create-brainerce-store 1.27.6 → 1.28.1

package/package.json

@@ -1,46 +1,46 @@
-{
-  "name": "create-brainerce-store",
-  "version": "1.27.6",
-  "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
-  "bin": {
-    "create-brainerce-store": "dist/index.js"
-  },
-  "files": [
-    "dist",
-    "templates",
-    "messages"
-  ],
-  "scripts": {
-    "build": "tsup src/index.ts --format cjs --dts --clean",
-    "dev": "tsup src/index.ts --format cjs --dts --watch",
-    "clean": "rimraf dist",
-    "prepublishOnly": "npm run build"
-  },
-  "dependencies": {
-    "chalk": "^4.1.2",
-    "commander": "^12.1.0",
-    "ejs": "^3.1.10",
-    "fs-extra": "^11.2.0",
-    "ora": "^5.4.1",
-    "prompts": "^2.4.2"
-  },
-  "devDependencies": {
-    "@types/ejs": "^3.1.5",
-    "@types/fs-extra": "^11.0.4",
-    "@types/prompts": "^2.4.9",
-    "tsup": "^8.0.0",
-    "typescript": "^5.4.0"
-  },
-  "engines": {
-    "node": ">=18"
-  },
-  "keywords": [
-    "brainerce",
-    "ecommerce",
-    "storefront",
-    "scaffold",
-    "create",
-    "nextjs"
-  ],
-  "license": "MIT"
-}
+{
+  "name": "create-brainerce-store",
+  "version": "1.28.1",
+  "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
+  "bin": {
+    "create-brainerce-store": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "messages"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs --dts --clean",
+    "dev": "tsup src/index.ts --format cjs --dts --watch",
+    "clean": "rimraf dist",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "commander": "^12.1.0",
+    "ejs": "^3.1.10",
+    "fs-extra": "^11.2.0",
+    "ora": "^5.4.1",
+    "prompts": "^2.4.2"
+  },
+  "devDependencies": {
+    "@types/ejs": "^3.1.5",
+    "@types/fs-extra": "^11.0.4",
+    "@types/prompts": "^2.4.9",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "brainerce",
+    "ecommerce",
+    "storefront",
+    "scaffold",
+    "create",
+    "nextjs"
+  ],
+  "license": "MIT"
+}

package/templates/nextjs/base/.env.local.ejs

@@ -2,11 +2,11 @@
 NEXT_PUBLIC_BRAINERCE_CONNECTION_ID=<%= connectionId %>
 
 # Store info (pre-fetched during setup to avoid flash on first load)
-NEXT_PUBLIC_STORE_NAME=<%= storeName %>
-NEXT_PUBLIC_STORE_CURRENCY=<%= currency %>
+NEXT_PUBLIC_STORE_NAME=<%- storeNameEnv %>
+NEXT_PUBLIC_STORE_CURRENCY=<%- currencyEnv %>
 
 # Backend API URL (server-side only — used by BFF proxy and SSR, never exposed to browser)
-BRAINERCE_API_URL=<%= apiBaseUrl %>
+BRAINERCE_API_URL=<%- apiBaseUrlEnv %>
 
 # Public site URL — used for sitemap, robots.txt, and SEO metadata
 NEXT_PUBLIC_SITE_URL=http://localhost:3000

package/templates/nextjs/base/next.config.ts

@@ -1,31 +1,32 @@
-import type { NextConfig } from 'next';
-
-const nextConfig: NextConfig = {
-  images: {
-    remotePatterns: [{ protocol: 'https', hostname: '**' }],
-  },
-  async headers() {
-    return [
-      {
-        source: '/(.*)',
-        headers: [
-          {
-            key: 'Content-Security-Policy',
-            value: [
-              "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.meshulam.co.il https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://js.stripe.com https://pay.google.com",
-              "style-src 'self' 'unsafe-inline' https://cdn.meshulam.co.il",
-              "img-src 'self' data: blob: https:",
-              "font-src 'self' data:",
-              "frame-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions",
-              "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://google.com https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
-              "worker-src 'self' blob:",
-            ].join('; '),
-          },
-        ],
-      },
-    ];
-  },
-};
-
-export default nextConfig;
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  images: {
+    remotePatterns: [
+      { protocol: 'https', hostname: 'cdn.brainerce.com' },
+      { protocol: 'https', hostname: '*.brainerce.com' },
+    ],
+  },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=63072000; includeSubDomains; preload',
+          },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
+          },
+        ],
+      },
+    ];
+  },
+};
+
+export default nextConfig;

package/templates/nextjs/base/package.json.ejs

@@ -15,7 +15,8 @@
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "clsx": "^2.1.0",
-    "tailwind-merge": "^2.2.0"
+    "tailwind-merge": "^2.2.0",
+    "isomorphic-dompurify": "^3.8.0"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",

package/templates/nextjs/base/src/app/api/auth/logout/route.ts

@@ -1,14 +1,15 @@
-import { NextResponse } from 'next/server';
-
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-
-/**
- * Logout endpoint. Clears auth cookies.
- */
-export async function POST() {
-  const response = NextResponse.json({ success: true });
-  response.cookies.delete(TOKEN_COOKIE);
-  response.cookies.delete(LOGGED_IN_COOKIE);
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+import { checkCsrf } from '@/lib/csrf';
+
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+
+  const response = NextResponse.json({ success: true });
+  response.cookies.delete(TOKEN_COOKIE);
+  response.cookies.delete(LOGGED_IN_COOKIE);
+  return response;
+}

package/templates/nextjs/base/src/app/api/auth/oauth-callback/route.ts

@@ -1,59 +1,66 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
-
-function isSecure(): boolean {
-  return process.env.NODE_ENV === 'production';
-}
-
-/**
- * OAuth callback handler.
- * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
- * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
- */
-export async function GET(request: NextRequest) {
-  const { searchParams } = request.nextUrl;
-  const token = searchParams.get('token');
-  const oauthSuccess = searchParams.get('oauth_success');
-  const oauthError = searchParams.get('oauth_error');
-
-  // Build redirect URL to client-side callback page
-  const redirectUrl = new URL('/auth/callback', request.url);
-
-  if (oauthError) {
-    redirectUrl.searchParams.set('oauth_error', oauthError);
-    return NextResponse.redirect(redirectUrl);
-  }
-
-  if (oauthSuccess === 'true' && token) {
-    redirectUrl.searchParams.set('oauth_success', 'true');
-
-    const response = NextResponse.redirect(redirectUrl);
-
-    // Set httpOnly cookie with the token
-    response.cookies.set(TOKEN_COOKIE, token, {
-      httpOnly: true,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
-
-    // Set indicator cookie (readable by client JS)
-    response.cookies.set(LOGGED_IN_COOKIE, '1', {
-      httpOnly: false,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
-
-    return response;
-  }
-
-  // Fallback: no token or success flag
-  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
-  return NextResponse.redirect(redirectUrl);
-}
+import { NextRequest, NextResponse } from 'next/server';
+
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
+
+function isSecure(): boolean {
+  return process.env.NODE_ENV === 'production';
+}
+
+/**
+ * OAuth callback handler.
+ * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
+ * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
+ */
+export async function GET(request: NextRequest) {
+  const { searchParams } = request.nextUrl;
+  const token = searchParams.get('token');
+  const oauthSuccess = searchParams.get('oauth_success');
+  const oauthError = searchParams.get('oauth_error');
+
+  // Build redirect URL to client-side callback page
+  const redirectUrl = new URL('/auth/callback', request.url);
+
+  if (oauthError) {
+    redirectUrl.searchParams.set('oauth_error', oauthError);
+    const response = NextResponse.redirect(redirectUrl);
+    response.headers.set('Referrer-Policy', 'no-referrer');
+    return response;
+  }
+
+  if (oauthSuccess === 'true' && token) {
+    redirectUrl.searchParams.set('oauth_success', 'true');
+
+    const response = NextResponse.redirect(redirectUrl);
+
+    // Set httpOnly cookie with the token
+    response.cookies.set(TOKEN_COOKIE, token, {
+      httpOnly: true,
+      secure: isSecure(),
+      sameSite: 'lax',
+      path: '/',
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // Set indicator cookie (readable by client JS)
+    response.cookies.set(LOGGED_IN_COOKIE, '1', {
+      httpOnly: false,
+      secure: isSecure(),
+      sameSite: 'lax',
+      path: '/',
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // Prevent token leaking via Referer header on the downstream navigation
+    response.headers.set('Referrer-Policy', 'no-referrer');
+
+    return response;
+  }
+
+  // Fallback: no token or success flag
+  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
+  const response = NextResponse.redirect(redirectUrl);
+  response.headers.set('Referrer-Policy', 'no-referrer');
+  return response;
+}

package/templates/nextjs/base/src/app/api/auth/reset-password/route.ts

@@ -1,77 +1,76 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { cookies, headers } from 'next/headers';
-
-const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
-  /\/$/,
-  ''
-);
-
-const CONNECTION_ID = process.env.NEXT_PUBLIC_BRAINERCE_CONNECTION_ID || '';
-
-const RESET_TOKEN_COOKIE = 'brainerce_reset_token';
-const CSRF_HEADER = 'x-requested-with';
-const CSRF_VALUE = 'brainerce';
-
-/**
- * BFF endpoint for password reset.
- * Reads the reset token from the httpOnly cookie (set by /api/auth/reset-callback)
- * and proxies the request to the backend. The token never touches client JS.
- */
-export async function POST(request: NextRequest) {
-  // CSRF check
-  const csrfHeader = request.headers.get(CSRF_HEADER);
-  if (csrfHeader !== CSRF_VALUE) {
-    return NextResponse.json({ error: 'CSRF validation failed' }, { status: 403 });
-  }
-
-  // Read reset token from httpOnly cookie
-  const cookieStore = await cookies();
-  const resetTokenCookie = cookieStore.get(RESET_TOKEN_COOKIE);
-
-  if (!resetTokenCookie?.value) {
-    return NextResponse.json(
-      { error: 'No reset token found. Please request a new password reset link.' },
-      { status: 400 }
-    );
-  }
-
-  // Parse request body
-  const body = await request.json();
-  const { newPassword } = body;
-
-  if (!newPassword) {
-    return NextResponse.json({ error: 'New password is required' }, { status: 400 });
-  }
-
-  // Derive Origin from the incoming request so the backend's BrowserOriginGuard accepts it
-  const requestHeaders = await headers();
-  const host = requestHeaders.get('host') || 'localhost:3000';
-  const proto = requestHeaders.get('x-forwarded-proto') || 'http';
-  const origin = requestHeaders.get('origin') || `${proto}://${host}`;
-
-  // Proxy to backend
-  const backendUrl = `${BACKEND_URL}/api/vc/${CONNECTION_ID}/customers/reset-password`;
-
-  const backendResponse = await fetch(backendUrl, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      Origin: origin,
-    },
-    body: JSON.stringify({
-      token: resetTokenCookie.value,
-      newPassword,
-    }),
-  });
-
-  const data = await backendResponse.json();
-
-  const response = NextResponse.json(data, {
-    status: backendResponse.status,
-  });
-
-  // Always clear the reset token cookie after use (success or failure)
-  response.cookies.delete(RESET_TOKEN_COOKIE);
-
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { validatePassword } from '@/lib/validation';
+import { checkCsrf } from '@/lib/csrf';
+
+const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
+  /\/$/,
+  ''
+);
+
+const CONNECTION_ID = process.env.NEXT_PUBLIC_BRAINERCE_CONNECTION_ID || '';
+
+const RESET_TOKEN_COOKIE = 'brainerce_reset_token';
+
+/**
+ * BFF endpoint for password reset.
+ * Reads the reset token from the httpOnly cookie (set by /api/auth/reset-callback)
+ * and proxies the request to the backend. The token never touches client JS.
+ */
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+
+  // Read reset token from httpOnly cookie
+  const cookieStore = await cookies();
+  const resetTokenCookie = cookieStore.get(RESET_TOKEN_COOKIE);
+
+  if (!resetTokenCookie?.value) {
+    return NextResponse.json(
+      { error: 'No reset token found. Please request a new password reset link.' },
+      { status: 400 }
+    );
+  }
+
+  // Parse request body
+  const body = await request.json();
+  const { newPassword } = body;
+
+  const passwordError = validatePassword(newPassword);
+  if (passwordError) {
+    return NextResponse.json({ error: passwordError }, { status: 400 });
+  }
+
+  // Proxy to backend
+  const backendUrl = `${BACKEND_URL}/api/vc/${CONNECTION_ID}/customers/reset-password`;
+
+  const backendResponse = await fetch(backendUrl, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Origin: request.nextUrl.origin,
+    },
+    body: JSON.stringify({
+      token: resetTokenCookie.value,
+      newPassword,
+    }),
+  });
+
+  let data: unknown;
+  try {
+    data = await backendResponse.json();
+  } catch {
+    const response = NextResponse.json({ error: 'Invalid response from backend' }, { status: 502 });
+    response.cookies.delete(RESET_TOKEN_COOKIE);
+    return response;
+  }
+
+  const response = NextResponse.json(data, {
+    status: backendResponse.status,
+  });
+
+  // Always clear the reset token cookie after use (success or failure)
+  response.cookies.delete(RESET_TOKEN_COOKIE);
+
+  return response;
+}