[FEATURE] Storefront Protection 🔐 #2136

Open
johnboxall opened this issue Nov 18, 2024 · 0 comments

johnboxall commented Nov 18, 2024

For non-production storefronts, it is common to gate/block access to prevent unauthorized users or bots from seeing what is under development.

Managed Runtime provides the ability to set a list of allowed IPs and to deny requests that don't include an access control header: https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/mrt-overview.html#admin-tools

eCDN provides similar abilities: https://developer.salesforce.com/docs/commerce/commerce-api/guide/cdn-zones-custom-rules.html

However, to implement zero-trust authentication, you need more!

It would be useful to be able to mark a storefront as protected and validate that the user was authenticated with B2C Commerce Account Manager, similar to or the same as the Storefront Preview feature:

https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/storefront-preview.html#3-confirm-that-your-account-manager-user-has-access-to-the-b2c-commerce-instance

Today, it's possible to implement this in user space using either Account Manager's OIDC endpoints or the SLAS Trusted Agent Authorization.

You could couple this with an Express.js middleware approach as shown here:

https://github.com/auth0/express-openid-connect

Ideally, this could be a flag in Runtime Admin that you could enable on a per-environment basis, with the configuration coming from the B2C Commerce instance info of that environment.

@taurgis wrote a blog post with additional details: https://www.rhino-inquisitor.com/storefront-protection-in-the-pwa-kit/
