remote-components 0.3.5 → 0.3.6

package/dist/host/proxy/client.cjs

@@ -1,36 +1,7 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/host/proxy/client.ts
-var client_exports = {};
-__export(client_exports, {
-  routeThroughHostProxy: () => routeThroughHostProxy
-});
-module.exports = __toCommonJS(client_exports);
-
-// src/utils/constants.ts
-var RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
+"use strict";Object.defineProperty(exports, "__esModule", {value: true});
 
-// src/runtime/url/protected-rc-fallback.ts
-function generateProtectedRcFallbackSrc(url) {
-  return `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${encodeURIComponent(url)}`;
-}
+var _chunkKE7QPAQ4cjs = require('../../chunk-KE7QPAQ4.cjs');
+require('../../chunk-SHFJ5OQA.cjs');
 
 // src/host/proxy/client.ts
 var routeThroughHostProxy = (remoteSrc, url) => {
@@ -44,14 +15,13 @@ var routeThroughHostProxy = (remoteSrc, url) => {
   try {
     const parsed = new URL(url, location.href);
     if (parsed.origin === remoteOrigin) {
-      return generateProtectedRcFallbackSrc(url);
+      return _chunkKE7QPAQ4cjs.generateProtectedRcFallbackSrc.call(void 0, url);
     }
-  } catch {
+  } catch (e) {
   }
   return void 0;
 };
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  routeThroughHostProxy
-});
+
+
+exports.routeThroughHostProxy = routeThroughHostProxy;
 //# sourceMappingURL=client.cjs.map

package/dist/host/proxy/client.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/host/proxy/client.ts","../../../src/utils/constants.ts","../../../src/runtime/url/protected-rc-fallback.ts"],"sourcesContent":["import { generateProtectedRcFallbackSrc } from '../../runtime/url/protected-rc-fallback';\n\n/**\n * Called before each asset fetch (scripts, styles, chunks, images) for a remote component.\n * Return a rewritten URL string to redirect the fetch, or undefined to use the original URL.\n *\n * @param remoteSrc - The `src` of the remote component\n * @param url - The asset URL about to be fetched\n */\nexport type ResolveClientUrl = (\n  remoteSrc: string,\n  url: string,\n) => string | undefined;\n\n/**\n * A `ResolveClientUrl` that routes cross-origin remote component asset requests\n * through the host's `/rc-fetch-protected-remote` endpoint. Same-origin URLs pass through unchanged.\n *\n * Use this on Vercel preview deployments where deployment protection would otherwise\n * block direct cross-origin fetches — routing through the host means requests carry\n * the host's auth cookies.\n *\n * Requires `withRemoteComponentsHostProxy` on the host side to handle the proxied requests.\n *\n * @example\n * ```tsx\n * import { routeThroughHostProxy } from 'remote-components/host/proxy/client';\n *\n * <ConsumeRemoteComponent\n *   src=\"https://remote-app.com/components/header\"\n *   resolveClientUrl={routeThroughHostProxy}\n * />\n * ```\n */\nexport const routeThroughHostProxy: ResolveClientUrl = (remoteSrc, url) => {\n  if (typeof location === 'undefined') {\n    return undefined;\n  }\n  const remoteOrigin = new URL(remoteSrc, location.href).origin;\n  if (remoteOrigin === location.origin) {\n    return undefined;\n  }\n  try {\n    const parsed = new URL(url, location.href);\n    if (parsed.origin === remoteOrigin) {\n      return generateProtectedRcFallbackSrc(url);\n    }\n  } catch {\n    // If URL parsing fails, return undefined to use the original\n  }\n  return undefined;\n};\n","export const RC_PROTECTED_REMOTE_FETCH_PATHNAME = '/rc-fetch-protected-remote';\n\nexport const MISSING_SHARED_MODULES_MESSAGE =\n  'Remote Components shared modules not found. Did you forget to wrap your config with `withRemoteComponentsConfig` on both host and remote?';\n\nexport const CORS_DOCS_URL =\n  'https://vercel.com/docs/remote-components/concepts/cors-external-urls#accessing-cross-site-protected-remote-components';\n","import { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '#internal/utils/constants';\n\n/**\n * Generates a fallback URL that proxies the request through the host's protected remote fetch endpoint\n */\nexport function generateProtectedRcFallbackSrc(url: string): string {\n  return `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${encodeURIComponent(url)}`;\n}\n\nexport function isProxiedUrl(url: string): boolean {\n  try {\n    return (\n      new URL(url, location.href).pathname ===\n      RC_PROTECTED_REMOTE_FETCH_PATHNAME\n    );\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAO,IAAM,qCAAqC;;;ACK3C,SAAS,+BAA+B,KAAqB;AAClE,SAAO,GAAG,0CAA0C,mBAAmB,GAAG;AAC5E;;;AF2BO,IAAM,wBAA0C,CAAC,WAAW,QAAQ;AACzE,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AACA,QAAM,eAAe,IAAI,IAAI,WAAW,SAAS,IAAI,EAAE;AACvD,MAAI,iBAAiB,SAAS,QAAQ;AACpC,WAAO;AAAA,EACT;AACA,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI;AACzC,QAAI,OAAO,WAAW,cAAc;AAClC,aAAO,+BAA+B,GAAG;AAAA,IAC3C;AAAA,EACF,QAAE;AAAA,EAEF;AACA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../../src/host/proxy/client.ts"],"names":[],"mappings":";;;;;;AAkCO,IAAM,wBAA0C,CAAC,WAAW,QAAQ;AACzE,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AACA,QAAM,eAAe,IAAI,IAAI,WAAW,SAAS,IAAI,EAAE;AACvD,MAAI,iBAAiB,SAAS,QAAQ;AACpC,WAAO;AAAA,EACT;AACA,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI;AACzC,QAAI,OAAO,WAAW,cAAc;AAClC,aAAO,+BAA+B,GAAG;AAAA,IAC3C;AAAA,EACF,QAAE;AAAA,EAEF;AACA,SAAO;AACT","sourcesContent":["import { generateProtectedRcFallbackSrc } from '../../runtime/url/protected-rc-fallback';\n\n/**\n * Called before each asset fetch (scripts, styles, chunks, images) for a remote component.\n * Return a rewritten URL string to redirect the fetch, or undefined to use the original URL.\n *\n * @param remoteSrc - The `src` of the remote component\n * @param url - The asset URL about to be fetched\n */\nexport type ResolveClientUrl = (\n  remoteSrc: string,\n  url: string,\n) => string | undefined;\n\n/**\n * A `ResolveClientUrl` that routes cross-origin remote component asset requests\n * through the host's `/rc-fetch-protected-remote` endpoint. Same-origin URLs pass through unchanged.\n *\n * Use this on Vercel preview deployments where deployment protection would otherwise\n * block direct cross-origin fetches — routing through the host means requests carry\n * the host's auth cookies.\n *\n * Requires `withRemoteComponentsHostProxy` on the host side to handle the proxied requests.\n *\n * @example\n * ```tsx\n * import { routeThroughHostProxy } from 'remote-components/host/proxy/client';\n *\n * <ConsumeRemoteComponent\n *   src=\"https://remote-app.com/components/header\"\n *   resolveClientUrl={routeThroughHostProxy}\n * />\n * ```\n */\nexport const routeThroughHostProxy: ResolveClientUrl = (remoteSrc, url) => {\n  if (typeof location === 'undefined') {\n    return undefined;\n  }\n  const remoteOrigin = new URL(remoteSrc, location.href).origin;\n  if (remoteOrigin === location.origin) {\n    return undefined;\n  }\n  try {\n    const parsed = new URL(url, location.href);\n    if (parsed.origin === remoteOrigin) {\n      return generateProtectedRcFallbackSrc(url);\n    }\n  } catch {\n    // If URL parsing fails, return undefined to use the original\n  }\n  return undefined;\n};\n"]}

package/dist/host/proxy/client.js

@@ -1,10 +1,7 @@
-// src/utils/constants.ts
-var RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
-
-// src/runtime/url/protected-rc-fallback.ts
-function generateProtectedRcFallbackSrc(url) {
-  return `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${encodeURIComponent(url)}`;
-}
+import {
+  generateProtectedRcFallbackSrc
+} from "../../chunk-X6YKUJKH.js";
+import "../../chunk-ENYGL5CO.js";
 
 // src/host/proxy/client.ts
 var routeThroughHostProxy = (remoteSrc, url) => {

package/dist/host/proxy/client.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/utils/constants.ts","../../../src/runtime/url/protected-rc-fallback.ts","../../../src/host/proxy/client.ts"],"sourcesContent":["export const RC_PROTECTED_REMOTE_FETCH_PATHNAME = '/rc-fetch-protected-remote';\n\nexport const MISSING_SHARED_MODULES_MESSAGE =\n  'Remote Components shared modules not found. Did you forget to wrap your config with `withRemoteComponentsConfig` on both host and remote?';\n\nexport const CORS_DOCS_URL =\n  'https://vercel.com/docs/remote-components/concepts/cors-external-urls#accessing-cross-site-protected-remote-components';\n","import { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '#internal/utils/constants';\n\n/**\n * Generates a fallback URL that proxies the request through the host's protected remote fetch endpoint\n */\nexport function generateProtectedRcFallbackSrc(url: string): string {\n  return `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${encodeURIComponent(url)}`;\n}\n\nexport function isProxiedUrl(url: string): boolean {\n  try {\n    return (\n      new URL(url, location.href).pathname ===\n      RC_PROTECTED_REMOTE_FETCH_PATHNAME\n    );\n  } catch {\n    return false;\n  }\n}\n","import { generateProtectedRcFallbackSrc } from '../../runtime/url/protected-rc-fallback';\n\n/**\n * Called before each asset fetch (scripts, styles, chunks, images) for a remote component.\n * Return a rewritten URL string to redirect the fetch, or undefined to use the original URL.\n *\n * @param remoteSrc - The `src` of the remote component\n * @param url - The asset URL about to be fetched\n */\nexport type ResolveClientUrl = (\n  remoteSrc: string,\n  url: string,\n) => string | undefined;\n\n/**\n * A `ResolveClientUrl` that routes cross-origin remote component asset requests\n * through the host's `/rc-fetch-protected-remote` endpoint. Same-origin URLs pass through unchanged.\n *\n * Use this on Vercel preview deployments where deployment protection would otherwise\n * block direct cross-origin fetches — routing through the host means requests carry\n * the host's auth cookies.\n *\n * Requires `withRemoteComponentsHostProxy` on the host side to handle the proxied requests.\n *\n * @example\n * ```tsx\n * import { routeThroughHostProxy } from 'remote-components/host/proxy/client';\n *\n * <ConsumeRemoteComponent\n *   src=\"https://remote-app.com/components/header\"\n *   resolveClientUrl={routeThroughHostProxy}\n * />\n * ```\n */\nexport const routeThroughHostProxy: ResolveClientUrl = (remoteSrc, url) => {\n  if (typeof location === 'undefined') {\n    return undefined;\n  }\n  const remoteOrigin = new URL(remoteSrc, location.href).origin;\n  if (remoteOrigin === location.origin) {\n    return undefined;\n  }\n  try {\n    const parsed = new URL(url, location.href);\n    if (parsed.origin === remoteOrigin) {\n      return generateProtectedRcFallbackSrc(url);\n    }\n  } catch {\n    // If URL parsing fails, return undefined to use the original\n  }\n  return undefined;\n};\n"],"mappings":";AAAO,IAAM,qCAAqC;;;ACK3C,SAAS,+BAA+B,KAAqB;AAClE,SAAO,GAAG,0CAA0C,mBAAmB,GAAG;AAC5E;;;AC2BO,IAAM,wBAA0C,CAAC,WAAW,QAAQ;AACzE,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AACA,QAAM,eAAe,IAAI,IAAI,WAAW,SAAS,IAAI,EAAE;AACvD,MAAI,iBAAiB,SAAS,QAAQ;AACpC,WAAO;AAAA,EACT;AACA,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI;AACzC,QAAI,OAAO,WAAW,cAAc;AAClC,aAAO,+BAA+B,GAAG;AAAA,IAC3C;AAAA,EACF,QAAE;AAAA,EAEF;AACA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../../src/host/proxy/client.ts"],"sourcesContent":["import { generateProtectedRcFallbackSrc } from '../../runtime/url/protected-rc-fallback';\n\n/**\n * Called before each asset fetch (scripts, styles, chunks, images) for a remote component.\n * Return a rewritten URL string to redirect the fetch, or undefined to use the original URL.\n *\n * @param remoteSrc - The `src` of the remote component\n * @param url - The asset URL about to be fetched\n */\nexport type ResolveClientUrl = (\n  remoteSrc: string,\n  url: string,\n) => string | undefined;\n\n/**\n * A `ResolveClientUrl` that routes cross-origin remote component asset requests\n * through the host's `/rc-fetch-protected-remote` endpoint. Same-origin URLs pass through unchanged.\n *\n * Use this on Vercel preview deployments where deployment protection would otherwise\n * block direct cross-origin fetches — routing through the host means requests carry\n * the host's auth cookies.\n *\n * Requires `withRemoteComponentsHostProxy` on the host side to handle the proxied requests.\n *\n * @example\n * ```tsx\n * import { routeThroughHostProxy } from 'remote-components/host/proxy/client';\n *\n * <ConsumeRemoteComponent\n *   src=\"https://remote-app.com/components/header\"\n *   resolveClientUrl={routeThroughHostProxy}\n * />\n * ```\n */\nexport const routeThroughHostProxy: ResolveClientUrl = (remoteSrc, url) => {\n  if (typeof location === 'undefined') {\n    return undefined;\n  }\n  const remoteOrigin = new URL(remoteSrc, location.href).origin;\n  if (remoteOrigin === location.origin) {\n    return undefined;\n  }\n  try {\n    const parsed = new URL(url, location.href);\n    if (parsed.origin === remoteOrigin) {\n      return generateProtectedRcFallbackSrc(url);\n    }\n  } catch {\n    // If URL parsing fails, return undefined to use the original\n  }\n  return undefined;\n};\n"],"mappings":";;;;;;AAkCO,IAAM,wBAA0C,CAAC,WAAW,QAAQ;AACzE,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AACA,QAAM,eAAe,IAAI,IAAI,WAAW,SAAS,IAAI,EAAE;AACvD,MAAI,iBAAiB,SAAS,QAAQ;AACpC,WAAO;AAAA,EACT;AACA,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,KAAK,SAAS,IAAI;AACzC,QAAI,OAAO,WAAW,cAAc;AAClC,aAAO,+BAA+B,GAAG;AAAA,IAC3C;AAAA,EACF,QAAE;AAAA,EAEF;AACA,SAAO;AACT;","names":[]}

package/dist/host/proxy.cjs

@@ -1,54 +1,18 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }
+
+var _chunkTCFLEBQMcjs = require('../chunk-TCFLEBQM.cjs');
 
-// src/host/proxy/index.ts
-var proxy_exports = {};
-__export(proxy_exports, {
-  withConsumeRemoteComponentsProxy: () => withConsumeRemoteComponentsProxy
-});
-module.exports = __toCommonJS(proxy_exports);
-var import_server = require("next/server");
 
-// src/host/server/fetch-headers.ts
-function remoteFetchHeaders() {
-  return {
-    /**
-     * Authenticates deployment protection for the remote. Needed for SSR and SSG clients.
-     * If the remote component uses vercel deployment protection, ensure the host and remote vercel
-     * projects share a common automation bypass secret, and the shared secret is used as the
-     * VERCEL_AUTOMATION_BYPASS_SECRET env var in the host project.
-     */
-    ...typeof process === "object" && typeof process.env === "object" && typeof process.env.VERCEL_AUTOMATION_BYPASS_SECRET === "string" ? {
-      "x-vercel-protection-bypass": process.env.VERCEL_AUTOMATION_BYPASS_SECRET
-    } : {},
-    Accept: "text/html"
-  };
-}
 
-// src/utils/constants.ts
-var RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
-var CORS_DOCS_URL = "https://vercel.com/docs/remote-components/concepts/cors-external-urls#accessing-cross-site-protected-remote-components";
+var _chunkSHFJ5OQAcjs = require('../chunk-SHFJ5OQA.cjs');
+
+// src/host/proxy/index.ts
+var _server = require('next/server');
 
 // src/host/proxy/protected-fetch.ts
 async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   const url = new URL(requestUrl, "https://fallback.com");
-  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {
+  if (url.pathname !== _chunkSHFJ5OQAcjs.RC_PROTECTED_REMOTE_FETCH_PATHNAME) {
     return null;
   }
   const targetUrl = url.searchParams.get("url");
@@ -60,7 +24,7 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   let parsedTargetUrl;
   try {
     parsedTargetUrl = new URL(targetUrl);
-  } catch {
+  } catch (e) {
     return new Response("Bad request: invalid URL", { status: 400 });
   }
   if (parsedTargetUrl.protocol !== "https:" && parsedTargetUrl.protocol !== "http:") {
@@ -68,14 +32,14 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
       status: 400
     });
   }
-  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(
+  const envPatterns = _optionalChain([process, 'access', _ => _.env, 'access', _2 => _2.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS, 'optionalAccess', _3 => _3.split, 'call', _4 => _4(
     ","
-  ).map((p) => p.trim());
-  const optionPatterns = options?.allowedProxyUrls;
+  ), 'access', _5 => _5.map, 'call', _6 => _6((p) => p.trim())]);
+  const optionPatterns = _optionalChain([options, 'optionalAccess', _7 => _7.allowedProxyUrls]);
   const allowedPatterns = [...optionPatterns || [], ...envPatterns || []];
   if (allowedPatterns.length === 0) {
     return new Response(
-      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. See: ${CORS_DOCS_URL}`,
+      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. See: ${_chunkSHFJ5OQAcjs.CORS_DOCS_URL}`,
       {
         status: 403
       }
@@ -98,13 +62,13 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   });
   if (!isUrlAllowed) {
     return new Response(
-      `Forbidden: origin "${parsedTargetUrl.origin}" does not match any allowedProxyUrls. Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. See: ${CORS_DOCS_URL}`,
+      `Forbidden: origin "${parsedTargetUrl.origin}" does not match any allowedProxyUrls. Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. See: ${_chunkSHFJ5OQAcjs.CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
-  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });
+  const response = await fetch(targetUrl, { headers: _chunkTCFLEBQMcjs.remoteFetchHeaders.call(void 0, ) });
   const SAFE_HEADERS = [
     "content-type",
     "cache-control",
@@ -135,11 +99,10 @@ function withConsumeRemoteComponentsProxy(proxy, options) {
     if (protectedFetchResponse) {
       return protectedFetchResponse;
     }
-    return typeof proxy === "function" ? await proxy(request) : import_server.NextResponse.next();
+    return typeof proxy === "function" ? await proxy(request) : _server.NextResponse.next();
   };
 }
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  withConsumeRemoteComponentsProxy
-});
+
+
+exports.withConsumeRemoteComponentsProxy = withConsumeRemoteComponentsProxy;
 //# sourceMappingURL=proxy.cjs.map

package/dist/host/proxy.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/host/proxy/index.ts","../../src/host/server/fetch-headers.ts","../../src/utils/constants.ts","../../src/host/proxy/protected-fetch.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  type HostProxyOptions,\n  handleProtectedRemoteFetchRequest,\n} from './protected-fetch';\n\n/**\n * Wraps a Next.js proxy handler to add remote component support:\n * handles cross-origin asset fetches via the `/rc-fetch-protected-remote` endpoint,\n * then falls through to your proxy handler (or `NextResponse.next()`) for all other requests.\n *\n * Add `/rc-fetch-protected-remote` to your proxy/middleware matchers to activate it.\n *\n * @param proxy - Optional Next.js proxy handler to run for non-remote-component requests\n * @param options - Configuration options for SSRF protection\n */\nexport function withConsumeRemoteComponentsProxy(\n  proxy?: (request: NextRequest) => NextResponse | Promise<NextResponse>,\n  options?: HostProxyOptions,\n) {\n  return async (request: NextRequest) => {\n    // Check if this is a protected remote fetch request\n    const protectedFetchResponse = await handleProtectedRemoteFetchRequest(\n      request.url,\n      options,\n    );\n\n    if (protectedFetchResponse) {\n      return protectedFetchResponse;\n    }\n\n    return typeof proxy === 'function'\n      ? await proxy(request)\n      : NextResponse.next();\n  };\n}\n\nexport type { HostProxyOptions } from './protected-fetch';\n","/**\n * The headers to use when fetching the remote component.\n */\nexport function remoteFetchHeaders() {\n  return {\n    /**\n     * Authenticates deployment protection for the remote. Needed for SSR and SSG clients.\n     * If the remote component uses vercel deployment protection, ensure the host and remote vercel\n     * projects share a common automation bypass secret, and the shared secret is used as the\n     * VERCEL_AUTOMATION_BYPASS_SECRET env var in the host project.\n     */\n    ...(typeof process === 'object' &&\n    typeof process.env === 'object' &&\n    typeof process.env.VERCEL_AUTOMATION_BYPASS_SECRET === 'string'\n      ? {\n          'x-vercel-protection-bypass':\n            process.env.VERCEL_AUTOMATION_BYPASS_SECRET,\n        }\n      : {}),\n    Accept: 'text/html',\n  };\n}\n","export const RC_PROTECTED_REMOTE_FETCH_PATHNAME = '/rc-fetch-protected-remote';\n\nexport const MISSING_SHARED_MODULES_MESSAGE =\n  'Remote Components shared modules not found. Did you forget to wrap your config with `withRemoteComponentsConfig` on both host and remote?';\n\nexport const CORS_DOCS_URL =\n  'https://vercel.com/docs/remote-components/concepts/cors-external-urls#accessing-cross-site-protected-remote-components';\n","/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { remoteFetchHeaders } from '#internal/host/server/fetch-headers';\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/utils/constants';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA+C;;;ACGxC,SAAS,qBAAqB;AACnC,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOL,GAAI,OAAO,YAAY,YACvB,OAAO,QAAQ,QAAQ,YACvB,OAAO,QAAQ,IAAI,oCAAoC,WACnD;AAAA,MACE,8BACE,QAAQ,IAAI;AAAA,IAChB,IACA,CAAC;AAAA,IACL,QAAQ;AAAA,EACV;AACF;;;ACrBO,IAAM,qCAAqC;AAK3C,IAAM,gBACX;;;ACyBF,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;;;AHzHO,SAAS,iCACd,OACA,SACA;AACA,SAAO,OAAO,YAAyB;AAErC,UAAM,yBAAyB,MAAM;AAAA,MACnC,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,wBAAwB;AAC1B,aAAO;AAAA,IACT;AAEA,WAAO,OAAO,UAAU,aACpB,MAAM,MAAM,OAAO,IACnB,2BAAa,KAAK;AAAA,EACxB;AACF;","names":[]}
+{"version":3,"sources":["../../src/host/proxy/index.ts","../../src/host/proxy/protected-fetch.ts"],"names":[],"mappings":";;;;;;;;;AAAA,SAA2B,oBAAoB;;;AC+B/C,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;;;ADzHO,SAAS,iCACd,OACA,SACA;AACA,SAAO,OAAO,YAAyB;AAErC,UAAM,yBAAyB,MAAM;AAAA,MACnC,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,wBAAwB;AAC1B,aAAO;AAAA,IACT;AAEA,WAAO,OAAO,UAAU,aACpB,MAAM,MAAM,OAAO,IACnB,aAAa,KAAK;AAAA,EACxB;AACF","sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  type HostProxyOptions,\n  handleProtectedRemoteFetchRequest,\n} from './protected-fetch';\n\n/**\n * Wraps a Next.js proxy handler to add remote component support:\n * handles cross-origin asset fetches via the `/rc-fetch-protected-remote` endpoint,\n * then falls through to your proxy handler (or `NextResponse.next()`) for all other requests.\n *\n * Add `/rc-fetch-protected-remote` to your proxy/middleware matchers to activate it.\n *\n * @param proxy - Optional Next.js proxy handler to run for non-remote-component requests\n * @param options - Configuration options for SSRF protection\n */\nexport function withConsumeRemoteComponentsProxy(\n  proxy?: (request: NextRequest) => NextResponse | Promise<NextResponse>,\n  options?: HostProxyOptions,\n) {\n  return async (request: NextRequest) => {\n    // Check if this is a protected remote fetch request\n    const protectedFetchResponse = await handleProtectedRemoteFetchRequest(\n      request.url,\n      options,\n    );\n\n    if (protectedFetchResponse) {\n      return protectedFetchResponse;\n    }\n\n    return typeof proxy === 'function'\n      ? await proxy(request)\n      : NextResponse.next();\n  };\n}\n\nexport type { HostProxyOptions } from './protected-fetch';\n","/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { remoteFetchHeaders } from '#internal/host/server/fetch-headers';\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/utils/constants';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"]}

package/dist/host/proxy.js

@@ -1,26 +1,14 @@
+import {
+  remoteFetchHeaders
+} from "../chunk-GAXJTFBV.js";
+import {
+  CORS_DOCS_URL,
+  RC_PROTECTED_REMOTE_FETCH_PATHNAME
+} from "../chunk-ENYGL5CO.js";
+
 // src/host/proxy/index.ts
 import { NextResponse } from "next/server";
 
-// src/host/server/fetch-headers.ts
-function remoteFetchHeaders() {
-  return {
-    /**
-     * Authenticates deployment protection for the remote. Needed for SSR and SSG clients.
-     * If the remote component uses vercel deployment protection, ensure the host and remote vercel
-     * projects share a common automation bypass secret, and the shared secret is used as the
-     * VERCEL_AUTOMATION_BYPASS_SECRET env var in the host project.
-     */
-    ...typeof process === "object" && typeof process.env === "object" && typeof process.env.VERCEL_AUTOMATION_BYPASS_SECRET === "string" ? {
-      "x-vercel-protection-bypass": process.env.VERCEL_AUTOMATION_BYPASS_SECRET
-    } : {},
-    Accept: "text/html"
-  };
-}
-
-// src/utils/constants.ts
-var RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
-var CORS_DOCS_URL = "https://vercel.com/docs/remote-components/concepts/cors-external-urls#accessing-cross-site-protected-remote-components";
-
 // src/host/proxy/protected-fetch.ts
 async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   const url = new URL(requestUrl, "https://fallback.com");

package/dist/host/proxy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/host/proxy/index.ts","../../src/host/server/fetch-headers.ts","../../src/utils/constants.ts","../../src/host/proxy/protected-fetch.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  type HostProxyOptions,\n  handleProtectedRemoteFetchRequest,\n} from './protected-fetch';\n\n/**\n * Wraps a Next.js proxy handler to add remote component support:\n * handles cross-origin asset fetches via the `/rc-fetch-protected-remote` endpoint,\n * then falls through to your proxy handler (or `NextResponse.next()`) for all other requests.\n *\n * Add `/rc-fetch-protected-remote` to your proxy/middleware matchers to activate it.\n *\n * @param proxy - Optional Next.js proxy handler to run for non-remote-component requests\n * @param options - Configuration options for SSRF protection\n */\nexport function withConsumeRemoteComponentsProxy(\n  proxy?: (request: NextRequest) => NextResponse | Promise<NextResponse>,\n  options?: HostProxyOptions,\n) {\n  return async (request: NextRequest) => {\n    // Check if this is a protected remote fetch request\n    const protectedFetchResponse = await handleProtectedRemoteFetchRequest(\n      request.url,\n      options,\n    );\n\n    if (protectedFetchResponse) {\n      return protectedFetchResponse;\n    }\n\n    return typeof proxy === 'function'\n      ? await proxy(request)\n      : NextResponse.next();\n  };\n}\n\nexport type { HostProxyOptions } from './protected-fetch';\n","/**\n * The headers to use when fetching the remote component.\n */\nexport function remoteFetchHeaders() {\n  return {\n    /**\n     * Authenticates deployment protection for the remote. Needed for SSR and SSG clients.\n     * If the remote component uses vercel deployment protection, ensure the host and remote vercel\n     * projects share a common automation bypass secret, and the shared secret is used as the\n     * VERCEL_AUTOMATION_BYPASS_SECRET env var in the host project.\n     */\n    ...(typeof process === 'object' &&\n    typeof process.env === 'object' &&\n    typeof process.env.VERCEL_AUTOMATION_BYPASS_SECRET === 'string'\n      ? {\n          'x-vercel-protection-bypass':\n            process.env.VERCEL_AUTOMATION_BYPASS_SECRET,\n        }\n      : {}),\n    Accept: 'text/html',\n  };\n}\n","export const RC_PROTECTED_REMOTE_FETCH_PATHNAME = '/rc-fetch-protected-remote';\n\nexport const MISSING_SHARED_MODULES_MESSAGE =\n  'Remote Components shared modules not found. Did you forget to wrap your config with `withRemoteComponentsConfig` on both host and remote?';\n\nexport const CORS_DOCS_URL =\n  'https://vercel.com/docs/remote-components/concepts/cors-external-urls#accessing-cross-site-protected-remote-components';\n","/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { remoteFetchHeaders } from '#internal/host/server/fetch-headers';\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/utils/constants';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";AAAA,SAA2B,oBAAoB;;;ACGxC,SAAS,qBAAqB;AACnC,SAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOL,GAAI,OAAO,YAAY,YACvB,OAAO,QAAQ,QAAQ,YACvB,OAAO,QAAQ,IAAI,oCAAoC,WACnD;AAAA,MACE,8BACE,QAAQ,IAAI;AAAA,IAChB,IACA,CAAC;AAAA,IACL,QAAQ;AAAA,EACV;AACF;;;ACrBO,IAAM,qCAAqC;AAK3C,IAAM,gBACX;;;ACyBF,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;;;AHzHO,SAAS,iCACd,OACA,SACA;AACA,SAAO,OAAO,YAAyB;AAErC,UAAM,yBAAyB,MAAM;AAAA,MACnC,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,wBAAwB;AAC1B,aAAO;AAAA,IACT;AAEA,WAAO,OAAO,UAAU,aACpB,MAAM,MAAM,OAAO,IACnB,aAAa,KAAK;AAAA,EACxB;AACF;","names":[]}
+{"version":3,"sources":["../../src/host/proxy/index.ts","../../src/host/proxy/protected-fetch.ts"],"sourcesContent":["import { type NextRequest, NextResponse } from 'next/server';\nimport {\n  type HostProxyOptions,\n  handleProtectedRemoteFetchRequest,\n} from './protected-fetch';\n\n/**\n * Wraps a Next.js proxy handler to add remote component support:\n * handles cross-origin asset fetches via the `/rc-fetch-protected-remote` endpoint,\n * then falls through to your proxy handler (or `NextResponse.next()`) for all other requests.\n *\n * Add `/rc-fetch-protected-remote` to your proxy/middleware matchers to activate it.\n *\n * @param proxy - Optional Next.js proxy handler to run for non-remote-component requests\n * @param options - Configuration options for SSRF protection\n */\nexport function withConsumeRemoteComponentsProxy(\n  proxy?: (request: NextRequest) => NextResponse | Promise<NextResponse>,\n  options?: HostProxyOptions,\n) {\n  return async (request: NextRequest) => {\n    // Check if this is a protected remote fetch request\n    const protectedFetchResponse = await handleProtectedRemoteFetchRequest(\n      request.url,\n      options,\n    );\n\n    if (protectedFetchResponse) {\n      return protectedFetchResponse;\n    }\n\n    return typeof proxy === 'function'\n      ? await proxy(request)\n      : NextResponse.next();\n  };\n}\n\nexport type { HostProxyOptions } from './protected-fetch';\n","/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { remoteFetchHeaders } from '#internal/host/server/fetch-headers';\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/utils/constants';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";;;;;;;;;AAAA,SAA2B,oBAAoB;;;AC+B/C,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;;;ADzHO,SAAS,iCACd,OACA,SACA;AACA,SAAO,OAAO,YAAyB;AAErC,UAAM,yBAAyB,MAAM;AAAA,MACnC,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,wBAAwB;AAC1B,aAAO;AAAA,IACT;AAEA,WAAO,OAAO,UAAU,aACpB,MAAM,MAAM,OAAO,IACnB,aAAa,KAAK;AAAA,EACxB;AACF;","names":[]}