orcaqubits/sf-b2c-controllers
dist/codex/salesforce-commerce/skills/sf-b2c-controllers/SKILL.md
Build SFRA controllers — server.get/post/use route handlers, middleware chain with server.append/prepend/replace, CSRF protection, form validation, response rendering, and route-level caching. Use when implementing request handling in B2C Commerce.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins sf-b2c-controllersInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 6:00 AM237.2s1 file scanned
SKILL.md
- name:
- sf-b2c-controllers
- description:
- >
sf-b2c-controllers
Build SFRA controllers for request handling in Salesforce B2C Commerce Cloud.
Before Writing Code
Fetch live documentation FIRST:
-
Web-search for:
- "Salesforce B2C Commerce SFRA controllers documentation 2026"
- "SFCC server module middleware patterns"
- "B2C Commerce controller CSRF protection best practices"
-
Web-fetch official sources:
github.com/SalesforceCommerceCloud/storefront-reference-architecture(SFRA controllers)- Salesforce B2C Commerce server module API reference
-
Verify before coding: current server module syntax, middleware chain methods, CSRF validation requirements, form validation patterns in latest SFRA.
Conceptual Architecture
Controller Basics
Controllers are route handlers defined using the server module. Routes follow the naming convention ControllerName-ActionName (e.g., Product-Show, Cart-AddProduct).
- Controller file:
controllers/Product.js - Route:
Product-Show - URL:
https://site.com/Product-Show?pid=12345
Every controller file ends with module.exports = server.exports();
Server Module Methods
| Method | HTTP | Purpose | Example |
|--------|------|---------|---------|
| server.get(name, ...mw, handler) | GET | Display pages | Product-Show, Cart-Show |
| server.post(name, ...mw, handler) | POST | Form submissions | Cart-AddProduct, Account-Register |
| server.use(name, ...mw, handler) | Any | Shared logic, API endpoints | Method-agnostic handlers |
Middleware Chain
Middleware functions execute left to right before the final handler. Each must call next() to continue the chain.
server.post('Action',
server.middleware.https, -> 1. Force HTTPS
csrfProtection.validateRequest, -> 2. Validate CSRF
userLoggedIn.validateLoggedIn, -> 3. Require login
function (req, res, next) {} -> 4. Handler
);
Common built-in middleware:
server.middleware.https-- force HTTPScsrfProtection.validateRequest-- CSRF token validationcsrfProtection.generateToken-- generate CSRF token for formsuserLoggedIn.validateLoggedIn-- require authenticated userconsentTracking.consent-- consent tracking check
Extend vs Replace
| Method | What Happens | When to Use |
|--------|-------------|-------------|
| server.extend(base) | Inherit all base routes | Always start with this |
| server.append('Route', fn) | Run AFTER base handler | Add data to response, logging, analytics |
| server.prepend('Route', fn) | Run BEFORE base handler | Validation, guards, tracking |
| server.replace('Route', fn) | Completely override base | Fundamentally different logic (rare) |
| server.get/post('Route', fn) | Define new route | New functionality not in base |
// Pattern: Extend a base controller
var base = module.superModule;
server.extend(base);
// Fetch live docs for append/prepend behavior
Route Handling Lifecycle
HTTP Request
-> Route resolution (cartridge path, left-to-right)
-> server.use middleware (guards, validation)
-> server.prepend extensions
-> Base route handler (if extended)
-> server.append extensions
-> Response (render / json / redirect)
Response Types
| Method | Use Case |
|--------|----------|
| res.render(template, data) | Render ISML template (HTML page) |
| res.json(object) | Return JSON (AJAX responses) |
| res.redirect(url) | HTTP redirect |
| res.setStatusCode(code) | Set HTTP status (404, 500, etc.) |
| res.setViewData(data) | Set data for middleware chain sharing |
| res.getViewData() | Get data set by previous middleware |
Route-Level Caching
Cache GET responses via property assignment on res:
| Property | Type | Values |
|----------|------|--------|
| res.cachePeriod | Number | Duration value (e.g., 24) |
| res.cachePeriodUnit | String | 'minutes', 'hours', 'days' |
Never cache: cart, checkout, account pages. Always cache: product pages, category pages.
CSRF Protection
All state-changing requests (POST, DELETE) must validate CSRF tokens. The token is generated in the controller, passed to the ISML template as a hidden form field, and validated on submission via csrfProtection.validateRequest middleware.
Form Validation
Server-side form validation uses server.forms.getForm('formName'). Form definitions live in forms/default/*.xml. Always validate server-side -- never trust client-side validation alone.
Best Practices
Route Design
- RESTful naming:
Product-Show(view),Cart-AddProduct(action) - Separate GET and POST -- never use
server.usefor method-specific routes - Keep controllers thin -- move business logic to models and
scripts/helpers
Middleware
- Chain security checks before business logic (HTTPS, CSRF, auth)
- Always call
next()-- forgetting breaks the chain silently - Create reusable middleware in
scripts/middleware/ - Use
server.middleware.httpsfor all sensitive operations
Response Patterns
- Consistent JSON:
{ success: boolean, data?: object, errors?: array } - Set appropriate status codes (404, 400, 500)
- Use
res.setViewData/res.getViewDatato share data across middleware chain
Security
- CSRF protection on all state-changing operations
- Sanitize all user inputs (
req.querystring,req.form) - Wrap data mutations in
Transaction.wrap() - Log security events with
dw/system/Logger
Fetch the SFRA GitHub repository and server module API reference for exact method signatures, middleware patterns, and req/res property details before implementing.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026