create-brainerce-store 1.28.4 → 1.28.9

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "create-brainerce-store",
-      version: "1.28.4",
+      version: "1.28.9",
       description: "Scaffold a production-ready e-commerce storefront connected to Brainerce",
       bin: {
         "create-brainerce-store": "dist/index.js"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-brainerce-store",
-  "version": "1.28.4",
+  "version": "1.28.9",
   "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
   "bin": {
     "create-brainerce-store": "dist/index.js"

package/templates/nextjs/base/next.config.ts

@@ -2,10 +2,17 @@ import type { NextConfig } from 'next';
 
 const nextConfig: NextConfig = {
   images: {
-    remotePatterns: [
-      { protocol: 'https', hostname: 'cdn.brainerce.com' },
-      { protocol: 'https', hostname: '*.brainerce.com' },
-    ],
+    // The storefront is a consumer of the Brainerce API — it has to render
+    // whatever image URLs the API returns. In practice those URLs can be on
+    // cdn.brainerce.com OR on an upstream merchant host (WooCommerce, Shopify,
+    // self-hosted) depending on whether the product's image-import job has
+    // completed on the backend. Rather than hard-fail on unknown hosts, skip
+    // the server-side optimizer entirely and let the browser fetch each image
+    // directly from origin. No server-side fetching → no SSRF or DoS surface
+    // on this Next server. Trade-off: no webp/resize/lazy optimization, so
+    // LCP is marginally worse. Acceptable; the storefront is not the right
+    // layer to enforce a hostname policy.
+    unoptimized: true,
   },
   async headers() {
     return [
@@ -17,7 +24,11 @@ const nextConfig: NextConfig = {
             value: 'max-age=63072000; includeSubDomains; preload',
           },
           { key: 'X-Content-Type-Options', value: 'nosniff' },
-          { key: 'X-Frame-Options', value: 'DENY' },
+          // SAMEORIGIN (not DENY) so iframe-based payment providers (e.g. Cardcom)
+          // can redirect the iframe back to /payment-complete on the storefront
+          // itself after a successful charge — the postMessage relay needs the
+          // parent frame to be able to render our own same-origin page.
+          { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
           { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
           {
             key: 'Permissions-Policy',

package/templates/nextjs/base/src/components/checkout/payment-step.tsx

@@ -557,14 +557,14 @@ export function PaymentStep({ checkoutId, className }: PaymentStepProps) {
 
   if (sdk.renderType === 'iframe') {
     if (!isAllowedPaymentUrl(paymentIntent.clientSecret)) return null;
-    const formattedAmount = formatPrice(Number(paymentIntent.amount) || 0, {
+    const formattedAmount = formatPrice((Number(paymentIntent.amount) || 0) / 100, {
       currency: paymentIntent.currency,
     }) as string;
     return (
       <>
         {/* Modal overlay */}
         <div className="fixed inset-0 z-50 flex items-start justify-center overflow-y-auto bg-black/50 py-6 backdrop-blur-sm">
-          <div className="bg-background relative mx-4 flex w-full max-w-lg flex-col overflow-hidden rounded-2xl shadow-2xl">
+          <div className="bg-background relative mx-4 flex w-full max-w-2xl flex-col overflow-hidden rounded-2xl shadow-2xl">
             {/* Header */}
             <div className="border-border flex items-center justify-between gap-4 border-b px-5 py-4">
               <div className="flex min-w-0 flex-col">
@@ -605,7 +605,7 @@ export function PaymentStep({ checkoutId, className }: PaymentStepProps) {
             <iframe
               src={paymentIntent.clientSecret}
               className="w-full border-0"
-              style={{ height: '70vh' }}
+              style={{ height: '80vh' }}
               title={t('payment')}
               allow="payment"
             />

package/templates/nextjs/base/src/middleware.ts.ejs

@@ -35,7 +35,10 @@ function buildCsp(nonce: string): string {
     "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com",
     "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
     "worker-src 'self' blob:",
-    "frame-ancestors 'none'",
+    // 'self' (not 'none') so iframe-based payment providers (e.g. Cardcom)
+    // can redirect the iframe back to /payment-complete on the storefront
+    // itself after a successful charge.
+    "frame-ancestors 'self'",
     "base-uri 'self'",
     "form-action 'self'",
     "object-src 'none'",
@@ -149,7 +152,10 @@ function buildCsp(nonce: string): string {
     "frame-src 'self' https://meshulam.co.il https://*.meshulam.co.il https://grow.link https://*.grow.link https://grow.security https://*.grow.security https://creditguard.co.il https://*.creditguard.co.il https://js.stripe.com https://hooks.stripe.com https://pay.google.com https://secure.cardcom.solutions https://checkout.stripe.com https://www.paypal.com https://www.sandbox.paypal.com",
     "connect-src 'self' https://*.meshulam.co.il https://grow.link https://*.grow.link https://*.grow.security https://pay.google.com https://*.stripe.com https://*.creditguard.co.il",
     "worker-src 'self' blob:",
-    "frame-ancestors 'none'",
+    // 'self' (not 'none') so iframe-based payment providers (e.g. Cardcom)
+    // can redirect the iframe back to /payment-complete on the storefront
+    // itself after a successful charge.
+    "frame-ancestors 'self'",
     "base-uri 'self'",
     "form-action 'self'",
     "object-src 'none'",