Skip to main content

Server-First Pattern

The storefront follows a server-first architecture where all API calls are made server-side. The Spree API key is never exposed to the browser.
  • Server Actions (src/lib/data/) — call @spree/sdk directly with auth/cookie helpers from src/lib/spree
  • httpOnly Cookies — auth tokens, cart tokens, and locale are stored securely
  • No Client-Side API Calls — the Spree API key stays on the server
  • Auto-Localization — locale and country are read from cookies via getLocaleOptions()

Project Structure

Authentication Flow

  1. User submits login form
  2. Server action calls @spree/sdk to authenticate
  3. JWT token is stored in an httpOnly cookie via src/lib/spree cookie helpers
  4. Subsequent requests use withAuthRefresh() which reads the token from cookies automatically
  5. Token is never accessible to client-side JavaScript

Multi-Region Support

The storefront supports multiple countries and currencies via URL segments:
A middleware (src/proxy.ts) uses createSpreeMiddleware from src/lib/spree to detect the visitor’s country and locale, then redirects to the correct URL prefix. The CountrySwitcher component lets users change regions manually.

Server Actions

All data fetching is done through server actions in src/lib/data/. These call @spree/sdk directly, using src/lib/spree helpers for auth and locale: