-
Notifications
You must be signed in to change notification settings - Fork 212
Expand file tree
/
Copy pathssr.js
More file actions
481 lines (428 loc) · 21.8 KB
/
ssr.js
File metadata and controls
481 lines (428 loc) · 21.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
/*
* Copyright (c) 2023, Salesforce, Inc.
* All rights reserved.
* SPDX-License-Identifier: BSD-3-Clause
* For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
*/
/*
* Developer note! When updating this file, make sure to also update the
* ssr.js template files in pwa-kit-create-app.
*
* In the pwa-kit-create-app, the templates are found under:
* - assets/bootstrap/js/overrides/app/ssr.js.hbs
* - assets/templates/@salesforce/retail-react-app/app/ssr.js.hbs
*/
'use strict'
import crypto from 'crypto'
import express from 'express'
import helmet from 'helmet'
import {createRemoteJWKSet as joseCreateRemoteJWKSet, jwtVerify, decodeJwt} from 'jose'
import path from 'path'
import {getRuntime} from '@salesforce/pwa-kit-runtime/ssr/server/express'
import {defaultPwaKitSecurityHeaders} from '@salesforce/pwa-kit-runtime/utils/middleware'
import {getConfig} from '@salesforce/pwa-kit-runtime/utils/ssr-config'
import {getAppOrigin} from '@salesforce/pwa-kit-react-sdk/utils/url'
const config = getConfig()
const options = {
// The build directory (an absolute path)
buildDir: path.resolve(process.cwd(), 'build'),
// The cache time for SSR'd pages (defaults to 600 seconds)
defaultCacheTimeSeconds: 600,
// The contents of the config file for the current environment
mobify: config,
// The port that the local dev server listens on
port: 3000,
// The protocol on which the development Express app listens.
// Note that http://localhost is treated as a secure context for development,
// except by Safari.
protocol: 'http',
// Option for whether to set up a special endpoint for handling
// private SLAS clients
// Set this to false if using a SLAS public client
// When setting this to true, make sure to also set the PWA_KIT_SLAS_CLIENT_SECRET
// environment variable as this endpoint will return HTTP 501 if it is not set
useSLASPrivateClient: true,
// If you wish to use additional SLAS endpoints that require private clients,
// customize this regex to include the additional endpoints the custom SLAS
// private client secret handler will inject an Authorization header.
// The default regex is defined in this file: https://github.com/SalesforceCommerceCloud/pwa-kit/blob/develop/packages/pwa-kit-runtime/src/ssr/server/build-remote-server.js
// applySLASPrivateClientToEndpoints:
// /\/oauth2\/(token|passwordless\/(login|token)|password\/(reset|action))/,
// If this is enabled, any HTTP header that has a non ASCII value will be URI encoded
// If there any HTTP headers that have been encoded, an additional header will be
// passed, `x-encoded-headers`, containing a comma separated list
// of the keys of headers that have been encoded
// There may be a slight performance loss with requests/responses with large number
// of headers as we loop through all the headers to verify ASCII vs non ASCII
encodeNonAsciiHttpHeaders: true,
// Cookie handling configuration for security and session management.
//
// SECURITY CONSIDERATIONS:
// - Set to 'false' in production for enhanced security (prevents XSS attacks via client-side cookie access)
// - Set to 'true' only in development when testing SFCC session integration or Hybrid Proxy functionality
// - When false: cookies are stripped from requests and cannot be set in responses (server-only cookies)
// - When true: allows client-side JavaScript access to cookies (development/testing only)
//
// HYBRID PROXY REQUIREMENT:
// - Hybrid Proxy requires this to be 'true' for SFCC session management to work properly
// - Only enable Hybrid Proxy in development environments, never in production
localAllowCookies: false,
// Hybrid Proxy configuration for local development and MRT to ODS connection testing.
//
// IMPORTANT SECURITY NOTES:
// - This should ONLY be used for local development and testing
// - NEVER enable in production - use eCDN rules instead for production routing
// - When enabled, localAllowCookies must be set to 'true' for SFCC sessions to work
// - Production deployments should use eCDN to direct requests to SFCC instances
//
// REFERENCE: https://developer.salesforce.com/docs/commerce/commerce-api/guide/hybrid-authentication.html
hybridProxy: {
// If this is enabled, the Hybrid Proxy will be enabled to proxy requests to the SFCC instance.
// IMPORTANT: This should only be used for local development. For production, this should be disabled and use eCDN to direct requests to the SFCC instance.
// Refer to https://developer.salesforce.com/docs/commerce/commerce-api/guide/hybrid-authentication.html for more details.
enabled: false,
// The origin of the SFCC instance (i.e. the instance that is being proxied to which hosts the storefront).
sfccOrigin: 'https://zzrf-001.dx.commercecloud.salesforce.com',
// The MRT rules to apply to the hybrid proxy.
// These rules determine which requests are handled by PWA Kit (MRT) vs proxied to SFCC. The same rules should be used in the eCDN rules for the same requests.
// Paths excluded from the rules will be re-directed to SFCC instance. In the following example, the Cart and checkout pages are excluded from the rules.
// Refer to the following links for more details:
// * https://developer.salesforce.com/docs/commerce/commerce-api/references/cdn-api-process-apis?meta=MrtRules
// * https://developer.salesforce.com/docs/commerce/commerce-api/guide/ecdn-rules-for-phased-headless-rollout.html
routingRules: [
'http.request.uri.path eq "/" or http.request.uri.path matches "^/callback" or http.request.uri.path matches "^/mobify" or http.request.uri.path matches "^/worker.js" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/$" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/login" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/reset-password" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/registration" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/account" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/account/orders" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/account/orders/(\\\\w+)" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/account/wishlist" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/product/(\\\\w+)" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/search" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/category/(\\\\w+)" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/order-status" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/page/(\\\\w+)" or http.request.uri.path matches "^/(\\\\w+)/([-\\\\w]+)/page-viewer/(\\\\w+)"'
]
}
}
const runtime = getRuntime()
/**
* Tokens are valid for 20 minutes. We store it at the top level scope to reuse
* it during the lambda invocation. We'll refresh it after 15 minutes.
*/
let marketingCloudToken = ''
let marketingCloudTokenExpiration = new Date()
/**
* Generates a unique ID for the email message.
*
* @return {string} A unique ID for the email message.
*/
function generateUniqueId() {
return crypto.randomBytes(16).toString('hex')
}
/**
* Sends an email to a specified contact using the Marketing Cloud API. The template email must have a
* `%%magic-link%%` personalization string inserted.
* https://help.salesforce.com/s/articleView?id=mktg.mc_es_personalization_strings.htm&type=5
*
* @param {string} email - The email address of the contact to whom the email will be sent.
* @param {string} templateId - The ID of the email template to be used for the email.
* @param {string} magicLink - The magic link to be included in the email.
*
* @return {Promise<object>} A promise that resolves to the response object received from the Marketing Cloud API.
*/
async function sendMarketingCloudEmail(emailId, marketingCloudConfig) {
// Refresh token if expired
if (new Date() > marketingCloudTokenExpiration) {
const {clientId, clientSecret, subdomain} = marketingCloudConfig
const tokenUrl = `https://${subdomain}.auth.marketingcloudapis.com/v2/token`
const tokenResponse = await fetch(tokenUrl, {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({
grant_type: 'client_credentials',
client_id: clientId,
client_secret: clientSecret
})
})
if (!tokenResponse.ok)
throw new Error(
'Failed to fetch Marketing Cloud access token. Check your Marketing Cloud credentials and try again.'
)
const {access_token} = await tokenResponse.json()
marketingCloudToken = access_token
// Set expiration to 15 mins
marketingCloudTokenExpiration = new Date(Date.now() + 15 * 60 * 1000)
}
// Send the email
const emailUrl = `https://${
marketingCloudConfig.subdomain
}.rest.marketingcloudapis.com/messaging/v1/email/messages/${generateUniqueId()}`
const emailResponse = await fetch(emailUrl, {
method: 'POST',
headers: {
Authorization: `Bearer ${marketingCloudToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
definitionKey: marketingCloudConfig.templateId,
recipient: {
contactKey: emailId,
to: emailId,
attributes: {'magic-link': marketingCloudConfig.magicLink}
}
})
})
if (!emailResponse.ok) throw new Error('Failed to send email to Marketing Cloud')
return await emailResponse.json()
}
/**
* Generates a unique ID, constructs an email message URL, and sends the email to the specified contact
* using the Marketing Cloud API.
*
* @param {string} email - The email address of the contact to whom the email will be sent.
* @param {string} templateId - The ID of the email template to be used for the email.
* @param {string} magicLink - The magic link to be included in the email.
*
* @return {Promise<object>} A promise that resolves to the response object received from the Marketing Cloud API.
*/
export async function emailLink(emailId, templateId, magicLink) {
if (!process.env.MARKETING_CLOUD_CLIENT_ID) {
console.warn('MARKETING_CLOUD_CLIENT_ID is not set in the environment variables.')
}
if (!process.env.MARKETING_CLOUD_CLIENT_SECRET) {
console.warn(' MARKETING_CLOUD_CLIENT_SECRET is not set in the environment variables.')
}
if (!process.env.MARKETING_CLOUD_SUBDOMAIN) {
console.warn('MARKETING_CLOUD_SUBDOMAIN is not set in the environment variables.')
}
const marketingCloudConfig = {
clientId: process.env.MARKETING_CLOUD_CLIENT_ID,
clientSecret: process.env.MARKETING_CLOUD_CLIENT_SECRET,
magicLink: magicLink,
subdomain: process.env.MARKETING_CLOUD_SUBDOMAIN,
templateId: templateId
}
return await sendMarketingCloudEmail(emailId, marketingCloudConfig)
}
const resetPasswordCallback =
config.app.login?.resetPassword?.callbackURI || '/reset-password-callback'
const passwordlessLoginCallback =
config.app.login?.passwordless?.callbackURI || '/passwordless-login-callback'
// Reusable function to handle sending a magic link email.
// By default, this implementation uses Marketing Cloud.
async function sendMagicLinkEmail(req, res, landingPath, emailTemplate, redirectUrl) {
// Extract the base URL from the request
const base = req.protocol + '://' + req.get('host')
// Extract the email_id and token from the request body
const {email_id, token} = req.body
// Construct the magic link URL
let magicLink = `${base}${landingPath}?token=${encodeURIComponent(token)}`
if (landingPath === config.app.login?.resetPassword?.landingPath) {
// Add email query parameter for reset password flow
magicLink += `&email=${encodeURIComponent(email_id)}`
}
if (landingPath === config.app.login?.passwordless?.landingPath && redirectUrl) {
magicLink += `&redirect_url=${encodeURIComponent(redirectUrl)}`
}
// Call the emailLink function to send an email with the magic link using Marketing Cloud
const emailLinkResponse = await emailLink(email_id, emailTemplate, magicLink)
// Send the response
res.send(emailLinkResponse)
}
const CLAIM = {
ISSUER: 'iss'
}
const DELIMITER = {
ISSUER: '/'
}
const throwSlasTokenValidationError = (message, code) => {
throw new Error(`SLAS Token Validation Error: ${message}`, code)
}
export const createRemoteJWKSet = (tenantId) => {
const appOrigin = getAppOrigin()
const {app: appConfig} = getConfig()
const shortCode = appConfig.commerceAPI?.parameters?.shortCode
const configTenantId = appConfig.commerceAPI?.parameters?.organizationId?.replace(
/^f_ecom_/,
''
)
if (!shortCode || !configTenantId) {
throw new Error(
'Cannot find `commerceAPI.parameters.(shortCode|organizationId)` in your config file. Please check the config file.'
)
}
if (tenantId !== configTenantId) {
throw new Error(
`The tenant ID in your PWA Kit configuration ("${configTenantId}") does not match the tenant ID in the SLAS callback token ("${tenantId}").`
)
}
const JWKS_URI = `${appOrigin}/${shortCode}/${tenantId}/oauth2/jwks`
return joseCreateRemoteJWKSet(new URL(JWKS_URI))
}
export const validateSlasCallbackToken = async (token) => {
const payload = decodeJwt(token)
const subClaim = payload[CLAIM.ISSUER]
const tokens = subClaim.split(DELIMITER.ISSUER)
const tenantId = tokens[2]
try {
const jwks = createRemoteJWKSet(tenantId)
const {payload} = await jwtVerify(token, jwks, {})
return payload
} catch (error) {
throwSlasTokenValidationError(error.message, 401)
}
}
const tenantIdRegExp = /^[a-zA-Z]{4}_([0-9]{3}|s[0-9]{2}|stg|dev|prd)$/
const shortCodeRegExp = /^[a-zA-Z0-9-]+$/
/**
* Handles JWKS (JSON Web Key Set) caching the JWKS response for 2 weeks.
*
* @param {object} req Express request object.
* @param {object} res Express response object.
* @param {object} options Options for fetching B2C Commerce API JWKS.
* @param {string} options.shortCode - The Short Code assigned to the realm.
* @param {string} options.tenantId - The Tenant ID for the ECOM instance.
* @returns {Promise<*>} Promise with the JWKS data.
*/
export async function jwksCaching(req, res, options) {
const {shortCode, tenantId} = options
const isValidRequest = tenantIdRegExp.test(tenantId) && shortCodeRegExp.test(shortCode)
if (!isValidRequest)
return res
.status(400)
.json({error: 'Bad request parameters: Tenant ID or short code is invalid.'})
try {
const JWKS_URI = `https://${shortCode}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/f_ecom_${tenantId}/oauth2/jwks`
const response = await fetch(JWKS_URI)
if (!response.ok) {
throw new Error('Request failed with status: ' + response.status)
}
// JWKS rotate every 30 days. For now, cache response for 14 days so that
// fetches only need to happen twice a month
res.set('Cache-Control', 'public, max-age=1209600, stale-while-revalidate=86400')
return res.json(await response.json())
} catch (error) {
res.status(400).json({error: `Error while fetching data: ${error.message}`})
}
}
const {handler} = runtime.createHandler(options, (app) => {
app.use(express.json()) // To parse JSON payloads
app.use(express.urlencoded({extended: true}))
// Set default HTTP security headers required by PWA Kit
app.use(defaultPwaKitSecurityHeaders)
// Set custom HTTP security headers
app.use(
helmet({
contentSecurityPolicy: {
useDefaults: true,
directives: {
'img-src': [
// Default source for product images - replace with your CDN
'*.commercecloud.salesforce.com',
'checkoutshopper-test.adyen.com',
// Allow Google Pay specific images
'https://www.gstatic.com/',
'*.demandware.net',
'*.sfcc-store-internal.net',
's3.amazonaws.com',
'https://*.exp-delivery.com',
'https://*.exp-delivery-soak.com',
'*.cc.salesforce.com'
],
'script-src': [
// Used by the service worker in /worker/main.js
'storage.googleapis.com',
'maps.googleapis.com',
'places.googleapis.com',
'*.adyen.com',
'https://checkoutshopper-test.adyen.com',
'https://pay.google.com/gp/p/js/pay.js',
'*.site.com',
'*.commercecloud.com',
'*.test1.my.pc-rnd.site.com',
'*.test2.my.pc-rnd.site.com',
'https://*.exp-delivery.com',
'https://*.exp-delivery-soak.com'
],
'connect-src': [
// Connect to Einstein APIs
'api.cquotient.com',
// Connect to DataCloud APIs
'*.c360a.salesforce.com',
'maps.googleapis.com',
'places.googleapis.com',
// Connect to SCRT2 URLs
'*.salesforce-scrt.com',
'*.site.com',
'checkoutshopper-test.adyen.com',
'*.pc-rnd.site.com',
'*.test1.my.pc-rnd.salesforce-scrt.com',
'*.test2.my.pc-rnd.salesforce-scrt.com',
'*.test2.my.pc-rnd.site.com',
'https://*.exp-delivery.com',
'*.test1.my.pc-rn.site.com',
'https://*.exp-delivery-soak.com',
'https://pay.google.com'
],
'frame-src': [
// Allow frames from Salesforce site.com (Needed for MIAW)
'*.site.com',
'checkoutshopper-test.adyen.com',
// Allow Google Pay Specific frames
'https://pay.google.com'
],
'frame-ancestors': [
'self',
'https://*.test1.my.pc-rnd.site.com',
'https://*.test2.my.pc-rnd.site.com',
'https://*.mobify-storefront.com',
'https://runtime.commercecloud.com',
'https://*.exp-delivery.com',
'https://*.exp-delivery-soak.com',
'https://*.force.com',
'https://*.lightning.force.com'
]
}
}
})
)
// Handle the redirect from SLAS as to avoid error
app.get('/callback', (req, res) => {
// This endpoint does nothing and is not expected to change
// Thus we cache it for a year to maximize performance
res.set('Cache-Control', `max-age=31536000`)
res.send()
})
app.get('/:shortCode/:tenantId/oauth2/jwks', (req, res) => {
jwksCaching(req, res, {shortCode: req.params.shortCode, tenantId: req.params.tenantId})
})
// Handles the passwordless login callback route. SLAS makes a POST request to this
// endpoint sending the email address and passwordless token. Then this endpoint calls
// the sendMagicLinkEmail function to send an email with the passwordless login magic link.
// https://developer.salesforce.com/docs/commerce/commerce-api/guide/slas-passwordless-login.html#receive-the-callback
app.post(passwordlessLoginCallback, (req, res) => {
const slasCallbackToken = req.headers['x-slas-callback-token']
const redirectUrl = req.query.redirectUrl
validateSlasCallbackToken(slasCallbackToken).then(() => {
sendMagicLinkEmail(
req,
res,
config.app.login?.passwordless?.landingPath,
process.env.MARKETING_CLOUD_PASSWORDLESS_LOGIN_TEMPLATE,
redirectUrl
)
})
})
// Handles the reset password callback route. SLAS makes a POST request to this
// endpoint sending the email address and reset password token. Then this endpoint calls
// the sendMagicLinkEmail function to send an email with the reset password magic link.
// https://developer.salesforce.com/docs/commerce/commerce-api/guide/slas-password-reset.html#slas-password-reset-flow
app.post(resetPasswordCallback, (req, res) => {
const slasCallbackToken = req.headers['x-slas-callback-token']
validateSlasCallbackToken(slasCallbackToken).then(() => {
sendMagicLinkEmail(
req,
res,
config.app.login?.resetPassword?.landingPath,
process.env.MARKETING_CLOUD_RESET_PASSWORD_TEMPLATE
)
})
})
app.get('/robots.txt', runtime.serveStaticFile('static/robots.txt'))
app.get('/favicon.ico', runtime.serveStaticFile('static/ico/favicon.ico'))
app.get('/worker.js(.map)?', runtime.serveServiceWorker)
app.get('*', runtime.render)
})
// SSR requires that we export a single handler function called 'get', that
// supports AWS use of the server that we created above.
export const get = handler