Guard applyScapiAuthHeaders behind HttpOnly flag, remove SLAS auth check, warn on missing x-site-id

Only invoke applyScapiAuthHeaders when HttpOnly session cookies are
enabled. Remove the unnecessary SLAS auth endpoint guard since SLAS
requests use a separate proxy. Log a warning when x-site-id header
is missing on SCAPI requests to aid debugging if the template is
misconfigured.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: unandyala

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.test.js

@@ -523,7 +523,10 @@ describe('HttpOnly session cookies', () => {
 
             const response = await request(app)
                 .post('/mobify/slas/private/shopper/auth/v1/oauth2/logout')
-                .set('Cookie', 'cc-at_testsite=mock-access-token; cc-nx_testsite=mock-refresh-token')
+                .set(
+                    'Cookie',
+                    'cc-at_testsite=mock-access-token; cc-nx_testsite=mock-refresh-token'
+                )
                 .set('x-site-id', 'testsite')
 
             expect(response.status).toBe(200)

packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.basic.test.js

@@ -14,6 +14,16 @@ jest.mock('./utils', () => ({
     ...jest.requireActual('./utils'),
     isScapiDomain: jest.fn()
 }))
+jest.mock('../logger-instance', () => ({
+    __esModule: true,
+    default: {
+        warn: jest.fn(),
+        info: jest.fn(),
+        error: jest.fn()
+    }
+}))
+
+import logger from '../logger-instance'
 
 describe('applyProxyRequestHeaders', () => {
     it('removes a header not present in new headers', () => {
@@ -124,32 +134,6 @@ describe('applyScapiAuthHeaders', () => {
         )
     })
 
-    it('skips all SLAS auth endpoints (handled by SLAS private proxy)', () => {
-        utils.isScapiDomain.mockReturnValue(true)
-        cookie.parse.mockReturnValue({'cc-at_RefArch': 'test-access-token'})
-
-        const proxyRequest = {
-            setHeader: jest.fn()
-        }
-        const incomingRequest = {
-            url: '/shopper/auth/v1/oauth2/logout',
-            headers: {
-                cookie: 'cc-at_RefArch=test-access-token',
-                'x-site-id': 'RefArch'
-            }
-        }
-
-        applyScapiAuthHeaders({
-            proxyRequest,
-            incomingRequest,
-            caching: false,
-            targetHost: 'abc-001.api.commercecloud.salesforce.com'
-        })
-
-        // SLAS auth endpoints are handled by the SLAS private client proxy
-        expect(proxyRequest.setHeader).not.toHaveBeenCalled()
-    })
-
     it('does not apply Bearer token when caching is true', () => {
         utils.isScapiDomain.mockReturnValue(true)
         cookie.parse.mockReturnValue({'cc-at_RefArch': 'test-access-token'})
@@ -176,7 +160,7 @@ describe('applyScapiAuthHeaders', () => {
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()
     })
 
-    it('does not apply Bearer token when x-site-id header is missing', () => {
+    it('logs warning and skips when x-site-id header is missing on SCAPI request', () => {
         utils.isScapiDomain.mockReturnValue(true)
         cookie.parse.mockReturnValue({})
 
@@ -196,6 +180,10 @@ describe('applyScapiAuthHeaders', () => {
         })
 
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()
+        expect(logger.warn).toHaveBeenCalledWith(
+            expect.stringContaining('x-site-id header is missing'),
+            expect.any(Object)
+        )
     })
 
     it('does not apply Bearer token when target is not SCAPI domain', () => {

packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.js

@@ -36,9 +36,6 @@ const generalProxyPathRE = /^\/mobify\/proxy\/([^/]+)(\/.*)$/
  * 1. Caching proxies never use auth (skip)
  * 2. x-site-id header must be present (skip if not)
  * 3. Target must be SCAPI domain (skip if not)
- * 4. SLAS auth endpoints (/shopper/auth/*) are skipped — Bearer injection for SLAS
- *    is handled by the SLAS private client proxy in build-remote-server.js
- * 5. For non-SLAS auth endpoints (e.g., /shopper/products, /shopper/baskets): Always apply Bearer token
  *
  * @private
  * @function
@@ -47,21 +44,20 @@ const generalProxyPathRE = /^\/mobify\/proxy\/([^/]+)(\/.*)$/
  * @param caching {Boolean} true for a caching proxy, false for a standard proxy
  * @param targetHost {String} the target hostname (host+port)
  */
-export const applyScapiAuthHeaders = ({
-    proxyRequest,
-    incomingRequest,
-    caching,
-    targetHost
-}) => {
+export const applyScapiAuthHeaders = ({proxyRequest, incomingRequest, caching, targetHost}) => {
     const url = incomingRequest.url
     const resolvedSiteId = incomingRequest.headers?.['x-site-id']
 
-    // Skip if: caching proxy, no siteId, not SCAPI domain, or no URL
-    if (caching || !resolvedSiteId || !isScapiDomain(targetHost) || !url) {
+    // Skip if: caching proxy, not SCAPI domain, or no URL
+    if (caching || !isScapiDomain(targetHost) || !url) {
         return
     }
-    // SLAS auth endpoints are handled by the SLAS private client proxy
-    if (url.startsWith('/shopper/auth/')) {
+
+    if (!resolvedSiteId) {
+        logger.warn(
+            'x-site-id header is missing on SCAPI proxy request. Bearer token injection skipped.',
+            {namespace: 'configureProxy.applyScapiAuthHeaders'}
+        )
         return
     }
 
@@ -260,12 +256,14 @@ export const configureProxy = ({
             })
 
             // Apply Authorization header with shopper's access token from HttpOnly cookie
-            applyScapiAuthHeaders({
-                proxyRequest,
-                incomingRequest,
-                caching,
-                targetHost
-            })
+            if (process.env.MRT_DISABLE_HTTPONLY_SESSION_COOKIES === 'false') {
+                applyScapiAuthHeaders({
+                    proxyRequest,
+                    incomingRequest,
+                    caching,
+                    targetHost
+                })
+            }
         },
 
         onProxyRes: (proxyResponse, req) => {