fontdue-js 3.0.0-alpha7 → 3.0.0-alpha8

package/dist/__tests__/nextAdapter.test.js

@@ -0,0 +1,307 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
+// The next adapter modules read process.env at module load, so each test
+// group stubs the env and re-imports them fresh.
+async function importTenant() {
+  return await import("../next/tenant.js");
+}
+async function importConfig() {
+  return await import("../next/config.js");
+}
+async function importRevalidate() {
+  return await import("../next/revalidate.js");
+}
+const revalidateTag = vi.fn();
+vi.mock('next/cache', () => ({
+  revalidateTag: tag => revalidateTag(tag)
+}));
+beforeEach(() => {
+  vi.resetModules();
+  revalidateTag.mockClear();
+  vi.unstubAllEnvs();
+});
+function stubSingleTenant() {
+  let url = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : 'https://acme.fontdue.com';
+  vi.stubEnv('NEXT_PUBLIC_FONTDUE_URL', url);
+  vi.stubEnv('FONTDUE_MULTI_TENANT', '');
+  vi.stubEnv('FONTDUE_ORIGIN', '');
+  vi.stubEnv('FONTDUE_PROXY_SECRET', '');
+}
+function stubMultiTenant() {
+  let {
+    origin = '',
+    secret = ''
+  } = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
+  vi.stubEnv('NEXT_PUBLIC_FONTDUE_URL', '');
+  vi.stubEnv('FONTDUE_MULTI_TENANT', '1');
+  vi.stubEnv('FONTDUE_ORIGIN', origin);
+  vi.stubEnv('FONTDUE_PROXY_SECRET', secret);
+}
+describe('isValidDomain', () => {
+  it('accepts plain dotted hostnames and rejects everything else', async () => {
+    stubMultiTenant();
+    const {
+      isValidDomain
+    } = await importTenant();
+    expect(isValidDomain('acme.fontdue.com')).toBe(true);
+    expect(isValidDomain('a-b.example')).toBe(true);
+    expect(isValidDomain('localhost')).toBe(false); // no dot
+    expect(isValidDomain('acme.fontdue.com:3000')).toBe(false); // port
+    expect(isValidDomain('acme.fontdue.com/x')).toBe(false); // path
+    expect(isValidDomain('-bad.example')).toBe(false);
+    expect(isValidDomain('a'.repeat(254) + '.example')).toBe(false);
+  });
+});
+describe('fontdueEndpoint', () => {
+  it('single-tenant: targets NEXT_PUBLIC_FONTDUE_URL with no headers', async () => {
+    stubSingleTenant('https://acme.fontdue.com');
+    const {
+      fontdueEndpoint
+    } = await importTenant();
+    expect(fontdueEndpoint('acme.fontdue.com')).toEqual({
+      origin: 'https://acme.fontdue.com',
+      headers: {},
+      tags: ['graphql', 'graphql:acme.fontdue.com']
+    });
+  });
+  it('single-tenant: throws when NEXT_PUBLIC_FONTDUE_URL is missing', async () => {
+    vi.stubEnv('NEXT_PUBLIC_FONTDUE_URL', '');
+    vi.stubEnv('FONTDUE_MULTI_TENANT', '');
+    const {
+      fontdueEndpoint
+    } = await importTenant();
+    expect(() => fontdueEndpoint('acme.fontdue.com')).toThrow(/NEXT_PUBLIC_FONTDUE_URL/);
+  });
+  it('multi-tenant: forwards the host to FONTDUE_ORIGIN with the proxy secret', async () => {
+    stubMultiTenant({
+      origin: 'http://app:4000',
+      secret: 's3cret'
+    });
+    const {
+      fontdueEndpoint
+    } = await importTenant();
+    expect(fontdueEndpoint('acme.fontdue.com')).toEqual({
+      origin: 'http://app:4000',
+      headers: {
+        'x-forwarded-host': 'acme.fontdue.com',
+        'x-fontdue-proxy-secret': 's3cret'
+      },
+      tags: ['graphql', 'graphql:acme.fontdue.com']
+    });
+  });
+  it('multi-tenant: omits the secret header when unset', async () => {
+    stubMultiTenant({
+      origin: 'http://app:4000'
+    });
+    const {
+      fontdueEndpoint
+    } = await importTenant();
+    expect(fontdueEndpoint('acme.fontdue.com').headers).toEqual({
+      'x-forwarded-host': 'acme.fontdue.com'
+    });
+  });
+  it('multi-tenant: falls back to the tenant public URL without FONTDUE_ORIGIN', async () => {
+    stubMultiTenant();
+    const {
+      fontdueEndpoint
+    } = await importTenant();
+    expect(fontdueEndpoint('acme.fontdue.com').origin).toBe('https://acme.fontdue.com');
+  });
+});
+describe('configureFontdueRender', () => {
+  it('rejects invalid domains with null and sets no config', async () => {
+    stubMultiTenant({
+      origin: 'http://app:4000'
+    });
+    const {
+      configureFontdueRender
+    } = await importTenant();
+    const {
+      getFontdueServerConfig
+    } = await import("../relay/serverConfig.js");
+    expect(configureFontdueRender('not a domain')).toBeNull();
+    expect(getFontdueServerConfig()).toBeUndefined();
+  });
+  it('sets the per-render server config and returns the endpoint', async () => {
+    stubMultiTenant({
+      origin: 'http://app:4000',
+      secret: 's3cret'
+    });
+    const {
+      configureFontdueRender
+    } = await importTenant();
+    const {
+      getFontdueServerConfig
+    } = await import("../relay/serverConfig.js");
+    const endpoint = configureFontdueRender('acme.fontdue.com');
+    expect(endpoint === null || endpoint === void 0 ? void 0 : endpoint.origin).toBe('http://app:4000');
+    // Outside an RSC render React.cache doesn't memoize, so the write is a
+    // no-op here — but the config passed must still be shaped correctly, so
+    // assert via fontdueServerConfig instead.
+    const {
+      fontdueServerConfig
+    } = await importTenant();
+    expect(fontdueServerConfig('acme.fontdue.com')).toEqual({
+      url: 'http://app:4000',
+      headers: {
+        'x-forwarded-host': 'acme.fontdue.com',
+        'x-fontdue-proxy-secret': 's3cret'
+      },
+      cacheTags: ['graphql:acme.fontdue.com']
+    });
+  });
+});
+describe('withFontdue', () => {
+  it('throws when neither mode is configured', async () => {
+    vi.stubEnv('NEXT_PUBLIC_FONTDUE_URL', '');
+    vi.stubEnv('FONTDUE_MULTI_TENANT', '');
+    const {
+      withFontdue
+    } = await importConfig();
+    expect(() => withFontdue({})).toThrow(/NEXT_PUBLIC_FONTDUE_URL/);
+  });
+  it('single-tenant: rewrites every path under the constant domain', async () => {
+    stubSingleTenant('https://acme.fontdue.com');
+    const {
+      withFontdue
+    } = await importConfig();
+    const rewrites = await withFontdue({}).rewrites();
+    expect(rewrites.afterFiles).toEqual([]);
+    expect(rewrites.fallback).toEqual([]);
+    const destinations = rewrites.beforeFiles.map(r => r.destination);
+    expect(destinations).toEqual(['/acme.fontdue.com', '/acme.fontdue.com/robots.txt', '/acme.fontdue.com/sitemap.xml', '/acme.fontdue.com/:path']);
+  });
+  it('multi-tenant: emits forwarded-host rules before host rules, mutually exclusive', async () => {
+    stubMultiTenant();
+    const {
+      withFontdue
+    } = await importConfig();
+    const rewrites = await withFontdue({}).rewrites();
+    expect(rewrites.beforeFiles).toHaveLength(8);
+    const [forwarded, hostBased] = [rewrites.beforeFiles.slice(0, 4), rewrites.beforeFiles.slice(4)];
+    for (const rule of forwarded) {
+      var _rule$has;
+      expect((_rule$has = rule.has) === null || _rule$has === void 0 ? void 0 : _rule$has[0]).toMatchObject({
+        type: 'header',
+        key: 'x-forwarded-host'
+      });
+      expect(rule.missing).toBeUndefined();
+    }
+    for (const rule of hostBased) {
+      var _rule$has2, _rule$missing;
+      expect((_rule$has2 = rule.has) === null || _rule$has2 === void 0 ? void 0 : _rule$has2[0]).toMatchObject({
+        type: 'host'
+      });
+      expect((_rule$missing = rule.missing) === null || _rule$missing === void 0 ? void 0 : _rule$missing[0]).toMatchObject({
+        type: 'header',
+        key: 'x-forwarded-host'
+      });
+    }
+  });
+  it("chains the app's beforeFiles rules ahead of the tenant rules", async () => {
+    stubSingleTenant();
+    const {
+      withFontdue
+    } = await importConfig();
+    const userRule = {
+      source: '/old',
+      destination: '/new'
+    };
+    const config = withFontdue({
+      rewrites: async () => ({
+        beforeFiles: [userRule]
+      })
+    });
+    const rewrites = await config.rewrites();
+    expect(rewrites.beforeFiles[0]).toEqual(userRule);
+    expect(rewrites.beforeFiles).toHaveLength(5);
+  });
+  it("treats a plain-array rewrites() result as afterFiles, per Next's contract", async () => {
+    stubSingleTenant();
+    const {
+      withFontdue
+    } = await importConfig();
+    const userRule = {
+      source: '/old',
+      destination: '/new'
+    };
+    const rewrites = await withFontdue({
+      rewrites: async () => [userRule]
+    }).rewrites();
+    expect(rewrites.afterFiles).toEqual([userRule]);
+    expect(rewrites.beforeFiles).toHaveLength(4);
+  });
+  it('merges image settings, keeping app remotePatterns and overrides', async () => {
+    stubMultiTenant();
+    const {
+      withFontdue
+    } = await importConfig();
+    const config = withFontdue({
+      images: {
+        dangerouslyAllowSVG: false,
+        remotePatterns: [{
+          protocol: 'https',
+          hostname: 'cdn.example'
+        }]
+      }
+    });
+    expect(config.images.dangerouslyAllowSVG).toBe(false);
+    // NODE_ENV is 'test' here, i.e. not production → dev workaround active.
+    expect(config.images.unoptimized).toBe(true);
+    const hostnames = config.images.remotePatterns.map(p => p.hostname);
+    expect(hostnames).toContain('cdn.example');
+    expect(hostnames).toContain('*.fontdue.com');
+    expect(hostnames).toContain('**');
+  });
+  it('passes unrelated config through and defaults htmlLimitedBots', async () => {
+    stubSingleTenant();
+    const {
+      withFontdue
+    } = await importConfig();
+    const config = withFontdue({
+      reactStrictMode: true
+    });
+    expect(config.reactStrictMode).toBe(true);
+    expect(config.htmlLimitedBots).toEqual(/.*/);
+    expect(withFontdue({
+      htmlLimitedBots: /Googlebot/
+    }).htmlLimitedBots).toEqual(/Googlebot/);
+  });
+});
+describe('revalidate POST', () => {
+  it('multi-tenant: purges only the tenant tag', async () => {
+    stubMultiTenant();
+    const {
+      POST
+    } = await importRevalidate();
+    const response = await POST(new Request('http://internal/api/revalidate?domain=Acme.Fontdue.com', {
+      method: 'POST'
+    }));
+    expect(response.status).toBe(200);
+    expect(revalidateTag).toHaveBeenCalledExactlyOnceWith('graphql:acme.fontdue.com');
+  });
+  it('multi-tenant: 400s on a missing or invalid domain', async () => {
+    stubMultiTenant();
+    const {
+      POST
+    } = await importRevalidate();
+    for (const url of ['http://internal/api/revalidate', 'http://internal/api/revalidate?domain=not%20a%20domain']) {
+      const response = await POST(new Request(url, {
+        method: 'POST'
+      }));
+      expect(response.status).toBe(400);
+    }
+    expect(revalidateTag).not.toHaveBeenCalled();
+  });
+  it('single-tenant: purges the global graphql tag', async () => {
+    stubSingleTenant();
+    const {
+      POST
+    } = await importRevalidate();
+    const response = await POST(new Request('http://internal/api/revalidate', {
+      method: 'POST'
+    }));
+    expect(response.status).toBe(200);
+    expect(revalidateTag).toHaveBeenCalledExactlyOnceWith('graphql');
+  });
+});

package/dist/next/config.d.ts

@@ -0,0 +1,45 @@
+interface RouteHas {
+    type: 'header' | 'query' | 'cookie' | 'host';
+    key?: string;
+    value?: string;
+}
+interface Rewrite {
+    source: string;
+    destination: string;
+    has?: RouteHas[];
+    missing?: RouteHas[];
+}
+interface RewriteGroups {
+    beforeFiles: Rewrite[];
+    afterFiles: Rewrite[];
+    fallback: Rewrite[];
+}
+type RewritesResult = Rewrite[] | Partial<RewriteGroups>;
+interface NextConfigLike {
+    rewrites?: () => Promise<RewritesResult> | RewritesResult;
+    images?: {
+        remotePatterns?: unknown[];
+        [key: string]: unknown;
+    };
+    [key: string]: unknown;
+}
+export declare function tenantRewrites(): Rewrite[];
+export declare function withFontdue<C extends NextConfigLike>(nextConfig?: C): C & {
+    rewrites(): Promise<{
+        beforeFiles: Rewrite[];
+        afterFiles: Rewrite[];
+        fallback: Rewrite[];
+    }>;
+    images: {
+        remotePatterns: unknown[];
+        dangerouslyAllowSVG: boolean;
+        loader: "custom";
+        loaderFile: string;
+    } | {
+        remotePatterns: unknown[];
+        dangerouslyAllowSVG: boolean;
+        unoptimized: boolean;
+    };
+    htmlLimitedBots: RegExp;
+};
+export {};

package/dist/next/config.js

@@ -0,0 +1,180 @@
+// withFontdue(nextConfig): next.config wrapper that installs everything a
+// Fontdue storefront needs — host→path tenant rewrites, image settings, and
+// workarounds for Next behaviors that would otherwise break Fontdue pages.
+// Import it from next.config.mjs (this package is ESM):
+//
+//   import { withFontdue } from 'fontdue-js/next/config';
+//   export default withFontdue({ /* your config */ });
+//
+// This module is evaluated at config-load time, so it must not import React,
+// Relay, or anything else from the component tree.
+
+import { relative } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// Minimal structural types so this module doesn't need `next` installed to
+// type-check; the shapes match next/dist/lib/load-custom-routes.
+
+// Every page lives under the /[domain]/... route tree so Next renders and
+// caches each tenant's pages independently. These rewrites turn the request's
+// host into that leading path segment:
+//
+//   acme.fontdue.com/fonts/foo  →  /acme.fontdue.com/fonts/foo (internal)
+//
+// In single-tenant mode the domain is constant (from NEXT_PUBLIC_FONTDUE_URL)
+// so the app behaves exactly like a plain single-site Next app.
+//
+// This is done with config rewrites rather than middleware on purpose:
+// middleware rewrites bypass the ISR page cache on self-hosted next start,
+// turning every request into a full render. beforeFiles rewrites go through
+// the normal routing layer and keep per-tenant ISR working. (beforeFiles also
+// runs before app routes are matched, so the internal /[domain] paths can't
+// be reached directly with a mismatching Host — /evil.com on acme's domain
+// becomes /acme.fontdue.com/evil.com, which 404s.)
+//
+// X-Forwarded-Host (set by the Fontdue proxy in front of this service) wins
+// over Host. The hostname charset is constrained in the patterns; anything
+// else falls through to a 404.
+//
+// beforeFiles rules CHAIN: each rule is evaluated in order against the
+// already-rewritten path, so a rewrite must produce a path no later rule can
+// match. Tenant domains always contain a dot, so the catch-all path rule
+// refuses any path whose first segment contains a dot — that makes the
+// rewritten /acme.fontdue.com/... inert. robots.txt and sitemap.xml (dotted
+// first segments we DO want to serve) get their own explicit rules, which run
+// first. Side effect: a page slug containing a dot can't be routed at the
+// top level.
+const TENANT_HOST = '(?<tenant>[a-zA-Z0-9][a-zA-Z0-9.-]*)';
+const DOTLESS_PATH = '/:path((?!api/|_next/|favicon\\.ico)(?![^/]*\\.[^/]*(?:/|$)).*)';
+
+// One rule set rewriting onto `dest` (either a fixed /domain or the /:tenant
+// capture from `has`). `conditions` is {has?, missing?}.
+function rewriteRules(dest) {
+  let conditions = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  return [{
+    source: '/',
+    destination: dest,
+    ...conditions
+  }, {
+    source: '/robots.txt',
+    destination: `${dest}/robots.txt`,
+    ...conditions
+  }, {
+    source: '/sitemap.xml',
+    destination: `${dest}/sitemap.xml`,
+    ...conditions
+  }, {
+    source: DOTLESS_PATH,
+    destination: `${dest}/:path`,
+    ...conditions
+  }];
+}
+export function tenantRewrites() {
+  const fontdueUrl = process.env.NEXT_PUBLIC_FONTDUE_URL;
+  const isMultiTenant = process.env.FONTDUE_MULTI_TENANT === '1';
+  if (!isMultiTenant) {
+    return rewriteRules(`/${new URL(fontdueUrl).host}`);
+  }
+  const forwardedHost = {
+    type: 'header',
+    key: 'x-forwarded-host',
+    value: `${TENANT_HOST}(:.*)?`
+  };
+  const noForwardedHost = {
+    type: 'header',
+    key: 'x-forwarded-host'
+  };
+  const host = {
+    type: 'host',
+    value: TENANT_HOST
+  };
+  return [...rewriteRules('/:tenant', {
+    has: [forwardedHost]
+  }),
+  // Host-based rules only apply when X-Forwarded-Host is absent, so the
+  // two sets can't both rewrite one request.
+  ...rewriteRules('/:tenant', {
+    has: [host],
+    missing: [noForwardedHost]
+  })];
+}
+async function resolveRewrites(rewrites) {
+  const result = (await (rewrites === null || rewrites === void 0 ? void 0 : rewrites())) ?? [];
+  // A plain array from rewrites() is afterFiles, per Next's contract.
+  if (Array.isArray(result)) {
+    return {
+      beforeFiles: [],
+      afterFiles: result,
+      fallback: []
+    };
+  }
+  return {
+    beforeFiles: result.beforeFiles ?? [],
+    afterFiles: result.afterFiles ?? [],
+    fallback: result.fallback ?? []
+  };
+}
+export function withFontdue() {
+  let nextConfig = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
+  const fontdueUrl = process.env.NEXT_PUBLIC_FONTDUE_URL;
+  const isMultiTenant = process.env.FONTDUE_MULTI_TENANT === '1';
+  if (!isMultiTenant && !fontdueUrl) {
+    throw new Error('Set NEXT_PUBLIC_FONTDUE_URL (single-tenant) or FONTDUE_MULTI_TENANT=1 (multi-tenant).');
+  }
+  const userImages = nextConfig.images ?? {};
+  return {
+    ...nextConfig,
+    async rewrites() {
+      const user = await resolveRewrites(nextConfig.rewrites);
+      return {
+        // App rules run first, against the public (pre-tenant) path; because
+        // beforeFiles rules chain, a dotless path they produce is then
+        // prefixed by the tenant rules like any direct request. afterFiles
+        // and fallback rules run after the tenant prefix is applied, so
+        // their sources must match the internal /[domain]/... form.
+        beforeFiles: [...user.beforeFiles, ...tenantRewrites()],
+        afterFiles: user.afterFiles,
+        fallback: user.fallback
+      };
+    },
+    images: {
+      // With a Cloudflare image transformation host configured, optimization
+      // moves to its edge (image-loader.ts) and the in-process optimizer —
+      // and sharp — stay out of the deployment entirely. The host must be in
+      // the env at build time (the loader is inlined into the client bundle)
+      // as well as at serve time (this config runs again under next start).
+      //
+      // Without one, in multi-tenant dev the GraphQL origin is typically a
+      // container or tunnel from which tenant hostnames don't resolve
+      // publicly, so the optimizer can't fetch the originals — serve them
+      // unoptimized there.
+      ...(process.env.NEXT_PUBLIC_FONTDUE_IMAGE_HOST ? {
+        loader: 'custom',
+        // Next resolves loaderFile against the project root and rejects
+        // absolute paths, so point into this package relative to cwd.
+        loaderFile: relative(process.cwd(), fileURLToPath(new URL('./image-loader.js', import.meta.url)))
+      } : {
+        unoptimized: isMultiTenant && process.env.NODE_ENV !== 'production'
+      }),
+      dangerouslyAllowSVG: true,
+      ...userImages,
+      remotePatterns: [...(fontdueUrl ? [{
+        protocol: 'https',
+        hostname: new URL(fontdueUrl).hostname
+      }] : []), {
+        protocol: 'https',
+        hostname: '*.fontdue.com'
+      },
+      // Multi-tenant: logos and images can live on any tenant custom
+      // domain. The URLs all come from the Fontdue CMS, not user input.
+      ...(isMultiTenant ? [{
+        protocol: 'https',
+        hostname: '**'
+      }] : []), ...(userImages.remotePatterns ?? [])]
+    },
+    // Treat every user agent as HTML-limited so metadata rendering blocks
+    // the response. Streamed metadata locks in a 200 status before
+    // generateMetadata's notFound() can produce a real 404.
+    htmlLimitedBots: nextConfig.htmlLimitedBots ?? /.*/
+  };
+}

package/dist/next/image-loader.d.ts

@@ -0,0 +1,7 @@
+interface ImageLoaderProps {
+    src: string;
+    width: number;
+    quality?: number;
+}
+export default function fontdueImageLoader({ src, width, quality, }: ImageLoaderProps): string;
+export {};

package/dist/next/image-loader.js

@@ -0,0 +1,39 @@
+// Custom next/image loader that serves images through a Cloudflare image
+// transformation host (developers.cloudflare.com/images/transform-images)
+// instead of the in-process Next optimizer, so the deployment needs neither
+// the /_next/image endpoint nor sharp. withFontdue activates it when
+// NEXT_PUBLIC_FONTDUE_IMAGE_HOST is set; see config.ts.
+//
+// NEXT_PUBLIC_FONTDUE_IMAGE_ORIGINS (comma-separated hostnames) should
+// mirror the transformation host's allowed-origins list. Sources on other
+// hosts — e.g. the /logo endpoint a site serves from its own (possibly
+// customer-owned) domain, which can't be allowlisted — are served as-is
+// rather than as transform URLs Cloudflare would refuse (ERROR 9401).
+//
+// Next bundles this file into the client build and inlines the NEXT_PUBLIC_
+// reads at build time, so it must stay dependency-free, and the variables
+// have to be present when `next build` runs (not just at serve time).
+
+function transformable(src) {
+  const origins = process.env.NEXT_PUBLIC_FONTDUE_IMAGE_ORIGINS;
+  if (!origins) return true;
+  let hostname;
+  try {
+    hostname = new URL(src).hostname;
+  } catch {
+    return false;
+  }
+  return origins.split(',').some(origin => origin.trim() === hostname);
+}
+export default function fontdueImageLoader(_ref) {
+  let {
+    src,
+    width,
+    quality
+  } = _ref;
+  const host = process.env.NEXT_PUBLIC_FONTDUE_IMAGE_HOST;
+  // No transform host, a local asset it couldn't fetch, or a source outside
+  // its allowed origins: serve the original, like `unoptimized`.
+  if (!host || src.startsWith('/') || !transformable(src)) return src;
+  return `https://${host}/cdn-cgi/image/width=${width},quality=${quality ?? 75},format=auto/${src}`;
+}

package/dist/next/index.d.ts

@@ -0,0 +1,2 @@
+export { isMultiTenant, isValidDomain, fontdueEndpoint, fallbackSiteUrl, fontdueServerConfig, configureFontdueRender, type FontdueEndpoint, } from './tenant.js';
+export { setFontdueServerConfig, getFontdueServerConfig, type FontdueServerConfig, } from '../relay/serverConfig.js';

package/dist/next/index.js

@@ -0,0 +1,10 @@
+// Server-side entrypoint for Next.js apps (the App Router / RSC adapter).
+// The config-time wrapper lives in 'fontdue-js/next/config' and the deploy
+// hook route handler in 'fontdue-js/next/revalidate'.
+
+export { isMultiTenant, isValidDomain, fontdueEndpoint, fallbackSiteUrl, fontdueServerConfig, configureFontdueRender } from './tenant.js';
+
+// The per-render config store consumed by fontdue-js's own server-side
+// fetches. configureFontdueRender covers the common case; these are exported
+// for apps that need to set or inspect the config directly.
+export { setFontdueServerConfig, getFontdueServerConfig } from '../relay/serverConfig.js';

package/dist/next/revalidate.d.ts

@@ -0,0 +1 @@
+export declare function POST(request: Request): Promise<Response>;

package/dist/next/revalidate.js

@@ -0,0 +1,37 @@
+// Route handler for Fontdue's deploy hook: re-export it from
+// app/api/revalidate/route.ts:
+//
+//   export { POST } from 'fontdue-js/next/revalidate';
+//
+// Fontdue calls it when a site's content changes. Multi-tenant deployments
+// receive the tenant in the URL, e.g.
+//   POST /api/revalidate?domain=acme.fontdue.com
+// and only that tenant's cache is purged (pages and embed data share the
+// per-domain tag — see fontdueEndpoint/fontdueServerConfig in ./tenant).
+// Single-tenant deployments use the parameterless form and purge everything
+// carrying the 'graphql' tag.
+
+import { revalidateTag } from 'next/cache';
+import { isMultiTenant, isValidDomain } from './tenant.js';
+export async function POST(request) {
+  var _URL$searchParams$get;
+  const domain = (_URL$searchParams$get = new URL(request.url).searchParams.get('domain')) === null || _URL$searchParams$get === void 0 ? void 0 : _URL$searchParams$get.toLowerCase();
+  if (isMultiTenant) {
+    if (!domain || !isValidDomain(domain)) {
+      return Response.json({
+        revalidated: false,
+        error: 'Missing or invalid ?domain='
+      }, {
+        status: 400
+      });
+    }
+    revalidateTag(`graphql:${domain}`);
+  } else {
+    revalidateTag('graphql');
+  }
+  return Response.json({
+    revalidated: true,
+    domain,
+    now: Date.now()
+  });
+}

package/dist/next/tenant.d.ts

@@ -0,0 +1,18 @@
+import { type FontdueServerConfig } from '../relay/serverConfig.js';
+export declare const isMultiTenant: boolean;
+export declare function isValidDomain(domain: string): boolean;
+export interface FontdueEndpoint {
+    /** Base URL the app's own GraphQL fetches should target. */
+    origin: string;
+    /** Headers the Fontdue server needs to resolve the tenant. */
+    headers: Record<string, string>;
+    /**
+     * Cache tags for the app's own fetch calls (pass as `next: { tags }`), so
+     * the revalidate handler (see ./revalidate) can purge one site at a time.
+     */
+    tags: string[];
+}
+export declare function fontdueEndpoint(domain: string): FontdueEndpoint;
+export declare function fallbackSiteUrl(domain: string): string;
+export declare function fontdueServerConfig(domain: string): FontdueServerConfig;
+export declare function configureFontdueRender(domain: string): FontdueEndpoint | null;

package/dist/next/tenant.js

@@ -0,0 +1,105 @@
+// Tenant/mode resolution for Next.js apps. An app using this adapter runs in
+// one of two modes:
+//
+// - Single-tenant (default): NEXT_PUBLIC_FONTDUE_URL points at one Fontdue
+//   site and every request renders that site.
+//
+// - Multi-tenant (FONTDUE_MULTI_TENANT=1): the tenant is derived per request
+//   from the (forwarded) Host header, and one deployment serves every
+//   tenant. The rewrites installed by withFontdue (see ./config) turn each
+//   request into the /[domain]/... route tree so pages are rendered and
+//   cached per domain.
+//
+// In multi-tenant mode, GraphQL is fetched from FONTDUE_ORIGIN (the internal
+// Fontdue server, e.g. http://localhost:4000 when running next to it) with
+// the tenant's domain forwarded via X-Forwarded-Host, authenticated by the
+// FONTDUE_PROXY_SECRET shared secret (the Fontdue server refuses to trust
+// X-Forwarded-Host without it). Without FONTDUE_ORIGIN it falls back to
+// fetching the tenant's public URL directly, which is useful for local
+// development against live sites.
+//
+// The fontdue-js components embedded in pages fetch the same way: their
+// server-side preloads read the per-render config set by
+// configureFontdueRender, and in the browser they fetch the relative
+// /graphql on the page's own origin — so multi-tenant mode needs no
+// NEXT_PUBLIC_FONTDUE_URL at all.
+
+import { setFontdueServerConfig } from '../relay/serverConfig.js';
+export const isMultiTenant = process.env.FONTDUE_MULTI_TENANT === '1';
+const singleTenantUrl = process.env.NEXT_PUBLIC_FONTDUE_URL;
+const internalOrigin = process.env.FONTDUE_ORIGIN;
+const proxySecret = process.env.FONTDUE_PROXY_SECRET;
+
+// Hostnames only: letters/digits/hyphens/dots, no path or port. Anything else
+// is rejected before it can reach the GraphQL fetch or the filesystem cache.
+const DOMAIN_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;
+export function isValidDomain(domain) {
+  return domain.length <= 253 && DOMAIN_RE.test(domain);
+}
+// Where to fetch GraphQL for a given tenant domain, plus any headers needed
+// for the Fontdue server to resolve that tenant.
+export function fontdueEndpoint(domain) {
+  const tags = ['graphql', `graphql:${domain}`];
+  if (!isMultiTenant) {
+    if (!singleTenantUrl) {
+      throw new Error('fontdue-js/next: set NEXT_PUBLIC_FONTDUE_URL (single-tenant) or FONTDUE_MULTI_TENANT=1 (multi-tenant).');
+    }
+    return {
+      origin: singleTenantUrl,
+      headers: {},
+      tags
+    };
+  }
+  if (internalOrigin) {
+    return {
+      origin: internalOrigin,
+      headers: {
+        'x-forwarded-host': domain,
+        ...(proxySecret ? {
+          'x-fontdue-proxy-secret': proxySecret
+        } : {})
+      },
+      tags
+    };
+  }
+  return {
+    origin: `https://${domain}`,
+    headers: {},
+    tags
+  };
+}
+
+// metadataBase / sitemap fallback when the site URL setting is empty.
+export function fallbackSiteUrl(domain) {
+  return isMultiTenant ? `https://${domain}` : 'http://localhost:3000';
+}
+
+// Per-render config for fontdue-js's own server-side fetches: same endpoint
+// and headers as the app's fetches, plus the per-domain cache tag so the
+// revalidate handler purges embed data (theme config, type testers, store)
+// along with the pages. ('graphql' itself is added by the network layer.)
+export function fontdueServerConfig(domain) {
+  const {
+    origin,
+    headers
+  } = fontdueEndpoint(domain);
+  return {
+    url: origin,
+    headers,
+    cacheTags: [`graphql:${domain}`]
+  };
+}
+
+// The one call a data helper needs at the top of every page render:
+// validates the request-derived domain (null means "treat as 404"), then
+// points fontdue-js's server-side fetches at the tenant's endpoint for the
+// rest of this render pass.
+//
+// Call it in a data helper every page goes through, not only in the root
+// layout: an App Router soft navigation re-renders just the page segment,
+// and the per-render config store starts empty on every pass.
+export function configureFontdueRender(domain) {
+  if (!isValidDomain(domain)) return null;
+  setFontdueServerConfig(fontdueServerConfig(domain));
+  return fontdueEndpoint(domain);
+}

package/dist/relay/environment.js

@@ -4,7 +4,7 @@ import { getFontdueServerConfig } from './serverConfig.js';
 
 // `__FONTDUE_JS_VERSION__` is replaced by an inline babel plugin
 // (defineVersionPlugin in .babelrc.cjs) with the literal package.json#version.
-const version = "3.0.0-alpha7";
+const version = "3.0.0-alpha8";
 const IS_SERVER = typeof window === typeof undefined;
 
 // Read env from either process.env (Node/Next.js) or import.meta.env (Vite/Astro).

package/dist/vite.js

@@ -79,7 +79,9 @@ function getFontdueJsSubpaths() {
   for (const key of Object.keys(pkg.exports ?? {})) {
     if (!key.startsWith('./')) continue;
     if (key.endsWith('.css')) continue;
+    // Build-config and server-only entrypoints never reach a browser bundle.
     if (key === './vite') continue;
+    if (key === './next' || key.startsWith('./next/')) continue;
     out.push(`fontdue-js/${key.slice(2)}`);
   }
   return out;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fontdue-js",
-  "version": "3.0.0-alpha7",
+  "version": "3.0.0-alpha8",
   "type": "module",
   "scripts": {
     "build": "npm run relay && run-p build-js build-css build-ts",
@@ -82,7 +82,10 @@
   },
   "exports": {
     ".": "./dist/index.js",
-    "./server": "./dist/relay/serverConfig.js",
+    "./next": "./dist/next/index.js",
+    "./next/config": "./dist/next/config.js",
+    "./next/revalidate": "./dist/next/revalidate.js",
+    "./next/image-loader": "./dist/next/image-loader.js",
     "./fontdue.css": "./dist/fontdue.css",
     "./BuyButton": {
       "react-server": "./dist/components/BuyButton/index.server.js",

package/types/next-cache.d.ts

@@ -0,0 +1,6 @@
+// Minimal declaration so src/next/revalidate.ts type-checks without `next`
+// installed (it's the host app's dependency; this package only ever runs the
+// import inside a Next.js server).
+declare module 'next/cache' {
+  export function revalidateTag(tag: string): void;
+}