For non-production storefronts, it is common to gate/block access to prevent unauthorized users or bots from seeing what is under development.
Managed Runtime provides the ability to set a list of allowed IPs and to deny requests that don't include an access control header: https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/mrt-overview.html#admin-tools
eCDN provides similar abilities: https://developer.salesforce.com/docs/commerce/commerce-api/guide/cdn-zones-custom-rules.html
However, to implement a zero-trust authentication, you need more!
It would be useful to be able to mark a storefront as protected and validate that the user was authenticated with B2C Commerce Account Manager, similar to (or the same as) the Storefront Preview feature:
https://developer.salesforce.com/docs/commerce/pwa-kit-managed-runtime/guide/storefront-preview.html#3-confirm-that-your-account-manager-user-has-access-to-the-b2c-commerce-instance
Today, it's possible to implement this in user space using either Account Manager's OIDC endpoints or the SLAS Trusted Agent Authorization.
You could couple this with an Express.js middleware approach as shown here:
https://github.com/auth0/express-openid-connect
Ideally, this could be a flag in Runtime Admin that you could enable on a per environment basis, with the configuration coming from the B2C Commerce instance info of that environment.
@taurgis wrote a blog post with additional details: https://www.rhino-inquisitor.com/storefront-protection-in-the-pwa-kit/
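Added example (not code from the issue author, the PWA Kit project or express-openid-connect): a minimal Express-style `(req, res, next)` gate that marks a storefront as protected per environment and lets only authenticated requests through, which is the user-space approach the issue describes. The `ENVIRONMENTS` table, the `ALWAYS_OPEN` path names, the `/login?returnTo=` redirect shape and the `isAuthenticated` predicate are all assumptions; with express-openid-connect the predicate would wrap the session check that middleware provides. Mock request/response objects are constructed inline so the block runs offline with plain Node.js.

```javascript
'use strict';

// Per-environment storefront protection settings. Constructed sample: in a real
// deployment the "protected" flag would come from the environment's configuration
// (the issue proposes a Runtime Admin flag backed by the B2C Commerce instance info).
const ENVIRONMENTS = {
  production: { protected: false, loginPath: '/login' },
  staging: { protected: true, loginPath: '/login' },
};

// Paths that stay reachable without a session. Assumed names: the OIDC login and
// callback routes must be open or nobody could ever authenticate, and the
// health-check path must be open so the platform can probe the app.
const ALWAYS_OPEN = new Set(['/login', '/callback', '/healthz']);

// Path component only, so "/?q=1" and "/login?returnTo=..." are matched correctly.
function urlPath(url) {
  return new URL(url, 'http://localhost').pathname;
}

function acceptsHtml(req) {
  return String((req.headers && req.headers.accept) || '').includes('text/html');
}

// Build an Express-style middleware for one environment. `isAuthenticated(req)`
// is an assumed predicate supplied by the caller (e.g. wrapping the OIDC
// middleware's session check).
function storefrontGate({ environment, isAuthenticated }) {
  const config = ENVIRONMENTS[environment];
  if (!config) throw new Error(`unknown environment: ${environment}`);

  return function gate(req, res, next) {
    if (!config.protected) return next(); // e.g. production: open to everyone
    if (ALWAYS_OPEN.has(urlPath(req.url))) return next();
    if (isAuthenticated(req)) return next();

    // Deny. Nothing from the storefront is rendered, and the denial is marked
    // no-store so a CDN or the browser never caches it for another visitor.
    res.setHeader('Cache-Control', 'no-store');
    if (acceptsHtml(req)) {
      // Browsers go to the login route; the original URL rides along so the
      // user lands back where they started after Account Manager login.
      res.statusCode = 302;
      res.setHeader('Location', `${config.loginPath}?returnTo=${encodeURIComponent(req.url)}`);
      return res.end();
    }
    // Non-browser clients (fetch/XHR for JSON) get a plain 401, not a redirect.
    res.statusCode = 401;
    return res.end('authentication required');
  };
}

// Minimal stand-ins for Express objects so the gate can be exercised offline.
function mockResponse() {
  const res = { statusCode: 200, headers: {}, body: '', ended: false };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.end = (body = '') => { res.body = body; res.ended = true; };
  return res;
}

// Run one request through the gate; `passed` is true when next() was called.
function dispatch(gate, req) {
  const res = mockResponse();
  let passed = false;
  gate(req, res, () => { passed = true; });
  return { res, passed };
}

// Small demonstration with constructed requests against the protected "staging" environment.
function demo() {
  const gate = storefrontGate({ environment: 'staging', isAuthenticated: (r) => Boolean(r.user) });
  const anon = dispatch(gate, { url: '/?q=1', headers: { accept: 'text/html' } });
  const user = dispatch(gate, { url: '/', headers: { accept: 'text/html' }, user: { sub: 'alice' } });
  console.log(`anonymous browser -> ${anon.res.statusCode} ${anon.res.headers.location}`);
  console.log(`authenticated user -> passed=${user.passed}`);
  return { anon, user };
}

demo();
```

Mount the gate before the SSR and static handlers so no storefront route is reachable around it, and keep the login/callback paths out of the CDN cache as well; a cached denial or a cached authenticated page would undo the check for the next visitor.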