clear cookies

Author: unandyala

packages/pwa-kit-runtime/src/ssr/server/process-token-response.js

@@ -197,6 +197,23 @@ export function applyHttpOnlySessionCookies(responseBuffer, proxyRes, req, res,
                 expires: refreshExpires
             })
         )
+
+        // Delete the opposite refresh token cookie to mirror client-side behavior:
+        // Login (guest → registered): delete guest cookie cc-nx-g
+        // Logout (registered → guest): delete registered cookie cc-nx
+        const staleCookieName = isGuest ? `cc-nx_${site}` : `cc-nx-g_${site}`
+        res.append(
+            SET_COOKIE,
+            cookieAsString({
+                name: staleCookieName,
+                value: '',
+                path: '/',
+                secure: true,
+                sameSite: 'lax',
+                httpOnly: true,
+                expires: new Date(0)
+            })
+        )
     }
 
     // Strip token fields from body so they are not exposed to the client

packages/pwa-kit-runtime/src/ssr/server/process-token-response.test.js

@@ -204,8 +204,12 @@ describe('applyHttpOnlySessionCookies', () => {
         expect(uidoCookie.value).toBe('ecom')
         expect(uidoCookie.httpOnly).toBeUndefined()
 
-        // Should NOT have registered refresh cookie
-        expect(res.cookies.find((c) => c.startsWith('cc-nx_testsite='))).toBeUndefined()
+        // Registered refresh cookie should be expired (deleted)
+        const staleRegisteredCookie = parseCookie(
+            res.cookies.find((c) => c.startsWith('cc-nx_testsite='))
+        )
+        expect(staleRegisteredCookie.value).toBe('')
+        expect(staleRegisteredCookie.expires).toEqual(new Date(0))
 
         // Tokens stripped from body, other fields preserved
         const body = JSON.parse(result.toString('utf8'))
@@ -249,8 +253,12 @@ describe('applyHttpOnlySessionCookies', () => {
         const uidoCookie = parseCookie(res.cookies.find((c) => c.includes('uido_testsite=')))
         expect(uidoCookie.value).toBe('ecom')
 
-        // Should NOT have guest refresh cookie
-        expect(res.cookies.find((c) => c.includes('cc-nx-g_testsite='))).toBeUndefined()
+        // Guest refresh cookie should be expired (deleted)
+        const staleGuestCookie = parseCookie(
+            res.cookies.find((c) => c.startsWith('cc-nx-g_testsite='))
+        )
+        expect(staleGuestCookie.value).toBe('')
+        expect(staleGuestCookie.expires).toEqual(new Date(0))
 
         // No dnt cookie when dnt absent from JWT
         expect(res.cookies.find((c) => c.includes('cc-at-dnt_testsite'))).toBeUndefined()