create-brainerce-store 1.28.13 → 1.28.17

package/package.json

@@ -1,46 +1,46 @@
-{
-  "name": "create-brainerce-store",
-  "version": "1.28.13",
-  "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
-  "bin": {
-    "create-brainerce-store": "dist/index.js"
-  },
-  "files": [
-    "dist",
-    "templates",
-    "messages"
-  ],
-  "scripts": {
-    "build": "tsup src/index.ts --format cjs --dts --clean",
-    "dev": "tsup src/index.ts --format cjs --dts --watch",
-    "clean": "rimraf dist",
-    "prepublishOnly": "npm run build"
-  },
-  "dependencies": {
-    "chalk": "^4.1.2",
-    "commander": "^12.1.0",
-    "ejs": "^3.1.10",
-    "fs-extra": "^11.2.0",
-    "ora": "^5.4.1",
-    "prompts": "^2.4.2"
-  },
-  "devDependencies": {
-    "@types/ejs": "^3.1.5",
-    "@types/fs-extra": "^11.0.4",
-    "@types/prompts": "^2.4.9",
-    "tsup": "^8.0.0",
-    "typescript": "^5.4.0"
-  },
-  "engines": {
-    "node": ">=18"
-  },
-  "keywords": [
-    "brainerce",
-    "ecommerce",
-    "storefront",
-    "scaffold",
-    "create",
-    "nextjs"
-  ],
-  "license": "MIT"
-}
+{
+  "name": "create-brainerce-store",
+  "version": "1.28.17",
+  "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
+  "bin": {
+    "create-brainerce-store": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "templates",
+    "messages"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs --dts --clean",
+    "dev": "tsup src/index.ts --format cjs --dts --watch",
+    "clean": "rimraf dist",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "commander": "^12.1.0",
+    "ejs": "^3.1.10",
+    "fs-extra": "^11.2.0",
+    "ora": "^5.4.1",
+    "prompts": "^2.4.2"
+  },
+  "devDependencies": {
+    "@types/ejs": "^3.1.5",
+    "@types/fs-extra": "^11.0.4",
+    "@types/prompts": "^2.4.9",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "brainerce",
+    "ecommerce",
+    "storefront",
+    "scaffold",
+    "create",
+    "nextjs"
+  ],
+  "license": "MIT"
+}

package/templates/nextjs/base/next.config.ts

@@ -1,47 +1,47 @@
-import type { NextConfig } from 'next';
-
-const nextConfig: NextConfig = {
-  // isomorphic-dompurify ships jsdom, which at runtime reads stylesheet files
-  // from its own package directory. Webpack bundling breaks those relative
-  // lookups — loading it externally from node_modules keeps the paths intact.
-  serverExternalPackages: ['isomorphic-dompurify'],
-  images: {
-    // The storefront is a consumer of the Brainerce API — it has to render
-    // whatever image URLs the API returns. In practice those URLs can be on
-    // cdn.brainerce.com OR on an upstream merchant host (WooCommerce, Shopify,
-    // self-hosted) depending on whether the product's image-import job has
-    // completed on the backend. Rather than hard-fail on unknown hosts, skip
-    // the server-side optimizer entirely and let the browser fetch each image
-    // directly from origin. No server-side fetching → no SSRF or DoS surface
-    // on this Next server. Trade-off: no webp/resize/lazy optimization, so
-    // LCP is marginally worse. Acceptable; the storefront is not the right
-    // layer to enforce a hostname policy.
-    unoptimized: true,
-  },
-  async headers() {
-    return [
-      {
-        source: '/(.*)',
-        headers: [
-          {
-            key: 'Strict-Transport-Security',
-            value: 'max-age=63072000; includeSubDomains; preload',
-          },
-          { key: 'X-Content-Type-Options', value: 'nosniff' },
-          // SAMEORIGIN (not DENY) so iframe-based payment providers (e.g. Cardcom)
-          // can redirect the iframe back to /payment-complete on the storefront
-          // itself after a successful charge — the postMessage relay needs the
-          // parent frame to be able to render our own same-origin page.
-          { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
-          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
-          {
-            key: 'Permissions-Policy',
-            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
-          },
-        ],
-      },
-    ];
-  },
-};
-
-export default nextConfig;
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  // isomorphic-dompurify ships jsdom, which at runtime reads stylesheet files
+  // from its own package directory. Webpack bundling breaks those relative
+  // lookups — loading it externally from node_modules keeps the paths intact.
+  serverExternalPackages: ['isomorphic-dompurify'],
+  images: {
+    // The storefront is a consumer of the Brainerce API — it has to render
+    // whatever image URLs the API returns. In practice those URLs can be on
+    // cdn.brainerce.com OR on an upstream merchant host (WooCommerce, Shopify,
+    // self-hosted) depending on whether the product's image-import job has
+    // completed on the backend. Rather than hard-fail on unknown hosts, skip
+    // the server-side optimizer entirely and let the browser fetch each image
+    // directly from origin. No server-side fetching → no SSRF or DoS surface
+    // on this Next server. Trade-off: no webp/resize/lazy optimization, so
+    // LCP is marginally worse. Acceptable; the storefront is not the right
+    // layer to enforce a hostname policy.
+    unoptimized: true,
+  },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          {
+            key: 'Strict-Transport-Security',
+            value: 'max-age=63072000; includeSubDomains; preload',
+          },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          // SAMEORIGIN (not DENY) so iframe-based payment providers (e.g. Cardcom)
+          // can redirect the iframe back to /payment-complete on the storefront
+          // itself after a successful charge — the postMessage relay needs the
+          // parent frame to be able to render our own same-origin page.
+          { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
+          },
+        ],
+      },
+    ];
+  },
+};
+
+export default nextConfig;

package/templates/nextjs/base/src/app/api/auth/logout/route.ts

@@ -1,15 +1,15 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { checkCsrf } from '@/lib/csrf';
-
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-
-export async function POST(request: NextRequest) {
-  const csrfError = checkCsrf(request);
-  if (csrfError) return csrfError;
-
-  const response = NextResponse.json({ success: true });
-  response.cookies.delete(TOKEN_COOKIE);
-  response.cookies.delete(LOGGED_IN_COOKIE);
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+import { checkCsrf } from '@/lib/csrf';
+
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+
+  const response = NextResponse.json({ success: true });
+  response.cookies.delete(TOKEN_COOKIE);
+  response.cookies.delete(LOGGED_IN_COOKIE);
+  return response;
+}

package/templates/nextjs/base/src/app/api/auth/oauth-callback/route.ts

@@ -1,66 +1,66 @@
-import { NextRequest, NextResponse } from 'next/server';
-
-const TOKEN_COOKIE = 'brainerce_customer_token';
-const LOGGED_IN_COOKIE = 'brainerce_logged_in';
-const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
-
-function isSecure(): boolean {
-  return process.env.NODE_ENV === 'production';
-}
-
-/**
- * OAuth callback handler.
- * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
- * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
- */
-export async function GET(request: NextRequest) {
-  const { searchParams } = request.nextUrl;
-  const token = searchParams.get('token');
-  const oauthSuccess = searchParams.get('oauth_success');
-  const oauthError = searchParams.get('oauth_error');
-
-  // Build redirect URL to client-side callback page
-  const redirectUrl = new URL('/auth/callback', request.url);
-
-  if (oauthError) {
-    redirectUrl.searchParams.set('oauth_error', oauthError);
-    const response = NextResponse.redirect(redirectUrl);
-    response.headers.set('Referrer-Policy', 'no-referrer');
-    return response;
-  }
-
-  if (oauthSuccess === 'true' && token) {
-    redirectUrl.searchParams.set('oauth_success', 'true');
-
-    const response = NextResponse.redirect(redirectUrl);
-
-    // Set httpOnly cookie with the token
-    response.cookies.set(TOKEN_COOKIE, token, {
-      httpOnly: true,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
-
-    // Set indicator cookie (readable by client JS)
-    response.cookies.set(LOGGED_IN_COOKIE, '1', {
-      httpOnly: false,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
-
-    // Prevent token leaking via Referer header on the downstream navigation
-    response.headers.set('Referrer-Policy', 'no-referrer');
-
-    return response;
-  }
-
-  // Fallback: no token or success flag
-  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
-  const response = NextResponse.redirect(redirectUrl);
-  response.headers.set('Referrer-Policy', 'no-referrer');
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+
+const TOKEN_COOKIE = 'brainerce_customer_token';
+const LOGGED_IN_COOKIE = 'brainerce_logged_in';
+const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
+
+function isSecure(): boolean {
+  return process.env.NODE_ENV === 'production';
+}
+
+/**
+ * OAuth callback handler.
+ * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
+ * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
+ */
+export async function GET(request: NextRequest) {
+  const { searchParams } = request.nextUrl;
+  const token = searchParams.get('token');
+  const oauthSuccess = searchParams.get('oauth_success');
+  const oauthError = searchParams.get('oauth_error');
+
+  // Build redirect URL to client-side callback page
+  const redirectUrl = new URL('/auth/callback', request.url);
+
+  if (oauthError) {
+    redirectUrl.searchParams.set('oauth_error', oauthError);
+    const response = NextResponse.redirect(redirectUrl);
+    response.headers.set('Referrer-Policy', 'no-referrer');
+    return response;
+  }
+
+  if (oauthSuccess === 'true' && token) {
+    redirectUrl.searchParams.set('oauth_success', 'true');
+
+    const response = NextResponse.redirect(redirectUrl);
+
+    // Set httpOnly cookie with the token
+    response.cookies.set(TOKEN_COOKIE, token, {
+      httpOnly: true,
+      secure: isSecure(),
+      sameSite: 'lax',
+      path: '/',
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // Set indicator cookie (readable by client JS)
+    response.cookies.set(LOGGED_IN_COOKIE, '1', {
+      httpOnly: false,
+      secure: isSecure(),
+      sameSite: 'lax',
+      path: '/',
+      maxAge: COOKIE_MAX_AGE,
+    });
+
+    // Prevent token leaking via Referer header on the downstream navigation
+    response.headers.set('Referrer-Policy', 'no-referrer');
+
+    return response;
+  }
+
+  // Fallback: no token or success flag
+  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
+  const response = NextResponse.redirect(redirectUrl);
+  response.headers.set('Referrer-Policy', 'no-referrer');
+  return response;
+}

package/templates/nextjs/base/src/app/api/auth/reset-password/route.ts

@@ -1,76 +1,76 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { validatePassword } from '@/lib/validation';
-import { checkCsrf } from '@/lib/csrf';
-
-const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
-  /\/$/,
-  ''
-);
-
-const CONNECTION_ID = process.env.NEXT_PUBLIC_BRAINERCE_CONNECTION_ID || '';
-
-const RESET_TOKEN_COOKIE = 'brainerce_reset_token';
-
-/**
- * BFF endpoint for password reset.
- * Reads the reset token from the httpOnly cookie (set by /api/auth/reset-callback)
- * and proxies the request to the backend. The token never touches client JS.
- */
-export async function POST(request: NextRequest) {
-  const csrfError = checkCsrf(request);
-  if (csrfError) return csrfError;
-
-  // Read reset token from httpOnly cookie
-  const cookieStore = await cookies();
-  const resetTokenCookie = cookieStore.get(RESET_TOKEN_COOKIE);
-
-  if (!resetTokenCookie?.value) {
-    return NextResponse.json(
-      { error: 'No reset token found. Please request a new password reset link.' },
-      { status: 400 }
-    );
-  }
-
-  // Parse request body
-  const body = await request.json();
-  const { newPassword } = body;
-
-  const passwordError = validatePassword(newPassword);
-  if (passwordError) {
-    return NextResponse.json({ error: passwordError }, { status: 400 });
-  }
-
-  // Proxy to backend
-  const backendUrl = `${BACKEND_URL}/api/vc/${CONNECTION_ID}/customers/reset-password`;
-
-  const backendResponse = await fetch(backendUrl, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      Origin: request.nextUrl.origin,
-    },
-    body: JSON.stringify({
-      token: resetTokenCookie.value,
-      newPassword,
-    }),
-  });
-
-  let data: unknown;
-  try {
-    data = await backendResponse.json();
-  } catch {
-    const response = NextResponse.json({ error: 'Invalid response from backend' }, { status: 502 });
-    response.cookies.delete(RESET_TOKEN_COOKIE);
-    return response;
-  }
-
-  const response = NextResponse.json(data, {
-    status: backendResponse.status,
-  });
-
-  // Always clear the reset token cookie after use (success or failure)
-  response.cookies.delete(RESET_TOKEN_COOKIE);
-
-  return response;
-}
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { validatePassword } from '@/lib/validation';
+import { checkCsrf } from '@/lib/csrf';
+
+const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
+  /\/$/,
+  ''
+);
+
+const CONNECTION_ID = process.env.NEXT_PUBLIC_BRAINERCE_CONNECTION_ID || '';
+
+const RESET_TOKEN_COOKIE = 'brainerce_reset_token';
+
+/**
+ * BFF endpoint for password reset.
+ * Reads the reset token from the httpOnly cookie (set by /api/auth/reset-callback)
+ * and proxies the request to the backend. The token never touches client JS.
+ */
+export async function POST(request: NextRequest) {
+  const csrfError = checkCsrf(request);
+  if (csrfError) return csrfError;
+
+  // Read reset token from httpOnly cookie
+  const cookieStore = await cookies();
+  const resetTokenCookie = cookieStore.get(RESET_TOKEN_COOKIE);
+
+  if (!resetTokenCookie?.value) {
+    return NextResponse.json(
+      { error: 'No reset token found. Please request a new password reset link.' },
+      { status: 400 }
+    );
+  }
+
+  // Parse request body
+  const body = await request.json();
+  const { newPassword } = body;
+
+  const passwordError = validatePassword(newPassword);
+  if (passwordError) {
+    return NextResponse.json({ error: passwordError }, { status: 400 });
+  }
+
+  // Proxy to backend
+  const backendUrl = `${BACKEND_URL}/api/vc/${CONNECTION_ID}/customers/reset-password`;
+
+  const backendResponse = await fetch(backendUrl, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Origin: request.nextUrl.origin,
+    },
+    body: JSON.stringify({
+      token: resetTokenCookie.value,
+      newPassword,
+    }),
+  });
+
+  let data: unknown;
+  try {
+    data = await backendResponse.json();
+  } catch {
+    const response = NextResponse.json({ error: 'Invalid response from backend' }, { status: 502 });
+    response.cookies.delete(RESET_TOKEN_COOKIE);
+    return response;
+  }
+
+  const response = NextResponse.json(data, {
+    status: backendResponse.status,
+  });
+
+  // Always clear the reset token cookie after use (success or failure)
+  response.cookies.delete(RESET_TOKEN_COOKIE);
+
+  return response;
+}