create-brainerce-store 1.28.20 → 1.28.21

package/templates/nextjs/base/src/lib/safe-redirect.ts

@@ -1,45 +1,60 @@
-const ALLOWED_PAYMENT_HOSTS: readonly string[] = [
-  'checkout.stripe.com',
-  'js.stripe.com',
-  'hooks.stripe.com',
-  'www.paypal.com',
-  'www.sandbox.paypal.com',
-  'secure.cardcom.solutions',
-  'meshulam.co.il',
-  'grow.link',
-  'grow.security',
-  'creditguard.co.il',
-];
-
-export function isAllowedPaymentUrl(url: string): boolean {
-  if (!url || typeof url !== 'string') return false;
-
-  let parsed: URL;
-  try {
-    parsed = new URL(url);
-  } catch {
-    return false;
-  }
-
-  if (parsed.protocol !== 'https:') return false;
-
-  const hostname = parsed.hostname.toLowerCase();
-  return ALLOWED_PAYMENT_HOSTS.some((host) => hostname === host || hostname.endsWith('.' + host));
-}
-
-export function safePaymentRedirect(url: string): void {
-  if (!isAllowedPaymentUrl(url)) {
-    throw new Error('Payment redirect URL is not in the allowlist');
-  }
-  if (typeof window !== 'undefined') {
-    window.location.href = url;
-  }
-}
-
-// CUID format used by Prisma for Checkout.id — c + 24 lowercase alphanumeric chars.
-// Allow a small range to tolerate cuid2 (slightly different length).
-const CHECKOUT_ID_RE = /^c[a-z0-9]{20,30}$/;
-
-export function isValidCheckoutId(id: unknown): id is string {
-  return typeof id === 'string' && CHECKOUT_ID_RE.test(id);
-}
+const ALLOWED_PAYMENT_HOSTS: readonly string[] = [
+  'checkout.stripe.com',
+  'js.stripe.com',
+  'hooks.stripe.com',
+  'www.paypal.com',
+  'www.sandbox.paypal.com',
+  'secure.cardcom.solutions',
+  'meshulam.co.il',
+  'grow.link',
+  'grow.security',
+  'creditguard.co.il',
+  // Brainerce-hosted payment embeds (cardcom-payments /embed/:lpCode etc.).
+  // These are platform-owned iframe shells that wrap provider-specific flows
+  // and relay postMessage events back to the storefront.
+  'brainerce.com',
+];
+
+export function isAllowedPaymentUrl(url: string): boolean {
+  if (!url || typeof url !== 'string') return false;
+
+  let parsed: URL;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return false;
+  }
+
+  const hostname = parsed.hostname.toLowerCase();
+
+  // Dev-only: allow http://localhost|127.0.0.1 so the local storefront can
+  // iframe the local backend's embed proxy. Stripped in production builds.
+  if (
+    process.env.NODE_ENV !== 'production' &&
+    parsed.protocol === 'http:' &&
+    (hostname === 'localhost' || hostname === '127.0.0.1')
+  ) {
+    return true;
+  }
+
+  if (parsed.protocol !== 'https:') return false;
+
+  return ALLOWED_PAYMENT_HOSTS.some((host) => hostname === host || hostname.endsWith('.' + host));
+}
+
+export function safePaymentRedirect(url: string): void {
+  if (!isAllowedPaymentUrl(url)) {
+    throw new Error('Payment redirect URL is not in the allowlist');
+  }
+  if (typeof window !== 'undefined') {
+    window.location.href = url;
+  }
+}
+
+// CUID format used by Prisma for Checkout.id — c + 24 lowercase alphanumeric chars.
+// Allow a small range to tolerate cuid2 (slightly different length).
+const CHECKOUT_ID_RE = /^c[a-z0-9]{20,30}$/;
+
+export function isValidCheckoutId(id: unknown): id is string {
+  return typeof id === 'string' && CHECKOUT_ID_RE.test(id);
+}

package/templates/nextjs/base/src/middleware.ts.ejs

@@ -32,7 +32,7 @@ function buildCsp(nonce: string): string {
     "style-src 'self' 'unsafe-inline' https://cdn.meshulam.co.il",
     "img-src 'self' data: blob: https:",
     "font-src 'self' data:",
-    "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com",
+    "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com https://*.brainerce.com",
     "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
     "worker-src 'self' blob:",
     // 'self' (not 'none') so iframe-based payment providers (e.g. Cardcom)
@@ -149,7 +149,7 @@ function buildCsp(nonce: string): string {
     "style-src 'self' 'unsafe-inline' https://cdn.meshulam.co.il",
     "img-src 'self' data: blob: https:",
     "font-src 'self' data:",
-    "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com",
+    "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com https://*.brainerce.com",
     "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
     "worker-src 'self' blob:",
     // 'self' (not 'none') so iframe-based payment providers (e.g. Cardcom)

package/dist/index.d.ts

@@ -1 +0,0 @@
-#!/usr/bin/env node