
Consolidate Hydrogen Reserved Routes Under Single Path

Open vlucas opened this issue 2 years ago • 6 comments

Currently, Hydrogen has 3 different reserved routes:

  • __events - Analytics events
  • __health - Basic health check for deployments
  • __rsc - For React Server Components

Instead of many top-level routes that need to be reserved and expanded in future versions if we need more, we should consolidate all of these under a single subfolder so that it is easy to whitelist and is fully future-proof.

I recommend the __h2/* path to be reserved by Hydrogen, so that the new routes would be:

  • __h2/events
  • __h2/health
  • __h2/rsc
  • __health - We should keep this and just deprecate it for a bit since Oxygen uses it for a health check

vlucas, Jul 12 '22 18:07
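One way to implement the reserved-namespace check the proposal implies, as an added example that is not Hydrogen's own code: the route names (`__h2/events`, `__h2/health`, `__h2/rsc`, and the deprecated top-level `__health`) are the ones from the proposal above; the function names, the returned object shape and the normalization rules are this example's assumptions. The point it adds is that a reserved prefix is only as good as the path it is matched against: an allowlist that looks for a literal `/__h2/` is bypassed by percent-encoding or dot-segments unless the path is normalized first, and a user route must not be able to climb out of or into the namespace that way.

```javascript
// Added example, not Hydrogen's code: decide whether a request path falls in
// the framework's reserved namespace, using the consolidated __h2/* layout
// proposed in the issue and keeping the top-level __health as a deprecated
// alias. The route names are the ones from the proposal; everything else
// (function names, the returned shape) is this example's own.

const RESERVED_PREFIX = '/__h2/';
const RESERVED_SUBPATHS = new Set(['events', 'health', 'rsc']);
const DEPRECATED_ALIASES = new Map([['/__health', '/__h2/health']]);

// Reduce a raw request path to the form routing actually sees. Matching the
// reserved prefix against the raw string would let '/%5F%5Fh2/events' or
// '/products/../__h2/events' slip past an allowlist that only looks for
// '/__h2/'. Decoding is done exactly once: decoding again would let '%252F'
// turn into a second '/' after the segment split.
function normalizePath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue; // drop empty and '.' segments
    if (seg === '..') { segments.pop(); continue; } // never climb above '/'
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Returns { reserved, canonical, deprecated } for a request path.
// canonical is the route the framework would serve, or null when the path is
// inside the reserved prefix but names no known route.
function classifyRoute(pathname) {
  const path = normalizePath(pathname);
  if (path === null) {
    return { reserved: false, canonical: null, deprecated: false };
  }
  if (DEPRECATED_ALIASES.has(path)) {
    return { reserved: true, canonical: DEPRECATED_ALIASES.get(path), deprecated: true };
  }
  if (path === RESERVED_PREFIX.slice(0, -1) || path.startsWith(RESERVED_PREFIX)) {
    // The whole prefix is reserved, including sub-paths the framework does
    // not use yet; that is what makes the namespace future-proof.
    const first = path.slice(RESERVED_PREFIX.length).split('/')[0];
    const canonical = RESERVED_SUBPATHS.has(first) ? RESERVED_PREFIX + first : null;
    return { reserved: true, canonical, deprecated: false };
  }
  return { reserved: false, canonical: null, deprecated: false };
}
```

With this shape, a CDN or WAF allowlist needs two entries, `/__h2/*` and the deprecated `/__health`, instead of one per feature, and the same `normalizePath` must be applied on whichever layer does the allowlisting, or the two layers will disagree about which requests are framework traffic.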

We should probably reserve the top-level /account path as well, as Shopify's 1P customer accounts all use this for things like account activation, reset password, etc.

@benjaminsehl any others you're aware of?

davecyen, Jul 12 '22 18:07

@davecyen The /account path is specific to the demo store though, not the base framework itself when used in any context. I personally don't think it should be reserved and prevented from use by users.

vlucas, Jul 12 '22 19:07

It's actually hard coded into Shopify's auth system.

For example, when a customer triggers a password reset, an email is sent to them that links to [domain]/account/reset...

A merchant can change the domain for this link, so that they can target their Hydrogen storefront domain, but they can't change the /account/ path.

davecyen, Jul 12 '22 19:07

On second thought, though, if a merchant isn't using customer accounts, then /account wouldn't need to be reserved.

So yeah, you're right and I think the answer to this comes back to plugins and packaging auth.

davecyen, Jul 12 '22 19:07

@davecyen they also could set up a 300 redirect API route to forward the email URLs if they wanted something different.

blittle, Jul 12 '22 21:07
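The forwarding route suggested above, as an added example that is not Hydrogen's or Shopify's code: it takes the `/account/reset...` links from Shopify's emails (the only sub-path the thread names) and redirects them to a path the merchant chose. The target prefix `/customer/`, the function name, the 302 status and the plain URL-string-in, object-out signature are this example's assumptions; Hydrogen's own API-route conventions are not assumed. The caveat worth showing is that a forwarding route must build its `Location` from a fixed same-origin prefix plus the incoming path, never from request-controlled host or target parameters, or it becomes an open redirect sitting exactly where password-reset traffic arrives.

```javascript
// Added example, not Hydrogen's or Shopify's code: a redirect route that
// forwards the fixed /account/... links in Shopify's customer emails (the
// thread gives /account/reset... as the example) onto the path a storefront
// actually serves them from. The target prefix, the function name and the
// 302 status are this example's choices. It takes a request URL string and
// returns the redirect to send, or null to fall through to normal routing.

const FORWARDED_PREFIX = '/account/';
const TARGET_PREFIX = '/customer/'; // hypothetical: wherever the storefront mounts account pages

// Only the sub-paths the emails are known to use are forwarded. 'reset' is
// the one the thread names; add others as the merchant confirms them. Scoping
// the rule keeps the route from silently claiming every future /account/ page.
const FORWARDED_SUBPATHS = new Set(['reset']);

function forwardAccountLink(requestUrl) {
  const url = new URL(requestUrl);
  if (!url.pathname.startsWith(FORWARDED_PREFIX)) return null;
  const rest = url.pathname.slice(FORWARDED_PREFIX.length);
  const first = rest.split('/')[0];
  if (!FORWARDED_SUBPATHS.has(first)) return null;
  // Carry over the remaining path (the reset link's identifiers live there)
  // and the query string unchanged. The Location is a fixed prefix plus that
  // path, never a host or target taken from the request, so the route cannot
  // be used as an open redirect for phishing off the reset-email flow.
  const location = TARGET_PREFIX + rest + url.search;
  return { status: 302, headers: { Location: location } };
}
```

Because the merchant can only change the domain in the email link and not the `/account/` path, this route has to live on the storefront origin the email points at; a bare `/account` (no trailing slash) and any other `/account/...` page are left to normal routing.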

@davecyen I think this is something that a future official auth plugin could handle though - it would automatically just take/hijack the /account path and add all the necessary required pages under it.

vlucas, Jul 14 '22 21:07