create-brainerce-store 1.47.1 → 1.49.0

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "create-brainerce-store",
-      version: "1.47.1",
+      version: "1.49.0",
       description: "Scaffold a production-ready e-commerce storefront connected to Brainerce",
       bin: {
         "create-brainerce-store": "dist/index.js"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-brainerce-store",
-  "version": "1.47.1",
+  "version": "1.49.0",
   "description": "Scaffold a production-ready e-commerce storefront connected to Brainerce",
   "bin": {
     "create-brainerce-store": "dist/index.js"

package/templates/nextjs/base/src/app/api/auth/oauth-callback/route.ts

@@ -4,63 +4,85 @@ const TOKEN_COOKIE = 'brainerce_customer_token';
 const LOGGED_IN_COOKIE = 'brainerce_logged_in';
 const COOKIE_MAX_AGE = 7 * 24 * 60 * 60; // 7 days
 
+const BACKEND_URL = (process.env.BRAINERCE_API_URL || 'https://api.brainerce.com').replace(
+  /\/$/,
+  ''
+);
+
 function isSecure(): boolean {
   return process.env.NODE_ENV === 'production';
 }
 
+function errorRedirect(base: URL, message: string): NextResponse {
+  base.searchParams.set('oauth_error', message);
+  const response = NextResponse.redirect(base);
+  response.headers.set('Referrer-Policy', 'no-referrer');
+  return response;
+}
+
 /**
  * OAuth callback handler.
- * The backend redirects here with ?token=jwt&oauth_success=true after OAuth code exchange.
- * We set the httpOnly cookie and redirect to the client-side callback page (without the token).
+ *
+ * The backend redirects here with ?oauth_success=true&auth_code=<one-time-code>.
+ * We exchange the auth_code for the real JWT via a server-to-server POST (so the
+ * JWT never appears in any URL), then set an httpOnly cookie and redirect to the
+ * client-side callback page.
  */
 export async function GET(request: NextRequest) {
   const { searchParams } = request.nextUrl;
-  const token = searchParams.get('token');
+  const authCode = searchParams.get('auth_code');
   const oauthSuccess = searchParams.get('oauth_success');
   const oauthError = searchParams.get('oauth_error');
 
-  // Build redirect URL to client-side callback page
   const redirectUrl = new URL('/auth/callback', request.url);
 
   if (oauthError) {
-    redirectUrl.searchParams.set('oauth_error', oauthError);
-    const response = NextResponse.redirect(redirectUrl);
-    response.headers.set('Referrer-Policy', 'no-referrer');
-    return response;
+    return errorRedirect(redirectUrl, oauthError);
   }
 
-  if (oauthSuccess === 'true' && token) {
-    redirectUrl.searchParams.set('oauth_success', 'true');
-
-    const response = NextResponse.redirect(redirectUrl);
+  if (oauthSuccess !== 'true' || !authCode) {
+    return errorRedirect(redirectUrl, 'Authentication failed');
+  }
 
-    // Set httpOnly cookie with the token
-    response.cookies.set(TOKEN_COOKIE, token, {
-      httpOnly: true,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
+  // Exchange the one-time auth_code for the real JWT.
+  // This is a server-to-server call — the JWT never enters the browser URL.
+  let token: string;
+  try {
+    const exchangeRes = await fetch(`${BACKEND_URL}/api/oauth/customer/exchange`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ code: authCode }),
     });
+    if (!exchangeRes.ok) {
+      throw new Error(`exchange responded ${exchangeRes.status}`);
+    }
+    const data = await exchangeRes.json();
+    if (!data.token) throw new Error('missing token in exchange response');
+    token = data.token;
+  } catch (err) {
+    console.error('[oauth-callback] auth_code exchange failed:', err);
+    return errorRedirect(redirectUrl, 'Authentication failed');
+  }
 
-    // Set indicator cookie (readable by client JS)
-    response.cookies.set(LOGGED_IN_COOKIE, '1', {
-      httpOnly: false,
-      secure: isSecure(),
-      sameSite: 'lax',
-      path: '/',
-      maxAge: COOKIE_MAX_AGE,
-    });
+  redirectUrl.searchParams.set('oauth_success', 'true');
+  const response = NextResponse.redirect(redirectUrl);
 
-    // Prevent token leaking via Referer header on the downstream navigation
-    response.headers.set('Referrer-Policy', 'no-referrer');
+  response.cookies.set(TOKEN_COOKIE, token, {
+    httpOnly: true,
+    secure: isSecure(),
+    sameSite: 'lax',
+    path: '/',
+    maxAge: COOKIE_MAX_AGE,
+  });
 
-    return response;
-  }
+  response.cookies.set(LOGGED_IN_COOKIE, '1', {
+    httpOnly: false,
+    secure: isSecure(),
+    sameSite: 'lax',
+    path: '/',
+    maxAge: COOKIE_MAX_AGE,
+  });
 
-  // Fallback: no token or success flag
-  redirectUrl.searchParams.set('oauth_error', 'Authentication failed');
-  const response = NextResponse.redirect(redirectUrl);
   response.headers.set('Referrer-Policy', 'no-referrer');
   return response;
 }

package/templates/nextjs/base/src/app/products/[slug]/page.tsx

@@ -1,118 +1,157 @@
-import type { Metadata } from 'next';
-import { notFound } from 'next/navigation';
-import { getProductPriceInfo } from 'brainerce';
-import { getServerClient, fetchStoreInfo } from '@/lib/brainerce';
-import { resolveCurrency } from '@/lib/resolve-currency';
-import { buildMetaDescription } from '@/lib/seo';
-import { decodeSlug } from '@/lib/utils';
-import { ProductJsonLd } from '@/components/seo/product-json-ld';
-import { ReviewsSection } from '@/components/reviews/reviews-section';
-import { ProductClientSection } from './product-client-section';
-
-type Props = {
-  params: Promise<{ slug: string; locale?: string }>;
-};
-
-export async function generateMetadata({ params }: Props): Promise<Metadata> {
-  const { slug: rawSlug, locale } = await params;
-  const slug = decodeSlug(rawSlug);
-
-  try {
-    const client = getServerClient(locale);
-    // Fetch product + store info in parallel; storeInfo gives us the live
-    // currency for OG price tags (with env-var + USD fallbacks so we never
-    // silently emit a wrong currency when the API is briefly unreachable).
-    const [product, storeInfo] = await Promise.all([
-      client.getProductBySlug(slug),
-      fetchStoreInfo(locale),
-    ]);
-    const imageUrl = product.images?.[0]?.url;
-    // Prefer merchant-authored SEO copy; fall back to a stripped+truncated
-    // version of the visible description, then product name. We must NEVER
-    // emit raw HTML or a mid-word cut into <meta name="description">.
-    const seoTitle = (product as { seoTitle?: string | null }).seoTitle || product.name;
-    const seoDescription =
-      (product as { seoDescription?: string | null }).seoDescription ||
-      buildMetaDescription(product.description) ||
-      product.name;
-
-    // OG product meta tags drive WhatsApp / Facebook / X link previews and
-    // Google Merchant Center product enrichment. Emitting the literal "0"
-    // here (the previous bug) causes price-zero link cards. Use the real
-    // effective price from the SDK helper.
-    const priceInfo = getProductPriceInfo(product);
-    const currency = resolveCurrency(storeInfo);
-    const priceAmount = priceInfo.price > 0 ? priceInfo.price.toFixed(2) : null;
-    const inStock = product.inventory?.canPurchase !== false;
-    const brandName = (product as { brand?: { name?: string } | null }).brand?.name;
-
-    return {
-      title: seoTitle,
-      description: seoDescription,
-      alternates: {
-        canonical: `/products/${slug}`,
-      },
-      openGraph: {
-        title: seoTitle,
-        description: seoDescription,
-        images: imageUrl ? [{ url: imageUrl, alt: product.name }] : [],
-        type: 'website',
-      },
-      twitter: {
-        card: 'summary_large_image',
-        title: seoTitle,
-        description: seoDescription,
-        images: imageUrl ? [imageUrl] : [],
-      },
-      // Emit the OG product extension (Facebook / WhatsApp / X link previews,
-      // Google Merchant Center). Skips the price pair entirely when the SDK
-      // can't determine a positive amount, rather than shipping "0".
-      other: {
-        ...(priceAmount
-          ? {
-              'og:price:amount': priceAmount,
-              'og:price:currency': currency,
-              'product:price:amount': priceAmount,
-              'product:price:currency': currency,
-            }
-          : {}),
-        'product:availability': inStock ? 'in stock' : 'out of stock',
-        'product:condition': 'new',
-        ...(brandName ? { 'product:brand': brandName } : {}),
-      },
-    };
-  } catch {
-    return {
-      title: 'Product not found',
-    };
-  }
-}
-
-export default async function ProductDetailPage({ params }: Props) {
-  const { slug: rawSlug, locale } = await params;
-  const slug = decodeSlug(rawSlug);
-
-  let product;
-  try {
-    const client = getServerClient(locale);
-    product = await client.getProductBySlug(slug);
-  } catch {
-    notFound();
-  }
-
-  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL || '';
-  const productUrl = `${baseUrl}/products/${slug}`;
-  // Reuse the cached storeInfo from generateMetadata's call — React cache()
-  // collapses both into one backend request per render. resolveCurrency owns
-  // the env-var + USD fallback chain so this stays a single source of truth.
-  const storeInfo = await fetchStoreInfo(locale);
-  const currency = resolveCurrency(storeInfo);
-
-  return (
-    <>
-      <ProductJsonLd product={product} url={productUrl} currency={currency} />
-      <ProductClientSection product={product} />
-      <ReviewsSection productId={product.id} />
-    </>
-  );
-}
+import type { Metadata } from 'next';
+import { notFound } from 'next/navigation';
+import { getProductPriceInfo } from 'brainerce';
+import { getServerClient, fetchStoreInfo } from '@/lib/brainerce';
+import { resolveCurrency } from '@/lib/resolve-currency';
+import { buildMetaDescription } from '@/lib/seo';
+import { decodeSlug } from '@/lib/utils';
+import { ProductJsonLd } from '@/components/seo/product-json-ld';
+import { ReviewsSection } from '@/components/reviews/reviews-section';
+import { ProductClientSection } from './product-client-section';
+
+type Props = {
+  params: Promise<{ slug: string; locale?: string }>;
+};
+
+function buildHreflang(
+  baseUrl: string,
+  baseSlug: string,
+  localeSlugs: Record<string, string>,
+  locales: string[],
+  defaultLoc: string
+): Record<string, string> {
+  const langs: Record<string, string> = {};
+  for (const loc of locales) {
+    const locSlug = localeSlugs[loc] || baseSlug;
+    const path = loc === defaultLoc ? `/products/${locSlug}` : `/${loc}/products/${locSlug}`;
+    langs[loc] = `${baseUrl}${path}`;
+  }
+  // x-default points to the default-locale canonical (no prefix)
+  langs['x-default'] = `${baseUrl}/products/${localeSlugs[defaultLoc] || baseSlug}`;
+  return langs;
+}
+
+export async function generateMetadata({ params }: Props): Promise<Metadata> {
+  const { slug: rawSlug, locale } = await params;
+  const slug = decodeSlug(rawSlug);
+
+  try {
+    const client = getServerClient(locale);
+    // Fetch product + store info in parallel; storeInfo gives us the live
+    // currency for OG price tags (with env-var + USD fallbacks so we never
+    // silently emit a wrong currency when the API is briefly unreachable).
+    const [product, storeInfo] = await Promise.all([
+      client.getProductBySlug(slug),
+      fetchStoreInfo(locale),
+    ]);
+    const imageUrl = product.images?.[0]?.url;
+    // Prefer merchant-authored SEO copy; fall back to a stripped+truncated
+    // version of the visible description, then product name. We must NEVER
+    // emit raw HTML or a mid-word cut into <meta name="description">.
+    const seoTitle = (product as { seoTitle?: string | null }).seoTitle || product.name;
+    const seoDescription =
+      (product as { seoDescription?: string | null }).seoDescription ||
+      buildMetaDescription(product.description) ||
+      product.name;
+
+    // OG product meta tags drive WhatsApp / Facebook / X link previews and
+    // Google Merchant Center product enrichment. Emitting the literal "0"
+    // here (the previous bug) causes price-zero link cards. Use the real
+    // effective price from the SDK helper.
+    const priceInfo = getProductPriceInfo(product);
+    const currency = resolveCurrency(storeInfo);
+    const priceAmount = priceInfo.price > 0 ? priceInfo.price.toFixed(2) : null;
+    const inStock = product.inventory?.canPurchase !== false;
+    const brandName = (product as { brand?: { name?: string } | null }).brand?.name;
+
+    // Multilingual SEO: hreflang tags + correct canonical per locale.
+    // Locales come from storeInfo.i18n — already fetched above, zero extra cost.
+    const supportedLocales = storeInfo?.i18n?.supportedLocales ?? [];
+    const defaultLoc = storeInfo?.i18n?.defaultLocale ?? storeInfo?.language ?? '';
+    const baseUrl = process.env.NEXT_PUBLIC_SITE_URL || '';
+    const baseSlug = product.slug || slug;
+    const localeSlugs = product.localeSlugs ?? {};
+
+    // Canonical: use the locale-specific slug for this locale when available.
+    const canonicalSlug = (locale && localeSlugs[locale]) || baseSlug;
+    const canonicalPath =
+      locale && locale !== defaultLoc
+        ? `/${locale}/products/${canonicalSlug}`
+        : `/products/${canonicalSlug}`;
+
+    const hreflangLanguages =
+      supportedLocales.length > 1
+        ? buildHreflang(baseUrl, baseSlug, localeSlugs, supportedLocales, defaultLoc)
+        : undefined;
+
+    return {
+      title: seoTitle,
+      description: seoDescription,
+      alternates: {
+        canonical: canonicalPath,
+        ...(hreflangLanguages ? { languages: hreflangLanguages } : {}),
+      },
+      openGraph: {
+        title: seoTitle,
+        description: seoDescription,
+        images: imageUrl ? [{ url: imageUrl, alt: product.name }] : [],
+        type: 'website',
+      },
+      twitter: {
+        card: 'summary_large_image',
+        title: seoTitle,
+        description: seoDescription,
+        images: imageUrl ? [imageUrl] : [],
+      },
+      // Emit the OG product extension (Facebook / WhatsApp / X link previews,
+      // Google Merchant Center). Skips the price pair entirely when the SDK
+      // can't determine a positive amount, rather than shipping "0".
+      other: {
+        ...(priceAmount
+          ? {
+              'og:price:amount': priceAmount,
+              'og:price:currency': currency,
+              'product:price:amount': priceAmount,
+              'product:price:currency': currency,
+            }
+          : {}),
+        'product:availability': inStock ? 'in stock' : 'out of stock',
+        'product:condition': 'new',
+        ...(brandName ? { 'product:brand': brandName } : {}),
+      },
+    };
+  } catch {
+    return {
+      title: 'Product not found',
+    };
+  }
+}
+
+export default async function ProductDetailPage({ params }: Props) {
+  const { slug: rawSlug, locale } = await params;
+  const slug = decodeSlug(rawSlug);
+
+  let product;
+  try {
+    const client = getServerClient(locale);
+    product = await client.getProductBySlug(slug);
+  } catch {
+    notFound();
+  }
+
+  const baseUrl = process.env.NEXT_PUBLIC_SITE_URL || '';
+  const productUrl = `${baseUrl}/products/${slug}`;
+  // Reuse the cached storeInfo from generateMetadata's call — React cache()
+  // collapses both into one backend request per render. resolveCurrency owns
+  // the env-var + USD fallback chain so this stays a single source of truth.
+  const storeInfo = await fetchStoreInfo(locale);
+  const currency = resolveCurrency(storeInfo);
+
+  return (
+    <>
+      <ProductJsonLd product={product} url={productUrl} currency={currency} />
+      <ProductClientSection product={product} />
+      <ReviewsSection productId={product.id} />
+    </>
+  );
+}

package/templates/nextjs/base/src/app/sitemap.ts

@@ -4,19 +4,43 @@ import { getServerClient } from '@/lib/brainerce';
 export default async function sitemap(): Promise<MetadataRoute.Sitemap> {
   const baseUrl = process.env.NEXT_PUBLIC_SITE_URL || 'https://example.com';
 
-  const staticPages: MetadataRoute.Sitemap = [
-    { url: baseUrl, lastModified: new Date(), priority: 1 },
-    { url: `${baseUrl}/products`, lastModified: new Date(), priority: 0.9 },
-  ];
+  const client = getServerClient();
+  const storeInfo = await client.getStoreInfo().catch(() => null);
+  const supportedLocales = storeInfo?.i18n?.supportedLocales ?? [];
+  const defaultLoc = storeInfo?.i18n?.defaultLocale ?? storeInfo?.language ?? '';
+  const isMultiLocale = supportedLocales.length > 1;
+
+  const staticPages: MetadataRoute.Sitemap = isMultiLocale
+    ? supportedLocales.flatMap((loc) => {
+        const prefix = loc === defaultLoc ? '' : `/${loc}`;
+        return [
+          { url: `${baseUrl}${prefix || '/'}`, lastModified: new Date(), priority: 1 },
+          { url: `${baseUrl}${prefix}/products`, lastModified: new Date(), priority: 0.9 },
+        ];
+      })
+    : [
+        { url: baseUrl, lastModified: new Date(), priority: 1 },
+        { url: `${baseUrl}/products`, lastModified: new Date(), priority: 0.9 },
+      ];
 
   try {
-    const client = getServerClient();
     const { data: products } = await client.getProducts({ limit: 1000 });
-    const productPages: MetadataRoute.Sitemap = products.map((product) => ({
-      url: `${baseUrl}/products/${product.slug}`,
-      lastModified: product.updatedAt ? new Date(product.updatedAt) : new Date(),
-      priority: 0.8,
-    }));
+
+    const productPages: MetadataRoute.Sitemap = products.flatMap((product) => {
+      const baseSlug = product.slug || product.id;
+      const localeSlugs = product.localeSlugs ?? {};
+      const lastMod = product.updatedAt ? new Date(product.updatedAt) : new Date();
+
+      if (!isMultiLocale) {
+        return [{ url: `${baseUrl}/products/${baseSlug}`, lastModified: lastMod, priority: 0.8 }];
+      }
+
+      return supportedLocales.map((loc) => {
+        const locSlug = localeSlugs[loc] || baseSlug;
+        const path = loc === defaultLoc ? `/products/${locSlug}` : `/${loc}/products/${locSlug}`;
+        return { url: `${baseUrl}${path}`, lastModified: lastMod, priority: 0.8 };
+      });
+    });
 
     return [...staticPages, ...productPages];
   } catch {