create-brainerce-store 1.27.6 → 1.28.1

package/templates/nextjs/base/src/components/seo/product-json-ld.tsx

@@ -1,72 +1,88 @@
-import type { Product } from 'brainerce';
-import { getProductPriceInfo } from 'brainerce';
-
-interface ProductJsonLdProps {
-  product: Product;
-  url: string;
-  currency?: string;
-}
-
-export function ProductJsonLd({ product, url, currency = 'USD' }: ProductJsonLdProps) {
-  const priceInfo = getProductPriceInfo(product);
-  const imageUrl = product.images?.[0]?.url;
-  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL || '';
-
-  const productJsonLd = {
-    '@context': 'https://schema.org',
-    '@type': 'Product',
-    name: product.name,
-    description: product.description || product.name,
-    image: imageUrl,
-    url,
-    sku: product.sku || product.id,
-    offers: {
-      '@type': 'Offer',
-      price: priceInfo.price,
-      priceCurrency: currency,
-      availability:
-        product.inventory?.canPurchase !== false
-          ? 'https://schema.org/InStock'
-          : 'https://schema.org/OutOfStock',
-      url,
-    },
-  };
-
-  const breadcrumbJsonLd = {
-    '@context': 'https://schema.org',
-    '@type': 'BreadcrumbList',
-    itemListElement: [
-      {
-        '@type': 'ListItem',
-        position: 1,
-        name: 'Home',
-        item: baseUrl || '/',
-      },
-      {
-        '@type': 'ListItem',
-        position: 2,
-        name: 'Products',
-        item: `${baseUrl}/products`,
-      },
-      {
-        '@type': 'ListItem',
-        position: 3,
-        name: product.name,
-        item: url,
-      },
-    ],
-  };
-
-  return (
-    <>
-      <script
-        type="application/ld+json"
-        dangerouslySetInnerHTML={{ __html: JSON.stringify(productJsonLd) }}
-      />
-      <script
-        type="application/ld+json"
-        dangerouslySetInnerHTML={{ __html: JSON.stringify(breadcrumbJsonLd) }}
-      />
-    </>
-  );
-}
+import type { Product } from 'brainerce';
+import { getProductPriceInfo } from 'brainerce';
+import { getNonce } from '@/lib/nonce';
+
+interface ProductJsonLdProps {
+  product: Product;
+  url: string;
+  currency?: string;
+}
+
+export async function ProductJsonLd({ product, url, currency = 'USD' }: ProductJsonLdProps) {
+  const nonce = await getNonce();
+  const priceInfo = getProductPriceInfo(product);
+  const imageUrl = product.images?.[0]?.url;
+  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL || '';
+
+  const productJsonLd = {
+    '@context': 'https://schema.org',
+    '@type': 'Product',
+    name: product.name,
+    description: product.description || product.name,
+    image: imageUrl,
+    url,
+    sku: product.sku || product.id,
+    offers: {
+      '@type': 'Offer',
+      price: priceInfo.price,
+      priceCurrency: currency,
+      availability:
+        product.inventory?.canPurchase !== false
+          ? 'https://schema.org/InStock'
+          : 'https://schema.org/OutOfStock',
+      url,
+    },
+  };
+
+  const breadcrumbJsonLd = {
+    '@context': 'https://schema.org',
+    '@type': 'BreadcrumbList',
+    itemListElement: [
+      {
+        '@type': 'ListItem',
+        position: 1,
+        name: 'Home',
+        item: baseUrl || '/',
+      },
+      {
+        '@type': 'ListItem',
+        position: 2,
+        name: 'Products',
+        item: `${baseUrl}/products`,
+      },
+      {
+        '@type': 'ListItem',
+        position: 3,
+        name: product.name,
+        item: url,
+      },
+    ],
+  };
+
+  return (
+    <>
+      <script
+        type="application/ld+json"
+        nonce={nonce}
+        suppressHydrationWarning
+        dangerouslySetInnerHTML={{ __html: serializeJsonLd(productJsonLd) }}
+      />
+      <script
+        type="application/ld+json"
+        nonce={nonce}
+        suppressHydrationWarning
+        dangerouslySetInnerHTML={{ __html: serializeJsonLd(breadcrumbJsonLd) }}
+      />
+    </>
+  );
+}
+
+// Serialize a JSON-LD object for embedding in a <script> tag. Escapes
+// `<`, `>`, and `&` to \uXXXX so seller-controlled product fields cannot
+// break out of the script element with `</script>` or inject HTML.
+function serializeJsonLd(value: unknown): string {
+  return JSON.stringify(value)
+    .replace(/</g, '\\u003c')
+    .replace(/>/g, '\\u003e')
+    .replace(/&/g, '\\u0026');
+}

package/templates/nextjs/base/src/lib/csrf.ts

@@ -0,0 +1,11 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export const CSRF_HEADER = 'x-requested-with';
+export const CSRF_VALUE = 'brainerce';
+
+export function checkCsrf(request: NextRequest): NextResponse | null {
+  if (request.headers.get(CSRF_HEADER) !== CSRF_VALUE) {
+    return NextResponse.json({ error: 'CSRF validation failed' }, { status: 403 });
+  }
+  return null;
+}

package/templates/nextjs/base/src/lib/nonce.ts

@@ -0,0 +1,10 @@
+import { headers } from 'next/headers';
+
+/**
+ * Reads the per-request CSP nonce set by middleware.
+ * Use this in server components that render inline `<script>` tags so
+ * they comply with the strict CSP (no `unsafe-inline`).
+ */
+export async function getNonce(): Promise<string | undefined> {
+  return (await headers()).get('x-nonce') ?? undefined;
+}

package/templates/nextjs/base/src/lib/safe-redirect.ts

@@ -0,0 +1,45 @@
+const ALLOWED_PAYMENT_HOSTS: readonly string[] = [
+  'checkout.stripe.com',
+  'js.stripe.com',
+  'hooks.stripe.com',
+  'www.paypal.com',
+  'www.sandbox.paypal.com',
+  'secure.cardcom.solutions',
+  'meshulam.co.il',
+  'grow.link',
+  'grow.security',
+  'creditguard.co.il',
+];
+
+export function isAllowedPaymentUrl(url: string): boolean {
+  if (!url || typeof url !== 'string') return false;
+
+  let parsed: URL;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return false;
+  }
+
+  if (parsed.protocol !== 'https:') return false;
+
+  const hostname = parsed.hostname.toLowerCase();
+  return ALLOWED_PAYMENT_HOSTS.some((host) => hostname === host || hostname.endsWith('.' + host));
+}
+
+export function safePaymentRedirect(url: string): void {
+  if (!isAllowedPaymentUrl(url)) {
+    throw new Error('Payment redirect URL is not in the allowlist');
+  }
+  if (typeof window !== 'undefined') {
+    window.location.href = url;
+  }
+}
+
+// CUID format used by Prisma for Checkout.id — c + 24 lowercase alphanumeric chars.
+// Allow a small range to tolerate cuid2 (slightly different length).
+const CHECKOUT_ID_RE = /^c[a-z0-9]{20,30}$/;
+
+export function isValidCheckoutId(id: unknown): id is string {
+  return typeof id === 'string' && CHECKOUT_ID_RE.test(id);
+}

package/templates/nextjs/base/src/lib/sanitize-html.ts

@@ -0,0 +1,93 @@
+import DOMPurify from 'isomorphic-dompurify';
+
+const TRUSTED_IFRAME_PREFIXES = [
+  'https://www.youtube.com/embed/',
+  'https://www.youtube-nocookie.com/embed/',
+  'https://player.vimeo.com/video/',
+];
+
+let hooksRegistered = false;
+
+function registerHooksOnce() {
+  if (hooksRegistered) return;
+  hooksRegistered = true;
+
+  DOMPurify.addHook('uponSanitizeElement', (node, data) => {
+    if (data.tagName !== 'iframe') return;
+    const el = node as Element;
+    const src = el.getAttribute('src') || '';
+    const isTrusted = TRUSTED_IFRAME_PREFIXES.some((prefix) => src.startsWith(prefix));
+    if (!isTrusted) {
+      el.parentNode?.removeChild(el);
+    }
+  });
+
+  DOMPurify.addHook('afterSanitizeAttributes', (node) => {
+    if (!('tagName' in node)) return;
+    const el = node as Element;
+    if (el.tagName === 'A' && el.getAttribute('target') === '_blank') {
+      el.setAttribute('rel', 'noopener noreferrer nofollow');
+    }
+  });
+}
+
+export function sanitizeProductHtml(html: string): string {
+  if (!html) return '';
+  registerHooksOnce();
+
+  return DOMPurify.sanitize(html, {
+    ALLOWED_TAGS: [
+      'p',
+      'br',
+      'strong',
+      'b',
+      'em',
+      'i',
+      'u',
+      's',
+      'strike',
+      'h1',
+      'h2',
+      'h3',
+      'h4',
+      'h5',
+      'h6',
+      'ul',
+      'ol',
+      'li',
+      'a',
+      'blockquote',
+      'code',
+      'pre',
+      'div',
+      'span',
+      'img',
+      'table',
+      'thead',
+      'tbody',
+      'tr',
+      'th',
+      'td',
+      'colgroup',
+      'col',
+      'iframe',
+    ],
+    ALLOWED_ATTR: [
+      'href',
+      'target',
+      'rel',
+      'class',
+      'src',
+      'alt',
+      'width',
+      'height',
+      'colspan',
+      'rowspan',
+      'allow',
+      'allowfullscreen',
+      'frameborder',
+      'loading',
+    ],
+    ALLOW_DATA_ATTR: false,
+  });
+}

package/templates/nextjs/base/src/lib/validation.ts

@@ -0,0 +1,37 @@
+const EMAIL_REGEX =
+  /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+$/;
+
+export function isValidEmail(email: string): boolean {
+  if (!email || typeof email !== 'string') return false;
+  if (email.length > 254) return false;
+  return EMAIL_REGEX.test(email);
+}
+
+export type PasswordErrorCode =
+  | 'passwordRequired'
+  | 'passwordTooShort'
+  | 'passwordNoUppercase'
+  | 'passwordNoNumber'
+  | 'passwordNoSymbol';
+
+export function getPasswordError(password: string): PasswordErrorCode | null {
+  if (!password || typeof password !== 'string') return 'passwordRequired';
+  if (password.length < 8) return 'passwordTooShort';
+  if (!/[A-Z]/.test(password)) return 'passwordNoUppercase';
+  if (!/[0-9]/.test(password)) return 'passwordNoNumber';
+  if (!/[^A-Za-z0-9]/.test(password)) return 'passwordNoSymbol';
+  return null;
+}
+
+const PASSWORD_ERROR_MESSAGES: Record<PasswordErrorCode, string> = {
+  passwordRequired: 'Password is required',
+  passwordTooShort: 'Password must be at least 8 characters',
+  passwordNoUppercase: 'Password must contain at least one uppercase letter',
+  passwordNoNumber: 'Password must contain at least one number',
+  passwordNoSymbol: 'Password must contain at least one special character',
+};
+
+export function validatePassword(password: string): string | null {
+  const code = getPasswordError(password);
+  return code ? PASSWORD_ERROR_MESSAGES[code] : null;
+}

package/templates/nextjs/base/src/middleware.ts.ejs

@@ -11,6 +11,44 @@ function getLocaleFromPath(pathname: string): string | null {
   return supportedLocales.includes(segment) ? segment : null;
 }
 
+function generateNonce(): string {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  let binary = '';
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+
+function buildCsp(nonce: string): string {
+  const isDev = process.env.NODE_ENV === 'development';
+  // Next dev uses webpack's eval-source-map devtool, which requires 'unsafe-eval'
+  // to execute module code. Prod builds never eval, so this only loosens dev.
+  const scriptSrc = isDev
+    ? `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval'`
+    : `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`;
+  return [
+    "default-src 'self'",
+    scriptSrc,
+    "style-src 'self' 'unsafe-inline' https://cdn.meshulam.co.il",
+    "img-src 'self' data: blob: https:",
+    "font-src 'self' data:",
+    "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com",
+    "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
+    "worker-src 'self' blob:",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "object-src 'none'",
+    'upgrade-insecure-requests',
+  ].join('; ');
+}
+
+function applyCspHeaders(response: NextResponse, nonce: string): NextResponse {
+  response.headers.set('Content-Security-Policy', buildCsp(nonce));
+  response.headers.set('x-nonce', nonce);
+  return response;
+}
+
 export function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl;
 
@@ -23,13 +61,17 @@ export function middleware(request: NextRequest) {
     return NextResponse.next();
   }
 
+  const nonce = generateNonce();
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set('x-nonce', nonce);
+
   const pathnameLocale = getLocaleFromPath(pathname);
 
   // Redirect to default locale if no locale prefix
   if (!pathnameLocale) {
     const url = request.nextUrl.clone();
     url.pathname = `/${defaultLocale}${pathname}`;
-    return NextResponse.redirect(url);
+    return applyCspHeaders(NextResponse.redirect(url), nonce);
   }
 
   // Auth protection (with locale prefix)
@@ -39,14 +81,14 @@ export function middleware(request: NextRequest) {
     const token = request.cookies.get(TOKEN_COOKIE);
     if (!token?.value) {
       const loginUrl = new URL(`/${pathnameLocale}/login`, request.url);
-      return NextResponse.redirect(loginUrl);
+      return applyCspHeaders(NextResponse.redirect(loginUrl), nonce);
     }
   }
 
-  // Set locale header for server components
-  const response = NextResponse.next();
+  // Set locale header for server components + forward nonce
+  const response = NextResponse.next({ request: { headers: requestHeaders } });
   response.headers.set('x-locale', pathnameLocale);
-  return response;
+  return applyCspHeaders(response, nonce);
 }
 
 export const config = {
@@ -60,22 +102,75 @@ const TOKEN_COOKIE = 'brainerce_customer_token';
 /** Routes that require customer authentication */
 const PROTECTED_PATHS = ['/account'];
 
+function generateNonce(): string {
+  const bytes = new Uint8Array(16);
+  crypto.getRandomValues(bytes);
+  let binary = '';
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+
+function buildCsp(nonce: string): string {
+  const isDev = process.env.NODE_ENV === 'development';
+  // Next dev uses webpack's eval-source-map devtool, which requires 'unsafe-eval'
+  // to execute module code. Prod builds never eval, so this only loosens dev.
+  const scriptSrc = isDev
+    ? `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval'`
+    : `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`;
+  return [
+    "default-src 'self'",
+    scriptSrc,
+    "style-src 'self' 'unsafe-inline' https://cdn.meshulam.co.il",
+    "img-src 'self' data: blob: https:",
+    "font-src 'self' data:",
+    "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com",
+    "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
+    "worker-src 'self' blob:",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+    "object-src 'none'",
+    'upgrade-insecure-requests',
+  ].join('; ');
+}
+
+function applyCspHeaders(response: NextResponse, nonce: string): NextResponse {
+  response.headers.set('Content-Security-Policy', buildCsp(nonce));
+  response.headers.set('x-nonce', nonce);
+  return response;
+}
+
 export function middleware(request: NextRequest) {
   const { pathname } = request.nextUrl;
+
+  // Skip static files and API routes
+  if (
+    pathname.startsWith('/api/') ||
+    pathname.startsWith('/_next/') ||
+    pathname.includes('.')
+  ) {
+    return NextResponse.next();
+  }
+
+  const nonce = generateNonce();
+  const requestHeaders = new Headers(request.headers);
+  requestHeaders.set('x-nonce', nonce);
+
   const isProtected = PROTECTED_PATHS.some((p) => pathname.startsWith(p));
 
   if (isProtected) {
     const token = request.cookies.get(TOKEN_COOKIE);
     if (!token?.value) {
       const loginUrl = new URL('/login', request.url);
-      return NextResponse.redirect(loginUrl);
+      return applyCspHeaders(NextResponse.redirect(loginUrl), nonce);
     }
   }
 
-  return NextResponse.next();
+  const response = NextResponse.next({ request: { headers: requestHeaders } });
+  return applyCspHeaders(response, nonce);
 }
 
 export const config = {
-  matcher: ['/account/:path*'],
+  matcher: ['/((?!_next|api|.*\\..*).*)'],
 };
 <% } %>