CURRENCY=<%- currencyEnv %>
 
 # Backend API URL (server-side only — used by BFF proxy and SSR, never exposed to browser)
-BRAINERCE_API_URL=<%= apiBaseUrl %>
+BRAINERCE_API_URL=<%- apiBaseUrlEnv %>
 
 # Public site URL — used for sitemap, robots.txt, and SEO metadata
 NEXT_PUBLIC_SITE_URL=http://localhost:3000

package/templates/nextjs/base/next.config.ts

@@ -2,7 +2,10 @@ import type { NextConfig } from 'next';
 
 const nextConfig: NextConfig = {
   images: {
-    remotePatterns: [{ protocol: 'https', hostname: '**' }],
+    remotePatterns: [
+      { protocol: 'https', hostname: 'cdn.brainerce.com' },
+      { protocol: 'https', hostname: '*.brainerce.com' },
+    ],
   },
   async headers() {
     return [
@@ -10,17 +13,15 @@ const nextConfig: NextConfig = {
         source: '/(.*)',
         headers: [
           {
-            key: 'Content-Security-Policy',
-            value: [
-              "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.meshulam.co.il https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://js.stripe.com https://pay.google.com",
-              "style-src 'self' 'unsafe-inline' https://cdn.meshulam.co.il",
-              "img-src 'self' data: blob: https:",
-              "font-src 'self' data:",
-              "frame-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions",
-              "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://google.com https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
-              "worker-src 'self' blob:",
-            ].join('; '),
+            key: 'Strict-Transport-Security',
+            value: 'max-age=63072000; includeSubDomains; preload',
+          },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
           },
         ],
       },

package/templates/nextjs/base/package.json.ejs

@@ -15,7 +15,8 @@
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "clsx": "^2.1.0",
-    "tailwind-merge": "^2.2.0"
+    "tailwind-merge": "^2.2.0",
+    "isomorphic-dompurify": "^3.8.0"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",

package/templates/nextjs/base/src/app/api/auth/logout/route.ts

@@ -1,14 +1,15 @@
-import { NextResponse } from 'next/server';
-
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-
-/**
- * Logout endpoint. Clears auth cookies.
- */
-export async function POST() {
-  const response = NextResponse.json({ success: true });
-  response.cookies.delete(TOKEN_COOKIE);
-  response.cookies.delete(LOGGED_IN_COOKIE);
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+import { checkCsrf } from '@/lib/csrf';
+
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+
+  const response = NextResponse.json({ success: true });
+  response.cookies.delete(TOKEN_COOKIE);
+  response.cookies.delete(LOGGED_IN_COOKIE);
+  return response;
+}

package/templates/nextjs/base/src/app/api/auth/oauth-callback/route.ts

@@ -1,59 +1,66 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
-
-function isSecure(): boolean {
-  return process.env.NODE_ENV === 'production';
-}
-
-/**
- * OAuth callback handler.
- * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
- * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
- */
-export async function GET(request: NextRequest) {
-  const { searchParams } = request.nextUrl;
-  const token = searchParams.get('token');
-  const oauthSuccess = searchParams.get('oauth_success');
-  const oauthError = searchParams.get('oauth_error');
-
-  // Build redirect URL to client-side callback page
-  const redirectUrl = new URL('/auth/callback', request.url);
-
-  if (oauthError) {
-    redirectUrl.searchParams.set('oauth_error', oauthError);
-    return NextResponse.redirect(redirectUrl);
-  }
-
-  if (oauthSuccess === 'true' && token) {
-    redirectUrl.searchParams.set('oauth_success', 'true');
-
-    const response = NextResponse.redirect(redirectUrl);
-
-    // Set httpOnly cookie with the token
-    response.cookies.set(TOKEN_COOKIE, token, {
-      httpOnly: true,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
-
-    // Set indicator cookie (readable by client JS)
-    response.cookies.set(LOGGED_IN_COOKIE, '1', {
-      httpOnly: false,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
-
-    return response;
-  }
-
-  // Fallback: no token or success flag
-  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
-  return NextResponse.redirect(redirectUrl);
-}
+import { NextRequest, NextResponse } from 'next/server';
+
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
+
+function isSecure(): boolean {
+  return process.env.NODE_ENV === 'production';
+}
+
+/**
+ * OAuth callback handler.
+ * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
+ * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
+ */
+export async function GET(request: NextRequest) {
+  const { searchParams } = request.nextUrl;
+  const token = searchParams.get('token');
+  const oauthSuccess = searchParams.get('oauth_success');
+  const oauthError = searchParams.get('oauth_error');
+
+  // Build redirect URL to client-side callback page
+  const redirectUrl = new URL('/auth/callback', request.url);
+
+  if (oauthError) {
+    redirectUrl.searchParams.set('oauth_error', oauthError);
+    const response = NextResponse.redirect(redirectUrl);
+    response.headers.set('Referrer-Policy', 'no-referrer');
+    return response;
+  }
+
+  if (oauthSuccess === 'true' && token) {
+    redirectUrl.searchParams.set('oauth_success', 'true');
+
+    const response = NextResponse.redirect(redirectUrl);
+
+    // Set httpOnly cookie with the token
+    response.cookies.set(TOKEN_COOKIE, token, {
+      httpOnly: true,
+      secure: isSecure(),
+      sameSite: 'lax',
+      path: '/',
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // Set indicator cookie (readable by client JS)
+    response.cookies.set(LOGGED_IN_COOKIE, '1', {
+      httpOnly: false,
+      secure: isSecure(),
+      sameSite: 'lax',
+      path: '/',
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // Prevent token leaking via Referer header on the downstream navigation
+    response.headers.set('Referrer-Policy', 'no-referrer');
+
+    return response;
+  }
+
+  // Fallback: no token or success flag
+  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
+  const response = NextResponse.redirect(redirectUrl);
+  response.headers.set('Referrer-Policy', 'no-referrer');
+  return response;
+}