feat: password protected stores

.gitignore

@@ -1,5 +1,6 @@
 .turbo
 .next
+*.tsbuildinfo
 
 # Logs
 logs

packages/cli/src/utils/generate.ts

@@ -469,40 +469,6 @@ function validateAndInstallMissingDependencies(basePath: string) {
   })
 }
 
-// TODO: Read the value from an environment variable
-const ENABLE_REDIRECTS_MIDDLEWARE = false
-
-// Enable redirects middleware by renaming the file from middleware__DISABLED.ts to middleware.tsß
-function enableRedirectsMiddleware(basePath: string) {
-  if (!ENABLE_REDIRECTS_MIDDLEWARE) {
-    return
-  }
-
-  try {
-    const { tmpDir } = withBasePath(basePath)
-
-    const disabledMiddlewarePath = path.join(
-      tmpDir,
-      'src',
-      'middleware__DISABLED.ts'
-    )
-
-    /* Rename the file to enable middleware functionality and then remove the disabled middleware file */
-    if (existsSync(disabledMiddlewarePath)) {
-      const enabledMiddlewarePath = path.join(tmpDir, 'src', 'middleware.ts')
-      copyFileSync(disabledMiddlewarePath, enabledMiddlewarePath)
-      removeSync(disabledMiddlewarePath)
-
-      logger.log(
-        `${chalk.green('success')} Redirects middleware has been enabled`
-      )
-    }
-  } catch (error) {
-    logger.error(error)
-    throw error
-  }
-}
-
 function enableSearchSSR(basePath: string) {
   const storeConfigPath = getCurrentUserStoreConfigFile(basePath)
 
@@ -551,7 +517,6 @@ export async function generate(options: GenerateOptions) {
     copyUserStarterToCustomizations(basePath),
     copyTheme(basePath),
     createCmsWebhookUrlsJsonFile(basePath),
-    enableRedirectsMiddleware(basePath),
 
     installPlugins(basePath),
   ])

packages/core/package.json

@@ -88,6 +88,7 @@
     "idb-keyval": "^5.1.3",
     "include-media": "^1.4.10",
     "isomorphic-unfetch": "^3.1.0",
+    "jose": "^6.1.3",
     "lexical": "^0.34.0",
     "next": "^13.5.9",
     "next-seo": "^6.6.0",

packages/core/src/middleware.ts

@@ -0,0 +1,83 @@
+/*
+ * Middleware is always active. It runs:
+ * 1. Password protection (AuthenticationService) — when applicable (default/custom domains per env).
+ * 2. Redirects — only when ENABLE_REDIRECTS_MIDDLEWARE is set at runtime.
+ */
+
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+import storeConfig from 'discovery.config'
+
+import { AuthenticationService } from './server/authentication-service'
+
+type Redirect = {
+  from: string
+  to: string
+  type: 'permanent' | 'temporary'
+}
+interface RedirectsClient {
+  get(from: string): Promise<Redirect | null>
+}
+
+class DynamoRedirectsClient implements RedirectsClient {
+  async get(_from: string): Promise<Redirect | null> {
+    // TODO: Implement DynamoDB client. Ensure that the cluster has access to DynamoDB first.
+    return null
+  }
+}
+
+const redirectsClient = new DynamoRedirectsClient()
+
+export async function middleware(request: NextRequest) {
+  const path = request.nextUrl.pathname
+
+  try {
+    const authService = new AuthenticationService()
+    const authResult = await authService.authenticateRequest(request)
+
+    if (authResult.response.status !== 200) {
+      return authResult.response
+    }
+
+    if (process.env.ENABLE_REDIRECTS_MIDDLEWARE === 'true') {
+      const redirect = await redirectsClient.get(path)
+
+      if (redirect) {
+        const redirectUrl = new URL(redirect.to, storeConfig.storeUrl)
+        const redirectStatusCode = redirect.type === 'permanent' ? 301 : 302
+        const response = NextResponse.redirect(redirectUrl, redirectStatusCode)
+
+        for (const cookie of authResult.response.cookies.getAll()) {
+          response.cookies.set(cookie)
+        }
+
+        response.headers.set(
+          'Cache-Control',
+          'public, max-age=300, stale-while-revalidate=31536000'
+        )
+
+        return response
+      }
+    }
+
+    return authResult.response
+  } catch {
+    return NextResponse.next()
+  }
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Match all paths including `/`
+     * Exclude:
+     * - api (e.g. api/fs/auth/login)
+     * - _next/static, _next/image
+     * - favicon.ico
+     * - fs-auth-login (login page)
+     * - ~partytown (partytown scripts)
+     */
+    '/',
+    '/((?!api|_next/static|_next/image|favicon.ico|fs-auth-login|~partytown).*)',
+  ],
+}

packages/core/src/pages/api/fs/auth/login.ts

@@ -0,0 +1,98 @@
+import type { NextApiHandler, NextApiRequest, NextApiResponse } from 'next'
+
+import storeConfig from 'discovery.config'
+
+import { isSecureAuthCookieForPagesApi } from '../../../../server/password-protection/auth-cookie'
+import {
+  sessionUrl,
+  passwordProtectionTimeouts,
+} from '../../../../server/password-protection/webops-api'
+
+const COOKIE_NAME = '__fs_auth_token'
+const TOKEN_TTL_SECONDS = 10 * 60
+
+const isSafeReturnToPath = (value: string): boolean => {
+  return value.startsWith('/') && !value.startsWith('//')
+}
+
+const handler: NextApiHandler = async (
+  request: NextApiRequest,
+  response: NextApiResponse
+) => {
+  if (request.method !== 'POST') {
+    response.status(405).end()
+    return
+  }
+
+  const storeId = storeConfig.api.storeId
+
+  try {
+    const { password } = request.body ?? {}
+
+    if (!password || typeof password !== 'string') {
+      response.status(400).json({
+        success: false,
+        error: 'Password is required',
+      })
+      return
+    }
+
+    const webopsResponse = await fetch(sessionUrl(), {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ storeId, password }),
+      signal: AbortSignal.timeout(passwordProtectionTimeouts.defaultMs),
+    })
+
+    if (!webopsResponse.ok) {
+      if (webopsResponse.status === 401 || webopsResponse.status === 403) {
+        response.status(401).json({
+          success: false,
+          error: 'Invalid password',
+        })
+        return
+      }
+
+      response.status(503).json({
+        success: false,
+        error: 'Service temporarily unavailable',
+      })
+      return
+    }
+
+    const data = await webopsResponse.json()
+
+    if (data.valid && data.token) {
+      const returnTo =
+        typeof request.query.returnTo === 'string'
+          ? request.query.returnTo
+          : '/'
+      const sanitizedReturnTo = isSafeReturnToPath(returnTo) ? returnTo : '/'
+
+      const securePart = isSecureAuthCookieForPagesApi(request)
+        ? '; Secure'
+        : ''
+
+      response.setHeader('Set-Cookie', [
+        `${COOKIE_NAME}=${data.token}; HttpOnly${securePart}; SameSite=Lax; Path=/; Max-Age=${TOKEN_TTL_SECONDS}`,
+      ])
+
+      response.status(200).json({
+        success: true,
+        redirectUrl: sanitizedReturnTo,
+      })
+    } else {
+      response.status(401).json({
+        success: false,
+        error: 'Invalid password',
+      })
+    }
+  } catch {
+    response.status(503).json({
+      success: false,
+      error: 'Service temporarily unavailable',
+    })
+  }
+}
+
+export default handler

packages/core/src/pages/fs-auth-login/fs-auth-login.module.scss

@@ -0,0 +1,41 @@
+@layer components {
+  .fsAuthLogin {
+    @import "@faststore/ui/src/components/atoms/Button/styles.scss";
+    @import "@faststore/ui/src/components/atoms/Input/styles.scss";
+    @import "@faststore/ui/src/components/atoms/Loader/styles.scss";
+    @import "@faststore/ui/src/components/molecules/InputField/styles.scss";
+  }
+}
+
+.page {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  padding: var(--fs-spacing-3);
+}
+
+.title {
+  margin: 0 0 var(--fs-spacing-6) 0;
+  font-size: var(--fs-text-size-title-section);
+  font-weight: var(--fs-text-weight-bold);
+}
+
+.subtitle {
+  margin: 0 0 var(--fs-spacing-3) 0;
+  font-size: var(--fs-text-size-body);
+}
+
+.form {
+  display: flex;
+  flex-direction: column;
+  gap: var(--fs-spacing-2);
+  align-items: stretch;
+  width: 100%;
+  max-width: 20rem;
+
+  button {
+    align-self: center;
+  }
+}