refactor

unandyala · unandyala · commit 39f33cae177b · 2026-03-04T16:50:56.000-06:00
diff --git a/packages/pwa-kit-runtime/src/ssr/server/build-remote-server.js b/packages/pwa-kit-runtime/src/ssr/server/build-remote-server.js
@@ -64,7 +64,7 @@ import {ApiGatewayV1Adapter} from '@h4ad/serverless-adapter/lib/adapters/aws'
 import {ExpressFramework} from '@h4ad/serverless-adapter/lib/frameworks/express'
 import {is as typeis} from 'type-is'
 import {getConfig} from '../../utils/ssr-config'
-import {applyHttpOnlySessionCookies} from './process-token-response'
+import {setHttpOnlySessionCookies} from './process-token-response'
 
 /**
  * An Array of mime-types (Content-Type values) that are considered
@@ -100,7 +100,7 @@ export const isBinary = (headers) => {
  * sets the Authorization header, and appends refresh_token to the query string.
  * @private
  */
-export const injectLogoutTokens = (proxyRequest, incomingRequest) => {
+export const setTokensInLogoutRequest = (proxyRequest, incomingRequest) => {
     const cookieHeader = incomingRequest.headers.cookie
     if (!cookieHeader) return
 
@@ -111,29 +111,26 @@ export const injectLogoutTokens = (proxyRequest, incomingRequest) => {
             'x-site-id header is missing on SLAS logout request. ' +
                 'Token injection skipped. ' +
                 'Ensure the x-site-id header is set in CommerceApiProvider headers.',
-            {namespace: 'injectLogoutTokens'}
+            {namespace: 'setTokensInLogoutRequest'}
         )
         return
     }
 
-    const site = siteId.trim()
-
     // Inject Bearer token from access token cookie
-    const accessToken = cookies[`cc-at_${site}`]
+    const accessToken = cookies[`cc-at_${siteId}`]
     if (accessToken) {
         proxyRequest.setHeader('Authorization', `Bearer ${accessToken}`)
     }
 
     // Inject refresh_token into query string from HttpOnly cookie
-    const refreshToken = cookies[`cc-nx_${site}`]
+    const refreshToken = cookies[`cc-nx_${siteId}`]
     if (refreshToken) {
-        const url = new URL(proxyRequest.path, 'http://localhost')
-        url.searchParams.set('refresh_token', refreshToken)
-        proxyRequest.path = url.pathname + url.search
+        const separator = proxyRequest.path.includes('?') ? '&' : '?'
+        proxyRequest.path += `${separator}refresh_token=${encodeURIComponent(refreshToken)}`
     } else {
         logger.warn(
-            `Refresh token cookie (cc-nx_${site}) not found for ${incomingRequest.path}. The logout request may fail.`,
-            {namespace: 'injectLogoutTokens'}
+            `Refresh token cookie (cc-nx_${siteId}) not found for ${incomingRequest.path}. The logout request may fail.`,
+            {namespace: 'setTokensInLogoutRequest'}
         )
     }
 }
@@ -214,11 +211,6 @@ export const RemoteServerFactory = {
             // cookies applied when that feature is enabled. Users can override this in ssr.js.
             tokenResponseEndpoints: SLAS_TOKEN_RESPONSE_ENDPOINTS,
 
-            // A regex for matching the SLAS logout endpoint. When HttpOnly session cookies are
-            // enabled, the proxy injects the Bearer token and refresh token from HttpOnly cookies
-            // for this endpoint. Users can override this in ssr.js.
-            slasLogoutEndpoint: SLAS_LOGOUT_ENDPOINT,
-
             // Custom callback to modify the SLAS private client proxy request. This callback is invoked
             // after the built-in proxy request handling. Users can provide additional
             // request modifications (e.g., custom headers).
@@ -1011,9 +1003,9 @@ export const RemoteServerFactory = {
                         proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`)
                     } else if (
                         process.env.MRT_DISABLE_HTTPONLY_SESSION_COOKIES === 'false' &&
-                        incomingRequest.path?.match(options.slasLogoutEndpoint)
+                        incomingRequest.path?.match(SLAS_LOGOUT_ENDPOINT)
                     ) {
-                        injectLogoutTokens(proxyRequest, incomingRequest)
+                        setTokensInLogoutRequest(proxyRequest, incomingRequest)
                     }
 
                     // Allow users to apply additional custom modifications to the proxy request
@@ -1045,7 +1037,7 @@ export const RemoteServerFactory = {
                             isTokenEndpoint
                         ) {
                             try {
-                                workingBuffer = applyHttpOnlySessionCookies(
+                                workingBuffer = setHttpOnlySessionCookies(
                                     workingBuffer,
                                     proxyRes,
                                     req,
@@ -1501,9 +1493,7 @@ export const RemoteServerFactory = {
      * @param {RegExp} [options.tokenResponseEndpoints] - A regex pattern to match SLAS endpoints
      * that return tokens in the response body. Used to determine which responses should have HttpOnly
      * session cookies applied. Defaults to /\/oauth2\/(token|passwordless\/token)$/.
-     * @param {RegExp} [options.slasLogoutEndpoint] - A regex pattern to match the SLAS logout endpoint.
-     * When HttpOnly session cookies are enabled, the proxy injects the Bearer token and refresh token
-     * from HttpOnly cookies for this endpoint. Defaults to /\/oauth2\/logout/.
+
      * @param {function} [options.onSLASPrivateProxyReq] - Custom callback to modify SLAS private client
      * proxy requests. Called after built-in request handling. Signature: (proxyRequest, incomingRequest, res) => void.
      * Use this to add custom headers or modify the proxy request.
diff --git a/packages/pwa-kit-runtime/src/ssr/server/process-token-response.js b/packages/pwa-kit-runtime/src/ssr/server/process-token-response.js
@@ -67,9 +67,9 @@ function getTokenClaims(accessToken) {
  * strip token fields from body, and append our Set-Cookie headers (preserving upstream cookies).
  * @private
  */
-export function applyHttpOnlySessionCookies(responseBuffer, proxyRes, req, res, options) {
+export function setHttpOnlySessionCookies(responseBuffer, proxyRes, req, res, options) {
     const siteId = req.headers?.['x-site-id']
-    if (!siteId || typeof siteId !== 'string' || siteId.trim() === '') {
+    if (!siteId) {
         throw new Error(
             'HttpOnly session cookies are enabled but siteId is missing. ' +
                 'Ensure the x-site-id header is set on the request.'
@@ -83,7 +83,7 @@ export function applyHttpOnlySessionCookies(responseBuffer, proxyRes, req, res,
         return responseBuffer
     }
 
-    const site = siteId.trim()
+    const site = siteId
 
     // Decode JWT and extract claims
     let isGuest = true
diff --git a/packages/pwa-kit-runtime/src/ssr/server/process-token-response.test.js b/packages/pwa-kit-runtime/src/ssr/server/process-token-response.test.js
@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: BSD-3-Clause
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
-import {getRefreshTokenCookieTTL, applyHttpOnlySessionCookies} from './process-token-response'
+import {getRefreshTokenCookieTTL, setHttpOnlySessionCookies} from './process-token-response'
 import {parse as parseSetCookie} from 'set-cookie-parser'
 
 jest.mock('../../utils/logger-instance', () => ({
@@ -24,17 +24,6 @@ function makeJWT(payload) {
     return `${header}.${payloadPart}.sig`
 }
 
-function makeOptions() {
-    return {
-        mobify: {
-            app: {
-                commerceAPI: {
-                    parameters: {}
-                }
-            }
-        }
-    }
-}
 
 function makeReq(siteId = 'testsite') {
     return {headers: {'x-site-id': siteId}}
@@ -126,7 +115,7 @@ describe('getRefreshTokenCookieTTL', () => {
     })
 })
 
-describe('applyHttpOnlySessionCookies', () => {
+describe('setHttpOnlySessionCookies', () => {
     beforeEach(() => {
         jest.clearAllMocks()
     })
@@ -135,24 +124,15 @@ describe('applyHttpOnlySessionCookies', () => {
         const res = makeRes()
         const buf = makeResponseBuffer({access_token: 'x'})
         const req = {headers: {}}
-        expect(() => applyHttpOnlySessionCookies(buf, {}, req, res, makeOptions())).toThrow(
-            /siteId is missing/
-        )
-    })
-
-    test('throws when x-site-id header is empty string', () => {
-        const res = makeRes()
-        const buf = makeResponseBuffer({access_token: 'x'})
-        const req = makeReq('  ')
-        expect(() => applyHttpOnlySessionCookies(buf, {}, req, res, makeOptions())).toThrow(
+        expect(() => setHttpOnlySessionCookies(buf, {}, req, res, {})).toThrow(
             /siteId is missing/
         )
     })
 
     test('returns buffer unchanged for non-JSON response', () => {
         const res = makeRes()
         const buf = Buffer.from('not json', 'utf8')
-        const result = applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())
+        const result = setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})
         expect(result).toBe(buf)
         expect(res.append).not.toHaveBeenCalled()
     })
@@ -172,7 +152,7 @@ describe('applyHttpOnlySessionCookies', () => {
             expires_in: 1800,
             customer_id: 'cust123'
         })
-        const result = applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())
+        const result = setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})
 
         // cc-at: access token (HttpOnly)
         const atCookie = parseCookie(res.cookies.find((c) => c.includes('cc-at_testsite=')))
@@ -238,7 +218,7 @@ describe('applyHttpOnlySessionCookies', () => {
             refresh_token: 'refresh-value',
             expires_in: 1800
         })
-        const result = applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())
+        const result = setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})
 
         // cc-at (HttpOnly)
         const atCookie = parseCookie(res.cookies.find((c) => c.includes('cc-at_testsite=')))
@@ -283,15 +263,15 @@ describe('applyHttpOnlySessionCookies', () => {
             refresh_token: 'refresh-value',
             expires_in: 1800
         })
-        applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())
+        setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})
 
         expect(res.cookies.find((c) => c.includes('uido_testsite'))).toBeUndefined()
     })
 
     test('throws when access token JWT is invalid', () => {
         const res = makeRes()
         const buf = makeResponseBuffer({access_token: 'not-a-jwt', expires_in: 1800})
-        expect(() => applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())).toThrow(
+        expect(() => setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})).toThrow(
             /Failed to decode access token JWT/
         )
     })
@@ -300,7 +280,7 @@ describe('applyHttpOnlySessionCookies', () => {
         const res = makeRes()
         const accessToken = makeJWT({iat: 5000, exp: 6800, isb: 'uido:ecom::upn:Guest'})
         const buf = makeResponseBuffer({access_token: accessToken})
-        applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())
+        setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})
 
         const expCookie = res.cookies.find((c) => c.includes('cc-at-expires_testsite='))
         const parsed = parseCookie(expCookie)
@@ -310,30 +290,18 @@ describe('applyHttpOnlySessionCookies', () => {
     test('handles response with no tokens (no cookies set, body returned stripped)', () => {
         const res = makeRes()
         const buf = makeResponseBuffer({expires_in: 1800, other_field: 'value'})
-        const result = applyHttpOnlySessionCookies(buf, {}, makeReq(), res, makeOptions())
+        const result = setHttpOnlySessionCookies(buf, {}, makeReq(), res, {})
         const body = JSON.parse(result.toString('utf8'))
 
         expect(res.cookies).toHaveLength(0)
         expect(body.other_field).toBe('value')
     })
 
-    test('trims x-site-id and uses trimmed value in cookie names', () => {
-        const res = makeRes()
-        const accessToken = makeJWT({iat: 1000, isb: 'uido:ecom::upn:Guest'})
-        const buf = makeResponseBuffer({access_token: accessToken, expires_in: 1800})
-        applyHttpOnlySessionCookies(buf, {}, makeReq('  mysite  '), res, makeOptions())
-
-        const atCookie = res.cookies.find((c) => c.includes('cc-at_mysite='))
-        expect(atCookie).toBeDefined()
-        // No leading/trailing spaces in cookie name
-        expect(res.cookies.find((c) => c.includes('cc-at_  mysite'))).toBeUndefined()
-    })
-
     test('uses x-site-id header to resolve correct cookie names', () => {
         const res = makeRes()
         const accessToken = makeJWT({iat: 1000, exp: 2800, isb: 'uido:ecom::upn:Guest'})
         const buf = makeResponseBuffer({access_token: accessToken, expires_in: 1800})
-        applyHttpOnlySessionCookies(buf, {}, makeReq('othersite'), res, makeOptions())
+        setHttpOnlySessionCookies(buf, {}, makeReq('othersite'), res, {})
 
         const atCookie = res.cookies.find((c) => c.includes('cc-at_othersite='))
         expect(atCookie).toBeDefined()
diff --git a/packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.basic.test.js b/packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.basic.test.js
@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: BSD-3-Clause
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
-import {applyProxyRequestHeaders, applyScapiAuthHeaders, configureProxy} from './configure-proxy'
+import {applyProxyRequestHeaders, setScapiAuthRequestHeaders, configureProxy} from './configure-proxy'
 import * as ssrProxying from '../ssr-proxying'
 import * as utils from './utils'
 import cookie from 'cookie'
@@ -100,7 +100,7 @@ describe('configureProxy ALLOWED_CACHING_PROXY_REQUEST_METHODS', () => {
     })
 })
 
-describe('applyScapiAuthHeaders', () => {
+describe('setScapiAuthRequestHeaders', () => {
     beforeEach(() => {
         jest.clearAllMocks()
     })
@@ -121,7 +121,7 @@ describe('applyScapiAuthHeaders', () => {
             }
         }
 
-        applyScapiAuthHeaders({
+        setScapiAuthRequestHeaders({
             proxyRequest,
             incomingRequest,
             caching: false,
@@ -149,7 +149,7 @@ describe('applyScapiAuthHeaders', () => {
             }
         }
 
-        applyScapiAuthHeaders({
+        setScapiAuthRequestHeaders({
             proxyRequest,
             incomingRequest,
             caching: true,
@@ -172,7 +172,7 @@ describe('applyScapiAuthHeaders', () => {
             headers: {}
         }
 
-        applyScapiAuthHeaders({
+        setScapiAuthRequestHeaders({
             proxyRequest,
             incomingRequest,
             caching: false,
@@ -201,7 +201,7 @@ describe('applyScapiAuthHeaders', () => {
             }
         }
 
-        applyScapiAuthHeaders({
+        setScapiAuthRequestHeaders({
             proxyRequest,
             incomingRequest,
             caching: false,
@@ -223,7 +223,7 @@ describe('applyScapiAuthHeaders', () => {
             headers: {'x-site-id': 'RefArch'}
         }
 
-        applyScapiAuthHeaders({
+        setScapiAuthRequestHeaders({
             proxyRequest,
             incomingRequest,
             caching: false,
@@ -249,7 +249,7 @@ describe('applyScapiAuthHeaders', () => {
             }
         }
 
-        applyScapiAuthHeaders({
+        setScapiAuthRequestHeaders({
             proxyRequest,
             incomingRequest,
             caching: false,
diff --git a/packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.js b/packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.js
@@ -44,7 +44,12 @@ const generalProxyPathRE = /^\/mobify\/proxy\/([^/]+)(\/.*)$/
  * @param caching {Boolean} true for a caching proxy, false for a standard proxy
  * @param targetHost {String} the target hostname (host+port)
  */
-export const applyScapiAuthHeaders = ({proxyRequest, incomingRequest, caching, targetHost}) => {
+export const setScapiAuthRequestHeaders = ({
+    proxyRequest,
+    incomingRequest,
+    caching,
+    targetHost
+}) => {
     const url = incomingRequest.url
     const resolvedSiteId = incomingRequest.headers?.['x-site-id']
 
@@ -56,7 +61,7 @@ export const applyScapiAuthHeaders = ({proxyRequest, incomingRequest, caching, t
     if (!resolvedSiteId) {
         logger.warn(
             'x-site-id header is missing on SCAPI proxy request. Bearer token injection skipped.',
-            {namespace: 'configureProxy.applyScapiAuthHeaders'}
+            {namespace: 'configureProxy.setScapiAuthRequestHeaders'}
         )
         return
     }
@@ -66,7 +71,7 @@ export const applyScapiAuthHeaders = ({proxyRequest, incomingRequest, caching, t
     if (!cookieHeader) return
 
     const cookies = cookie.parse(cookieHeader)
-    const tokenKey = `cc-at_${resolvedSiteId.trim()}`
+    const tokenKey = `cc-at_${resolvedSiteId}`
     const accessToken = cookies[tokenKey]
 
     if (accessToken) {
@@ -257,7 +262,7 @@ export const configureProxy = ({
 
             // Apply Authorization header with shopper's access token from HttpOnly cookie
             if (process.env.MRT_DISABLE_HTTPONLY_SESSION_COOKIES === 'false') {
-                applyScapiAuthHeaders({
+                setScapiAuthRequestHeaders({
                     proxyRequest,
                     incomingRequest,
                     caching,
