Merge pull request #3151 from SalesforceCommerceCloud/hotfix/skip-deleting-ecom-session-hybrid-auth

@W-19391396: [Bugfix] Do not delete DWSID on shopper login if hybrid auth is enabled

Author: shethj

packages/commerce-sdk-react/CHANGELOG.md

@@ -2,6 +2,8 @@
 
 - Update USID expiry to match SLAS refresh token expiry[#2854](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2854)
 
+- [Bugfix] Skip deleting dwsid on shopper login if hybrid auth is enabled for current site. [#3151](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3151)
+
 ## v3.4.0 (Jul 22, 2025)
 
 - Optionally disable auth init in CommerceApiProvider [#2629](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2629)

packages/commerce-sdk-react/src/auth/index.test.ts

@@ -1212,3 +1212,45 @@ describe('Auth service sends credentials fetch option to the ShopperLogin API',
         expect(shopperLogin.clientConfig.fetchOptions.credentials).toBe('same-origin')
     })
 })
+
+describe('hybridAuthEnabled property toggles clearECOMSession', () => {
+    beforeEach(() => {
+        jest.clearAllMocks()
+    })
+
+    test('clears DWSID cookie when hybridAuthEnabled is false', () => {
+        const auth = new Auth({...config, hybridAuthEnabled: false})
+
+        // Set a DWSID cookie value
+        // @ts-expect-error private method
+        auth.set('dwsid', 'test-dwsid-value')
+
+        // Verify the cookie was set
+        expect(auth.get('dwsid')).toBe('test-dwsid-value')
+
+        // Call clearECOMSession
+        // @ts-expect-error private method
+        auth.clearECOMSession()
+
+        // Verify the cookie was cleared
+        expect(auth.get('dwsid')).toBeFalsy()
+    })
+
+    test('does NOT clear DWSID cookie when hybridAuthEnabled is true', () => {
+        const auth = new Auth({...config, hybridAuthEnabled: true})
+
+        // Set a DWSID cookie value
+        // @ts-expect-error private method
+        auth.set('dwsid', 'test-dwsid-value')
+
+        // Verify the cookie was set
+        expect(auth.get('dwsid')).toBe('test-dwsid-value')
+
+        // Call clearECOMSession
+        // @ts-expect-error private method
+        auth.clearECOMSession()
+
+        // Verify the cookie was NOT cleared
+        expect(auth.get('dwsid')).toBe('test-dwsid-value')
+    })
+})

packages/commerce-sdk-react/src/auth/index.ts

@@ -53,6 +53,7 @@ interface AuthConfig extends ApiClientConfigParams {
     passwordlessLoginCallbackURI?: string
     refreshTokenRegisteredCookieTTL?: number
     refreshTokenGuestCookieTTL?: number
+    hybridAuthEnabled?: boolean
 }
 
 interface JWTHeaders {
@@ -243,6 +244,8 @@ class Auth {
         | ((loginId: string, usid: string, refresh: boolean) => Promise<TokenResponse>)
         | undefined
 
+    private hybridAuthEnabled: boolean
+
     constructor(config: AuthConfig) {
         // Special endpoint for injecting SLAS private client secret.
         const baseUrl = config.proxy.split(MOBIFY_PATH)[0]
@@ -339,6 +342,8 @@ class Auth {
                 ? passwordlessLoginCallbackURI
                 : `${baseUrl}${passwordlessLoginCallbackURI}`
             : ''
+
+        this.hybridAuthEnabled = config.hybridAuthEnabled || false
     }
 
     get(name: AuthDataKeys) {
@@ -576,6 +581,14 @@ class Auth {
      * registered shopper refresh-token and restores session and basket on SFRA.
      */
     private clearECOMSession() {
+        /**
+         * If `hybridAuthEnabled` is true, dwsid cookie must not be cleared.
+         * This makes sure the session-bridged dwsid, received from `/oauth2/token` call on shopper login
+         * is NOT cleared and can be used to maintain the server affinity.
+         */
+        if (this.hybridAuthEnabled) {
+            return
+        }
         const {key, storageType} = DATA_MAP[DWSID_COOKIE_NAME]
         const store = this.stores[storageType]
         store.delete(key)

packages/commerce-sdk-react/src/provider.tsx

@@ -50,6 +50,7 @@ export interface CommerceApiProviderProps extends ApiClientConfigParams {
     refreshTokenGuestCookieTTL?: number
     apiClients?: ApiClients
     disableAuthInit?: boolean
+    hybridAuthEnabled?: boolean
 }
 
 /**
@@ -108,6 +109,17 @@ export const AuthContext = React.createContext({} as Auth)
  * Non-PWA Kit users can enable private client mode by passing in a client secret
  * directly to the provider. However, be careful when doing this as you will have
  * to make sure the secret is not unexpectedly exposed to the client.
+ * 
+ * 
+ * `hybridAuthEnabled` is an optional flag that indicates the current Site has Hybrid Auth enabled.
+ * This drives the behavior of the `clearECOMSession` method. If `hybridAuthEnabled` is true,
+ * the `clearECOMSession` method will not be called. This makes sure the session-bridged dwsid, received from `/oauth2/token` call
+ * on shopper login is NOT cleared and can be used to maintain the server affinity.
+ * 
+ * `hybridAuthEnabled` flag can also be used to drive other Hybrid Auth specific behaviors in the future.
+ * 
+ * Note: `hybridAuthEnabled` should NOT be set to true for hybrid storefronts using Plugin SLAS as we need the dwsid to be deleted
+ * to force session-bridging on SFRA as in this case, the `oauth2/token` call does not return a dwsid.
  *
  * @returns Provider to wrap your app with
  */
@@ -134,7 +146,8 @@ const CommerceApiProvider = (props: CommerceApiProviderProps): ReactElement => {
         refreshTokenRegisteredCookieTTL,
         refreshTokenGuestCookieTTL,
         apiClients,
-        disableAuthInit = false
+        disableAuthInit = false,
+        hybridAuthEnabled = false
     } = props
 
     // Set the logger based on provided configuration, or default to the console object if no logger is provided
@@ -157,7 +170,8 @@ const CommerceApiProvider = (props: CommerceApiProviderProps): ReactElement => {
             defaultDnt,
             passwordlessLoginCallbackURI,
             refreshTokenRegisteredCookieTTL,
-            refreshTokenGuestCookieTTL
+            refreshTokenGuestCookieTTL,
+            hybridAuthEnabled
         })
     }, [
         clientId,
@@ -176,7 +190,8 @@ const CommerceApiProvider = (props: CommerceApiProviderProps): ReactElement => {
         passwordlessLoginCallbackURI,
         refreshTokenRegisteredCookieTTL,
         refreshTokenGuestCookieTTL,
-        apiClients
+        apiClients,
+        hybridAuthEnabled
     ])
 
     const dwsid = auth.get(DWSID_COOKIE_NAME)

packages/pwa-kit-create-app/CHANGELOG.md

@@ -1,6 +1,8 @@
 ## v3.12.0-dev (Jul 28, 2025)
 - This feature introduces an AI-powered shopping assistant that integrates Salesforce Embedded Messaging Service with PWA Kit applications. The shopper agent provides real-time chat support, search assistance, and personalized shopping guidance directly within the e-commerce experience. [#2658](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2658)
 
+- Update _app-config generator template to include `hybridAuthEnabled` prop [#3151](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3151)
+
 ## v3.11.0 (Jul 22, 2025)
 - Fix the demo instance details in `program.json`[#2800](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2800)
 - Fix exiting before `program.json` content can be flushed [#2699](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2699)

packages/pwa-kit-create-app/assets/bootstrap/js/overrides/app/components/_app-config/index.jsx.hbs

@@ -87,6 +87,8 @@ const AppConfig = ({children, locals = {}}) => {
             // Make sure to also enable useSLASPrivateClient in ssr.js when enabling this setting.
             enablePWAKitPrivateClient={true}
             {{/if}}
+            // Uncomment 'hybridAuthEnabled' if the current site has Hybrid Auth enabled. Do NOT set this flag for hybrid storefronts using Plugin SLAS.
+            // hybridAuthEnabled={true}
         >
             <MultiSiteProvider site={locals.site} locale={locals.locale} buildUrl={locals.buildUrl}>
                 <StoreLocatorProvider config={storeLocatorConfig}>

packages/pwa-kit-create-app/assets/templates/@salesforce/retail-react-app/app/components/_app-config/index.jsx.hbs

@@ -87,6 +87,8 @@ const AppConfig = ({children, locals = {}}) => {
             // Make sure to also enable useSLASPrivateClient in ssr.js when enabling this setting.
             enablePWAKitPrivateClient={true}
             {{/if}}
+            // Uncomment 'hybridAuthEnabled' if the current site has Hybrid Auth enabled. Do NOT set this flag for hybrid storefronts using Plugin SLAS.
+            // hybridAuthEnabled={true}
         >
             <MultiSiteProvider site={locals.site} locale={locals.locale} buildUrl={locals.buildUrl}>
                 <StoreLocatorProvider config={storeLocatorConfig}>

packages/template-retail-react-app/CHANGELOG.md

@@ -6,6 +6,8 @@
 
 - [Bugfix] Pin `@chakra-ui/react` version to 2.7.0 to avoid breaking changes from 2.10.9 [#2658](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2658)
 
+- Introduce optional prop `hybridAuthEnabled` to control Hybrid Auth specific behaviors in commerce-sdk-react [#3151](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3151)
+
 ## v7.0.0 (July 22, 2025)
 
 - Improved the layout of product tiles in product scroll and product list [#2446](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/2446)

packages/template-retail-react-app/app/components/_app-config/index.jsx

@@ -92,6 +92,8 @@ const AppConfig = ({children, locals = {}}) => {
             // Uncomment 'enablePWAKitPrivateClient' to use SLAS private client login flows.
             // Make sure to also enable useSLASPrivateClient in ssr.js when enabling this setting.
             // enablePWAKitPrivateClient={true}
+            // Uncomment 'hybridAuthEnabled' if the current site has Hybrid Auth enabled. Do NOT set this flag for hybrid storefronts using Plugin SLAS.
+            // hybridAuthEnabled={true}
             logger={createLogger({packageName: 'commerce-sdk-react'})}
         >
             <MultiSiteProvider site={locals.site} locale={locals.locale} buildUrl={locals.buildUrl}>