Fix setting multiple cookies (#3508)

* Fix multi cookies

* Cleanup

* Refactor

Author: kieran-sf

packages/pwa-kit-runtime/CHANGELOG.md

@@ -1,4 +1,5 @@
-## v3.15.0-dev (Nov 05, 2025)
+## v3.15.0-dev (Dec 11, 2025)
+- Fix multiple set-cookie headers [#3508](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3508)
 
 ## v3.14.0 (Nov 04, 2025)
 - Replace aws-serverless-express with @h4ad/serverless-adapter [#3325](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3325)

packages/pwa-kit-runtime/src/utils/ssr-server.test.js

@@ -621,6 +621,86 @@ describe('processLambdaResponse', () => {
             testCase.validate(res.headers)
         })
     })
+
+    test('preserves single cookie in multiValueHeaders', () => {
+        const response = {
+            multiValueHeaders: {
+                'set-cookie': ['test-cookie=test-value; Path=/']
+            }
+        }
+        const event = {}
+        const result = processLambdaResponse(response, event)
+
+        expect(result.multiValueHeaders).toBeDefined()
+        expect(result.multiValueHeaders['set-cookie']).toEqual(['test-cookie=test-value; Path=/'])
+        expect(result.headers['set-cookie']).toBeUndefined()
+    })
+
+    test('preserves multiple cookies in multiValueHeaders', () => {
+        const response = {
+            multiValueHeaders: {
+                'set-cookie': ['test-cookie=test-value; Path=/', 'test-value2', 'test-value3']
+            }
+        }
+        const event = {}
+        const result = processLambdaResponse(response, event)
+
+        expect(result.multiValueHeaders).toBeDefined()
+        expect(result.multiValueHeaders['set-cookie']).toEqual([
+            'test-cookie=test-value; Path=/',
+            'test-value2',
+            'test-value3'
+        ])
+        expect(result.headers['set-cookie']).toBeUndefined()
+    })
+
+    test('removes set-cookie from headers when cookies are in multiValueHeaders', () => {
+        const response = {
+            multiValueHeaders: {
+                'set-cookie': ['test-cookie=test-value; Path=/'],
+                'Accept-Language': ['en-US']
+            }
+        }
+        const event = {}
+        const result = processLambdaResponse(response, event)
+
+        // set-cookie should be removed from headers
+        expect(result.headers['set-cookie']).toBeUndefined()
+        // Other headers should still be present
+        expect(result.headers['accept-language']).toBe('en-US')
+        // Cookies should be in multiValueHeaders
+        expect(result.multiValueHeaders['set-cookie']).toEqual(['test-cookie=test-value; Path=/'])
+    })
+
+    test('does not add multiValueHeaders when no cookies are present', () => {
+        const response = {
+            multiValueHeaders: {
+                'Accept-Language': ['en-US']
+            }
+        }
+        const event = {}
+        const result = processLambdaResponse(response, event)
+
+        // multiValueHeaders should be an empty object when no cookies are present
+        expect(result.multiValueHeaders).toEqual({})
+        expect(result.headers['accept-language']).toBe('en-US')
+    })
+
+    test('handles cookies with correlation ID', () => {
+        const response = {
+            multiValueHeaders: {
+                'set-cookie': ['test-cookie=test-value; Path=/']
+            }
+        }
+        const event = {
+            headers: {'x-correlation-id': 'e46cd109-39b7-4173-963e-2c5de78ba087'}
+        }
+        const result = processLambdaResponse(response, event)
+
+        expect(result.headers['x-correlation-id']).toBe('e46cd109-39b7-4173-963e-2c5de78ba087')
+        expect(result.multiValueHeaders['set-cookie']).toEqual(['test-cookie=test-value; Path=/'])
+        expect(result.headers['set-cookie']).toBeUndefined()
+    })
 })
 
 describe('processExpressResponse', () => {

packages/pwa-kit-runtime/src/utils/ssr-server/process-lambda-response.js

@@ -8,32 +8,88 @@
 import {CONTENT_TYPE, X_ORIGINAL_CONTENT_TYPE} from '../../ssr/server/constants'
 import {getFlattenedHeadersMap} from '@h4ad/serverless-adapter'
 
+/**
+ * Processes multi-value headers by flattening them into a single headers object,
+ * while preserving cookies in multiValueHeaders format.
+ * Cookies are extracted from multiValueHeaders and kept separate, as they need
+ * to remain in multiValueHeaders format for AWS Lambda responses.
+ * Also restores the original content type if it was temporarily replaced
+ * (e.g., when binary content encoding is used).
+ *
+ * @private
+ * @param {Object} multiValueHeaders - An object containing multi-value headers,
+ * where each key maps to an array of header values (e.g., {'set-cookie': ['cookie1', 'cookie2']})
+ * @returns {Object} An object containing:
+ *   - headers: A flattened headers object with all headers joined by commas,
+ *     excluding set-cookie headers, with a 'date' header added and content-type
+ *     restored from x-original-content-type if present
+ *   - multiValueHeaders: An object containing only the 'set-cookie' header if cookies were present,
+ *     otherwise an empty object
+ */
+export const processHeaders = (multiValueHeaders) => {
+    const cookies = multiValueHeaders?.['set-cookie']
+    let headers = getFlattenedHeadersMap(multiValueHeaders || {}, ',', true)
+    headers['date'] = new Date().toUTCString()
+    let newMultiValueHeaders = {}
+
+    // Only allow set-cookie headers to be in multiValueHeaders
+    // to return multiple set-cookie headers instead of a single set-cookie header with multiple values
+    if (cookies) {
+        delete headers['set-cookie']
+        newMultiValueHeaders = {'set-cookie': cookies}
+    }
+
+    // If the response contains an X_ORIGINAL_CONTENT_TYPE header,
+    // then replace the current CONTENT_TYPE header with it.
+    const originalContentType = headers[X_ORIGINAL_CONTENT_TYPE]
+    if (originalContentType) {
+        headers[CONTENT_TYPE] = originalContentType
+        delete headers[X_ORIGINAL_CONTENT_TYPE]
+    }
+
+    return {headers, multiValueHeaders: newMultiValueHeaders}
+}
+
+/**
+ * Processes a Lambda response by converting multi-value headers to a flattened format,
+ * preserving cookies in multiValueHeaders, and adding correlation ID from the event.
+ *
+ * This function is used to transform Express response headers into the format
+ * expected by AWS Lambda/API Gateway, ensuring that:
+ * - Multi-value headers are properly flattened (except for set-cookie)
+ * - Cookies remain in multiValueHeaders format for proper handling
+ * - Correlation IDs are propagated from the request to the response
+ * - Original content types are restored when they were temporarily replaced
+ *   (handled by processHeaders)
+ *
+ * @param {Object} response - The Lambda response object containing multiValueHeaders
+ * @param {Object} event - The Lambda event object containing request headers
+ * @param {Object} [event.headers] - Request headers from the Lambda event
+ * @param {string} [event.headers['x-correlation-id']] - Correlation ID to add to response headers
+ * @returns {Object} The processed response object with:
+ *   - headers: Flattened headers object (all headers joined by commas, except set-cookie)
+ *   - multiValueHeaders: Object containing set-cookie headers if present
+ *   - All other properties from the original response object
+ */
 export const processLambdaResponse = (response, event) => {
     if (!response) return response
 
     // Retrieve the correlation ID from the event headers
     const correlationId = event.headers?.['x-correlation-id']
 
-    let joinedHeaders = getFlattenedHeadersMap(response.multiValueHeaders || {}, ',', true)
-    joinedHeaders['date'] = new Date().toUTCString()
-    delete response['multiValueHeaders']
+    // The response only has multiValueHeaders but the updated response needs joined single value headers
+    // except for the set-cookie headers
+    let {headers, multiValueHeaders} = processHeaders(response.multiValueHeaders)
 
     // Add the correlation ID to the response headers if it exists
     if (correlationId) {
-        joinedHeaders['x-correlation-id'] = correlationId
-    }
-
-    // If the response contains an X_ORIGINAL_CONTENT_TYPE header,
-    // then replace the current CONTENT_TYPE header with it.
-    const originalContentType = joinedHeaders[X_ORIGINAL_CONTENT_TYPE]
-    if (originalContentType) {
-        joinedHeaders[CONTENT_TYPE] = originalContentType
-        delete joinedHeaders[X_ORIGINAL_CONTENT_TYPE]
+        headers['x-correlation-id'] = correlationId
     }
 
     const result = {
         ...response,
-        headers: joinedHeaders
+        headers,
+        multiValueHeaders
     }
     return result
 }

packages/template-mrt-reference-app/app/ssr.js

@@ -194,6 +194,13 @@ const cookieTest = async (req, res) => {
     res.json(jsonFromRequest(req))
 }
 
+const multiCookies = async (req, res) => {
+    res.cookie('test-cookie', 'test-value')
+    res.append('Set-Cookie', 'test-value2')
+    res.append('Set-Cookie', 'test-value3')
+    res.json(jsonFromRequest(req))
+}
+
 /**
  * Express handler that sets single and multi-value response headers
  * and returns a JSON response with diagnostic values.
@@ -369,6 +376,7 @@ const {handler, app, server} = runtime.createHandler(options, (app) => {
     app.get('/cache/:duration(\\d+)', cacheTest)
     app.get('/memtest', memoryTest)
     app.get('/cookie', cookieTest)
+    app.get('/multi-cookies', multiCookies)
     app.get('/headers', headerTest)
     app.get('/isolation', isolationTests)
     app.get('/set-response-headers', responseHeadersTest)

packages/template-mrt-reference-app/app/ssr.test.js

@@ -58,6 +58,7 @@ describe('server', () => {
         ['/exception', 500, 'text/html; charset=utf-8'],
         ['/cache', 200, 'application/json; charset=utf-8'],
         ['/cookie', 200, 'application/json; charset=utf-8'],
+        ['/multi-cookies', 200, 'application/json; charset=utf-8'],
         ['/set-response-headers', 200, 'application/json; charset=utf-8'],
         ['/isolation', 200, 'application/json; charset=utf-8'],
         ['/memtest', 200, 'application/json; charset=utf-8']
@@ -88,6 +89,21 @@ describe('server', () => {
             .expect('set-cookie', 'test-cookie=test-value; Path=/')
     })
 
+    test('Path "/multi-cookies" sets multiple cookies', async () => {
+        const response = await request(app).get('/multi-cookies')
+        const setCookieHeaders = response.headers['set-cookie']
+        expect(setCookieHeaders).toBeDefined()
+        expect(Array.isArray(setCookieHeaders)).toBe(true)
+        expect(setCookieHeaders.length).toBeGreaterThanOrEqual(3)
+        // Check that the first cookie is set using res.cookie (includes Path=/)
+        expect(setCookieHeaders.some((cookie) => cookie.includes('test-cookie=test-value'))).toBe(
+            true
+        )
+        // Check that the appended cookies are present
+        expect(setCookieHeaders.some((cookie) => cookie.includes('test-value2'))).toBe(true)
+        expect(setCookieHeaders.some((cookie) => cookie.includes('test-value3'))).toBe(true)
+    })
+
     test('Path "/set-response-headers" sets response header', () => {
         return request(app)
             .get('/set-response-headers?header1=value1&header2=test-value')