npm - create-brainerce-store - Versions diffs - 1.27.5 → 1.28.0 - Mend

create-brainerce-store 1.27.5 → 1.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/dist/index.js +95 -22
package/messages/en.json +12 -1
package/messages/he.json +12 -1
package/package.json +1 -1
package/templates/nextjs/base/.env.local.ejs +3 -3
package/templates/nextjs/base/next.config.ts +13 -12
package/templates/nextjs/base/package.json.ejs +2 -1
package/templates/nextjs/base/src/app/api/auth/logout/route.ts +15 -14
package/templates/nextjs/base/src/app/api/auth/oauth-callback/route.ts +66 -59
package/templates/nextjs/base/src/app/api/auth/reset-password/route.ts +76 -77
package/templates/nextjs/base/src/app/api/store/[...path]/route.ts +229 -198
package/templates/nextjs/base/src/app/checkout/page.tsx +975 -972
package/templates/nextjs/base/src/app/layout.tsx.ejs +29 -13
package/templates/nextjs/base/src/app/order-confirmation/page.tsx +271 -271
package/templates/nextjs/base/src/app/payment-complete/page.tsx +59 -59
package/templates/nextjs/base/src/app/products/[slug]/product-client-section.tsx +501 -486
package/templates/nextjs/base/src/app/products/page.tsx +475 -475
package/templates/nextjs/base/src/app/reset-password/page.tsx +138 -131
package/templates/nextjs/base/src/components/auth/register-form.tsx +245 -232
package/templates/nextjs/base/src/components/checkout/checkout-form.tsx +416 -415
package/templates/nextjs/base/src/components/checkout/custom-fields-step.tsx +258 -184
package/templates/nextjs/base/src/components/checkout/payment-step.tsx +84 -20
package/templates/nextjs/base/src/components/seo/product-json-ld.tsx +86 -72
package/templates/nextjs/base/src/lib/csrf.ts +11 -0
package/templates/nextjs/base/src/lib/navigation.tsx.ejs +60 -60
package/templates/nextjs/base/src/lib/nonce.ts +10 -0
package/templates/nextjs/base/src/lib/safe-redirect.ts +45 -0
package/templates/nextjs/base/src/lib/sanitize-html.ts +93 -0
package/templates/nextjs/base/src/lib/validation.ts +37 -0
package/templates/nextjs/base/src/middleware.ts.ejs +91 -8
package/templates/nextjs/base/tsconfig.tsbuildinfo +1 -0
package/templates/nextjs/themes/luxury/globals.css +399 -399
package/templates/nextjs/themes/luxury/theme.json +23 -23
package/templates/nextjs/themes/playful/globals.css +400 -400
package/templates/nextjs/themes/playful/theme.json +23 -23

package/templates/nextjs/base/src/app/api/auth/reset-password/route.ts CHANGED Viewed

@@ -1,77 +1,76 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { cookies, headers } from 'next/headers';
-const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
-  /\/$/,
-  ''
-);
-const CONNECTION_ID = process.env.NEXT_PUBLIC_BRAINERCE_CONNECTION_ID || '';
-const RESET_TOKEN_COOKIE = 'brainerce_reset_token';
-const CSRF_HEADER = 'x-requested-with';
-const CSRF_VALUE = 'brainerce';
-/**
- * BFF endpoint for password reset.
- * Reads the reset token from the httpOnly cookie (set by /api/auth/reset-callback)
- * and proxies the request to the backend. The token never touches client JS.
- */
-export async function POST(request: NextRequest) {
-  // CSRF check
-  const csrfHeader = request.headers.get(CSRF_HEADER);
-  if (csrfHeader !== CSRF_VALUE) {
-    return NextResponse.json({ error: 'CSRF validation failed' }, { status: 403 });
-  }
-  // Read reset token from httpOnly cookie
-  const cookieStore = await cookies();
-  const resetTokenCookie = cookieStore.get(RESET_TOKEN_COOKIE);
-  if (!resetTokenCookie?.value) {
-    return NextResponse.json(
-      { error: 'No reset token found. Please request a new password reset link.' },
-      { status: 400 }
-    );
-  }
-  // Parse request body
-  const body = await request.json();
-  const { newPassword } = body;
-  if (!newPassword) {
-    return NextResponse.json({ error: 'New password is required' }, { status: 400 });
-  }
-  // Derive Origin from the incoming request so the backend's BrowserOriginGuard accepts it
-  const requestHeaders = await headers();
-  const host = requestHeaders.get('host') || 'localhost:3000';
-  const proto = requestHeaders.get('x-forwarded-proto') || 'http';
-  const origin = requestHeaders.get('origin') || `${proto}://${host}`;
-  // Proxy to backend
-  const backendUrl = `${BACKEND_URL}/api/vc/${CONNECTION_ID}/customers/reset-password`;
-  const backendResponse = await fetch(backendUrl, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      Origin: origin,
-    },
-    body: JSON.stringify({
-      token: resetTokenCookie.value,
-      newPassword,
-    }),
-  });
-  const data = await backendResponse.json();
-  const response = NextResponse.json(data, {
-    status: backendResponse.status,
-  });
-  // Always clear the reset token cookie after use (success or failure)
-  response.cookies.delete(RESET_TOKEN_COOKIE);
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { validatePassword } from '@/lib/validation';
+import { checkCsrf } from '@/lib/csrf';
+const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
+  /\/$/,
+  ''
+);
+const CONNECTION_ID = process.env.NEXT_PUBLIC_BRAINERCE_CONNECTION_ID || '';
+const RESET_TOKEN_COOKIE = 'brainerce_reset_token';
+/**
+ * BFF endpoint for password reset.
+ * Reads the reset token from the httpOnly cookie (set by /api/auth/reset-callback)
+ * and proxies the request to the backend. The token never touches client JS.
+ */
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+  // Read reset token from httpOnly cookie
+  const cookieStore = await cookies();
+  const resetTokenCookie = cookieStore.get(RESET_TOKEN_COOKIE);
+  if (!resetTokenCookie?.value) {
+    return NextResponse.json(
+      { error: 'No reset token found. Please request a new password reset link.' },
+      { status: 400 }
+    );
+  }
+  // Parse request body
+  const body = await request.json();
+  const { newPassword } = body;
+  const passwordError = validatePassword(newPassword);
+  if (passwordError) {
+    return NextResponse.json({ error: passwordError }, { status: 400 });
+  }
+  // Proxy to backend
+  const backendUrl = `${BACKEND_URL}/api/vc/${CONNECTION_ID}/customers/reset-password`;
+  const backendResponse = await fetch(backendUrl, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Origin: request.nextUrl.origin,
+    },
+    body: JSON.stringify({
+      token: resetTokenCookie.value,
+      newPassword,
+    }),
+  });
+  let data: unknown;
+  try {
+    data = await backendResponse.json();
+  } catch {
+    const response = NextResponse.json({ error: 'Invalid response from backend' }, { status: 502 });
+    response.cookies.delete(RESET_TOKEN_COOKIE);
+    return response;
+  }
+  const response = NextResponse.json(data, {
+    status: backendResponse.status,
+  });
+  // Always clear the reset token cookie after use (success or failure)
+  response.cookies.delete(RESET_TOKEN_COOKIE);
+  return response;
+}

package/templates/nextjs/base/src/app/api/store/[...path]/route.ts CHANGED Viewed

@@ -1,198 +1,229 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
-  /\/$/,
-  ''
-);
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-const CSRF_HEADER = 'x-requested-with';
-const CSRF_VALUE = 'brainerce';
-const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
-/** Auth endpoints whose responses contain tokens to intercept */
-const AUTH_ENDPOINTS = ['customers/login', 'customers/register', 'customers/verify-email'];
-function isAuthEndpoint(path: string): boolean {
-  return AUTH_ENDPOINTS.some((ep) => path.endsWith(ep));
-}
-function isSecure(): boolean {
-  return process.env.NODE_ENV === 'production';
-}
-function setAuthCookies(response: NextResponse, token: string): void {
-  response.cookies.set(TOKEN_COOKIE, token, {
-    httpOnly: true,
-    secure: isSecure(),
-    sameSite: 'lax',
-    path: '/',
-    maxAge: COOKIE_MAX_AGE,
-  });
-  response.cookies.set(LOGGED_IN_COOKIE, '1', {
-    httpOnly: false,
-    secure: isSecure(),
-    sameSite: 'lax',
-    path: '/',
-    maxAge: COOKIE_MAX_AGE,
-  });
-}
-function clearAuthCookies(response: NextResponse): void {
-  response.cookies.delete(TOKEN_COOKIE);
-  response.cookies.delete(LOGGED_IN_COOKIE);
-}
-async function proxyRequest(
-  request: NextRequest,
-  params: { path: string[] }
-): Promise<NextResponse> {
-  const method = request.method;
-  // CSRF protection for mutating requests
-  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
-    const csrfHeader = request.headers.get(CSRF_HEADER);
-    if (csrfHeader !== CSRF_VALUE) {
-      return NextResponse.json({ error: 'CSRF validation failed' }, { status: 403 });
-    }
-  }
-  // Build backend URL from path segments
-  const pathSegments = params.path.join('/');
-  const backendUrl = new URL(`${BACKEND_URL}/${pathSegments}`);
-  // Forward query parameters
-  request.nextUrl.searchParams.forEach((value, key) => {
-    backendUrl.searchParams.set(key, value);
-  });
-  // Build headers for backend request
-  const headers: Record<string, string> = {
-    'Content-Type': 'application/json',
-  };
-  // Forward Origin/Referer so backend BrowserOriginGuard accepts proxied requests
-  // Always send Origin — same-origin GET requests may not include it, but the backend
-  // uses its presence to distinguish fetch() calls from direct browser navigation
-  const origin = request.headers.get('origin') || request.nextUrl.origin;
-  const referer = request.headers.get('referer');
-  headers['Origin'] = origin;
-  if (referer) headers['Referer'] = referer;
-  // Forward SDK version header if present
-  const sdkVersion = request.headers.get('x-sdk-version');
-  if (sdkVersion) {
-    headers['X-SDK-Version'] = sdkVersion;
-  }
-  // Add auth token from httpOnly cookie
-  const cookieStore = await cookies();
-  const tokenCookie = cookieStore.get(TOKEN_COOKIE);
-  if (tokenCookie?.value) {
-    headers['Authorization'] = `Bearer ${tokenCookie.value}`;
-  }
-  // Forward request body for non-GET requests
-  let body: string | undefined;
-  if (method !== 'GET' && method !== 'HEAD') {
-    try {
-      body = await request.text();
-    } catch {
-      // No body
-    }
-  }
-  // Proxy the request to backend
-  let backendResponse: Response;
-  try {
-    backendResponse = await fetch(backendUrl.toString(), {
-      method,
-      headers,
-      body,
-    });
-  } catch (error) {
-    return NextResponse.json({ error: 'Backend service unavailable' }, { status: 502 });
-  }
-  // Read response body
-  const responseText = await backendResponse.text();
-  // For auth endpoints: intercept token, set cookie, strip token from response
-  if (backendResponse.ok && method === 'POST' && isAuthEndpoint(pathSegments)) {
-    try {
-      const data = JSON.parse(responseText);
-      if (data.token) {
-        const token = data.token;
-        // Strip token from client response
-        const { token: _stripped, ...safeData } = data;
-        const response = NextResponse.json(safeData, {
-          status: backendResponse.status,
-        });
-        setAuthCookies(response, token);
-        return response;
-      }
-    } catch {
-      // Not JSON or no token field — pass through
-    }
-  }
-  // Handle 401 responses: clear auth cookies
-  if (backendResponse.status === 401 && tokenCookie?.value) {
-    const response = new NextResponse(responseText, {
-      status: backendResponse.status,
-      headers: {
-        'Content-Type': backendResponse.headers.get('Content-Type') || 'application/json',
-      },
-    });
-    clearAuthCookies(response);
-    return response;
-  }
-  // Pass through response as-is
-  return new NextResponse(responseText, {
-    status: backendResponse.status,
-    headers: {
-      'Content-Type': backendResponse.headers.get('Content-Type') || 'application/json',
-    },
-  });
-}
-export async function GET(
-  request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
-) {
-  return proxyRequest(request, await params);
-}
-export async function POST(
-  request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
-) {
-  return proxyRequest(request, await params);
-}
-export async function PUT(
-  request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
-) {
-  return proxyRequest(request, await params);
-}
-export async function PATCH(
-  request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
-) {
-  return proxyRequest(request, await params);
-}
-export async function DELETE(
-  request: NextRequest,
-  { params }: { params: Promise<{ path: string[] }> }
-) {
-  return proxyRequest(request, await params);
-}
+// SECURITY: This BFF proxy intentionally has no application-level rate limiting.
+// Rate limiting is the deployer's responsibility — configure it at the platform
+// edge (Vercel Firewall, Cloudflare, nginx) or add a Redis-backed limiter
+// (e.g. @upstash/ratelimit) here before going to production. Auth endpoints
+// like customers/login and customers/register are the most important to cover.
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { checkCsrf } from '@/lib/csrf';
+const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
+  /\/$/,
+  ''
+);
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
+const BACKEND_TIMEOUT_MS = 15_000;
+/** Auth endpoints whose responses contain tokens to intercept */
+const AUTH_ENDPOINTS = ['customers/login', 'customers/register', 'customers/verify-email'];
+function isAuthEndpoint(path: string): boolean {
+  return AUTH_ENDPOINTS.some((ep) => path.endsWith(ep));
+}
+function isSafePathSegment(segment: string): boolean {
+  if (!segment) return false;
+  if (segment === '.' || segment === '..') return false;
+  if (segment.includes('/') || segment.includes('\\')) return false;
+  if (segment.includes('\0')) return false;
+  return true;
+}
+function isSecure(): boolean {
+  return process.env.NODE_ENV === 'production';
+}
+function setAuthCookies(response: NextResponse, token: string): void {
+  response.cookies.set(TOKEN_COOKIE, token, {
+    httpOnly: true,
+    secure: isSecure(),
+    sameSite: 'lax',
+    path: '/',
+    maxAge: COOKIE_MAX_AGE,
+  });
+  response.cookies.set(LOGGED_IN_COOKIE, '1', {
+    httpOnly: false,
+    secure: isSecure(),
+    sameSite: 'lax',
+    path: '/',
+    maxAge: COOKIE_MAX_AGE,
+  });
+}
+function clearAuthCookies(response: NextResponse): void {
+  response.cookies.delete(TOKEN_COOKIE);
+  response.cookies.delete(LOGGED_IN_COOKIE);
+}
+async function proxyRequest(
+  request: NextRequest,
+  params: { path: string[] }
+): Promise<NextResponse> {
+  const method = request.method;
+  // Reject path-traversal attempts before constructing the backend URL
+  if (!params.path.every(isSafePathSegment)) {
+    return NextResponse.json({ error: 'Invalid path' }, { status: 400 });
+  }
+  // CSRF protection for mutating requests
+  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+    const csrfError = checkCsrf(request);
+    if (csrfError) return csrfError;
+  }
+  // Build backend URL from path segments
+  const pathSegments = params.path.join('/');
+  const backendUrl = new URL(`${BACKEND_URL}/${pathSegments}`);
+  // Forward query parameters
+  request.nextUrl.searchParams.forEach((value, key) => {
+    backendUrl.searchParams.set(key, value);
+  });
+  // Build headers for backend request
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+  // Send the proxy's own origin (not the client-supplied Origin header).
+  // The backend's BrowserOriginGuard only checks for presence of Origin/Referer,
+  // so forwarding a client-controlled value adds spoofing surface for nothing.
+  headers['Origin'] = request.nextUrl.origin;
+  // Forward SDK version header if present
+  const sdkVersion = request.headers.get('x-sdk-version');
+  if (sdkVersion) {
+    headers['X-SDK-Version'] = sdkVersion;
+  }
+  // Add auth token from httpOnly cookie
+  const cookieStore = await cookies();
+  const tokenCookie = cookieStore.get(TOKEN_COOKIE);
+  if (tokenCookie?.value) {
+    headers['Authorization'] = `Bearer ${tokenCookie.value}`;
+  }
+  // Forward request body for non-GET requests
+  let body: string | undefined;
+  if (method !== 'GET' && method !== 'HEAD') {
+    try {
+      body = await request.text();
+    } catch {
+      // No body
+    }
+  }
+  // Proxy the request to backend
+  let backendResponse: Response;
+  const abortController = new AbortController();
+  const timeoutId = setTimeout(() => abortController.abort(), BACKEND_TIMEOUT_MS);
+  try {
+    backendResponse = await fetch(backendUrl.toString(), {
+      method,
+      headers,
+      body,
+      signal: abortController.signal,
+    });
+  } catch (error) {
+    const isTimeout = (error as Error)?.name === 'AbortError';
+    return NextResponse.json(
+      { error: isTimeout ? 'Backend request timed out' : 'Backend service unavailable' },
+      { status: isTimeout ? 504 : 502 }
+    );
+  } finally {
+    clearTimeout(timeoutId);
+  }
+  // Read response body
+  const responseText = await backendResponse.text();
+  // For auth endpoints: intercept token, set cookie, strip token from response
+  if (backendResponse.ok && method === 'POST' && isAuthEndpoint(pathSegments)) {
+    try {
+      const data = JSON.parse(responseText);
+      if (data.token) {
+        const token = data.token;
+        // Strip token from client response
+        const { token: _stripped, ...safeData } = data;
+        const response = NextResponse.json(safeData, {
+          status: backendResponse.status,
+        });
+        setAuthCookies(response, token);
+        return response;
+      }
+    } catch {
+      // Not JSON or no token field — pass through
+    }
+  }
+  // Handle 401 responses: clear auth cookies
+  if (backendResponse.status === 401 && tokenCookie?.value) {
+    const response = new NextResponse(responseText, {
+      status: backendResponse.status,
+      headers: {
+        'Content-Type': backendResponse.headers.get('Content-Type') || 'application/json',
+      },
+    });
+    clearAuthCookies(response);
+    return response;
+  }
+  // Sanitize 5xx responses so backend internals don't leak to the client
+  if (backendResponse.status >= 500) {
+    console.error(`[proxy] backend ${backendResponse.status} on ${pathSegments}:`, responseText);
+    return NextResponse.json(
+      { error: 'Backend service error' },
+      { status: backendResponse.status }
+    );
+  }
+  // Pass through response as-is
+  return new NextResponse(responseText, {
+    status: backendResponse.status,
+    headers: {
+      'Content-Type': backendResponse.headers.get('Content-Type') || 'application/json',
+    },
+  });
+}
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path: string[] }> }
+) {
+  return proxyRequest(request, await params);
+}
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path: string[] }> }
+) {
+  return proxyRequest(request, await params);
+}
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path: string[] }> }
+) {
+  return proxyRequest(request, await params);
+}
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: Promise<{ path: string[] }> }
+) {
+  return proxyRequest(request, await params);
+}
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path: string[] }> }
+) {
+  return proxyRequest(request, await params);
+}