Add Bearer token and refresh token injection for SLAS private client logout

When HttpOnly session cookies are enabled, the shopper's access token and
refresh token are stored in HttpOnly cookies and are not accessible to
client-side JavaScript. The SLAS /oauth2/logout endpoint requires both
a Bearer token in the Authorization header and a refresh_token query
parameter. This change injects both from HttpOnly cookies in the SLAS
private client proxy.

Also moves SLAS-specific Bearer token logic out of configure-proxy.js
(regular /mobify/proxy path) into the SLAS private client proxy where
it belongs, since SLAS calls don't go through the regular proxy when
useSLASPrivateClient is enabled.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: unandyala

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.js

@@ -5,6 +5,7 @@
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
 import path from 'path'
+import cookie from 'cookie'
 import {
     BUILD,
     CONTENT_TYPE,
@@ -399,13 +400,7 @@ export const RemoteServerFactory = {
      */
     _configureProxyConfigs(options) {
         const siteId = options.siteId || null
-        const slasEndpointsRequiringAccessToken = options.slasEndpointsRequiringAccessToken
-        configureProxyConfigs(
-            options.appHostname,
-            options.protocol,
-            siteId,
-            slasEndpointsRequiringAccessToken
-        )
+        configureProxyConfigs(options.appHostname, options.protocol, siteId)
     },
 
     /**
@@ -982,6 +977,34 @@ export const RemoteServerFactory = {
                         // SLAS logout (/oauth2/logout), use the Authorization header for a different
                         // purpose so we don't want to overwrite the header for those calls.
                         proxyRequest.setHeader('Authorization', `Basic ${encodedSlasCredentials}`)
+                    } else if (
+                        incomingRequest.path?.match(options.slasEndpointsRequiringAccessToken)
+                    ) {
+                        // Inject tokens from HttpOnly cookies for endpoints like /oauth2/logout
+                        const cookieHeader = incomingRequest.headers.cookie
+                        if (cookieHeader) {
+                            const cookies = cookie.parse(cookieHeader)
+                            const siteId = options.mobify?.app?.commerceAPI?.parameters?.siteId
+                            if (siteId) {
+                                const site = siteId.trim()
+
+                                // Inject Bearer token from access token cookie
+                                const accessToken = cookies[`cc-at_${site}`]
+                                if (accessToken) {
+                                    proxyRequest.setHeader('Authorization', `Bearer ${accessToken}`)
+                                }
+
+                                // Inject refresh_token into query string from HttpOnly cookie
+                                // Try registered user cookie first, then guest
+                                const refreshToken =
+                                    cookies[`cc-nx_${site}`] || cookies[`cc-nx-g_${site}`]
+                                if (refreshToken) {
+                                    const url = new URL(proxyRequest.path, 'http://localhost')
+                                    url.searchParams.set('refresh_token', refreshToken)
+                                    proxyRequest.path = url.pathname + url.search
+                                }
+                            }
+                        }
                     }
 
                     // Allow users to apply additional custom modifications to the proxy request

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.test.js

@@ -483,11 +483,15 @@ describe('HttpOnly session cookies', () => {
         }
     })
 
-    test('skips non-token endpoints like logout', async () => {
+    test('injects Bearer token and refresh token from HttpOnly cookies for logout endpoint', async () => {
         process.env.MRT_DISABLE_HTTPONLY_SESSION_COOKIES = 'false'
 
+        let capturedAuthHeader
+        let capturedRefreshToken
         const mockSlasServer = mockExpress()
         mockSlasServer.post('/shopper/auth/v1/oauth2/logout', (req, res) => {
+            capturedAuthHeader = req.headers.authorization
+            capturedRefreshToken = req.query.refresh_token
             res.status(200).json({success: true})
         })
 
@@ -517,12 +521,14 @@ describe('HttpOnly session cookies', () => {
 
             RemoteServerFactory._setupSlasPrivateClientProxy(app, options)
 
-            const response = await request(app).post(
-                '/mobify/slas/private/shopper/auth/v1/oauth2/logout'
-            )
+            const response = await request(app)
+                .post('/mobify/slas/private/shopper/auth/v1/oauth2/logout')
+                .set('Cookie', 'cc-at_testsite=mock-access-token; cc-nx_testsite=mock-refresh-token')
 
             expect(response.status).toBe(200)
             expect(response.body.success).toBe(true)
+            expect(capturedAuthHeader).toBe('Bearer mock-access-token')
+            expect(capturedRefreshToken).toBe('mock-refresh-token')
             expect(response.headers['set-cookie']).toBeUndefined()
         } finally {
             mockSlasServerInstance.close()

packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.basic.test.js

@@ -113,8 +113,7 @@ describe('applyScapiAuthHeaders', () => {
             incomingRequest,
             caching: false,
             siteId: 'RefArch',
-            targetHost: 'abc-001.api.commercecloud.salesforce.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
         })
 
         expect(proxyRequest.setHeader).toHaveBeenCalledWith(
@@ -123,7 +122,7 @@ describe('applyScapiAuthHeaders', () => {
         )
     })
 
-    it('applies Bearer token for SLAS logout endpoint', () => {
+    it('skips all SLAS auth endpoints (handled by SLAS private proxy)', () => {
         utils.isScapiDomain.mockReturnValue(true)
         cookie.parse.mockReturnValue({'cc-at_RefArch': 'test-access-token'})
 
@@ -140,38 +139,10 @@ describe('applyScapiAuthHeaders', () => {
             incomingRequest,
             caching: false,
             siteId: 'RefArch',
-            targetHost: 'abc-001.api.commercecloud.salesforce.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
         })
 
-        expect(proxyRequest.setHeader).toHaveBeenCalledWith(
-            'authorization',
-            'Bearer test-access-token'
-        )
-    })
-
-    it('does not apply Bearer token for SLAS token endpoint', () => {
-        utils.isScapiDomain.mockReturnValue(true)
-        cookie.parse.mockReturnValue({'cc-at_RefArch': 'test-access-token'})
-
-        const proxyRequest = {
-            setHeader: jest.fn()
-        }
-        const incomingRequest = {
-            url: '/shopper/auth/v1/oauth2/token',
-            headers: {cookie: 'cc-at_RefArch=test-access-token'}
-        }
-
-        applyScapiAuthHeaders({
-            proxyRequest,
-            incomingRequest,
-            caching: false,
-            siteId: 'RefArch',
-            targetHost: 'abc-001.api.commercecloud.salesforce.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
-        })
-
-        // Should not set authorization header for token endpoint (uses Basic Auth)
+        // SLAS auth endpoints are handled by the SLAS private client proxy
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()
     })
 
@@ -192,8 +163,7 @@ describe('applyScapiAuthHeaders', () => {
             incomingRequest,
             caching: true,
             siteId: 'RefArch',
-            targetHost: 'abc-001.api.commercecloud.salesforce.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
         })
 
         // Caching proxies don't use auth
@@ -217,8 +187,7 @@ describe('applyScapiAuthHeaders', () => {
             incomingRequest,
             caching: false,
             siteId: null,
-            targetHost: 'abc-001.api.commercecloud.salesforce.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
         })
 
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()
@@ -241,8 +210,7 @@ describe('applyScapiAuthHeaders', () => {
             incomingRequest,
             caching: false,
             siteId: 'RefArch',
-            targetHost: 'external-api.example.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
+            targetHost: 'external-api.example.com'
         })
 
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()
@@ -265,8 +233,7 @@ describe('applyScapiAuthHeaders', () => {
             incomingRequest,
             caching: false,
             siteId: 'RefArch',
-            targetHost: 'abc-001.api.commercecloud.salesforce.com',
-            slasEndpointsRequiringAccessToken: /\/oauth2\/logout/
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
         })
 
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()

packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.js

@@ -12,7 +12,6 @@ import {processExpressResponse} from './process-express-response'
 import {isRemote, localDevLog, verboseProxyLogging, isScapiDomain} from './utils'
 import logger from '../logger-instance'
 import {getEnvBasePath} from '../ssr-namespace-paths'
-import {SLAS_ENDPOINTS_REQUIRING_ACCESS_TOKEN} from '../../ssr/server/constants'
 
 export const ALLOWED_CACHING_PROXY_REQUEST_METHODS = ['HEAD', 'GET', 'OPTIONS']
 
@@ -37,8 +36,8 @@ const generalProxyPathRE = /^\/mobify\/proxy\/([^/]+)(\/.*)$/
  * 1. Caching proxies never use auth (skip)
  * 2. siteId must be provided (skip if not)
  * 3. Target must be SCAPI domain (skip if not)
- * 4. For SLAS auth endpoints (/shopper/auth/*): Only apply if they match the regex
- *    - Most use Basic Auth (client credentials), but some like /oauth2/logout need Bearer token
+ * 4. SLAS auth endpoints (/shopper/auth/*) are skipped — Bearer injection for SLAS
+ *    is handled by the SLAS private client proxy in build-remote-server.js
  * 5. For non-SLAS auth endpoints (e.g., /shopper/products, /shopper/baskets): Always apply Bearer token
  *
  * @private
@@ -48,32 +47,24 @@ const generalProxyPathRE = /^\/mobify\/proxy\/([^/]+)(\/.*)$/
  * @param caching {Boolean} true for a caching proxy, false for a standard proxy
  * @param siteId {String} the site ID for the current request
  * @param targetHost {String} the target hostname (host+port)
- * @param slasEndpointsRequiringAccessToken {RegExp} regex for SLAS auth endpoints that need Bearer token
  */
 export const applyScapiAuthHeaders = ({
     proxyRequest,
     incomingRequest,
     caching,
     siteId,
-    targetHost,
-    slasEndpointsRequiringAccessToken
+    targetHost
 }) => {
     const url = incomingRequest.url
 
     // Skip if: caching proxy, no siteId, not SCAPI domain, or no URL
     if (caching || !siteId || !isScapiDomain(targetHost) || !url) {
         return
     }
+    // SLAS auth endpoints are handled by the SLAS private client proxy
     if (url.startsWith('/shopper/auth/')) {
-        // For SLAS auth endpoints, only apply if they match the configured regex
-        // Most SLAS endpoints use Basic Auth, only specific ones like /oauth2/logout need Bearer token
-        if (!slasEndpointsRequiringAccessToken || !url.match(slasEndpointsRequiringAccessToken)) {
-            return
-        }
+        return
     }
-    // If we reach here, either:
-    // 1. It's a SLAS auth endpoint that matched the regex, OR
-    // 2. It's a non-SLAS auth endpoint (which always requires Bearer token)
 
     // Get access token from HttpOnly cookie
     const cookieHeader = incomingRequest.headers.cookie
@@ -185,7 +176,6 @@ export const applyProxyRequestHeaders = ({
  * @param caching {Boolean} true for a caching proxy, false for a
  * standard proxy.
  * @param siteId {String} the site ID for the current request
- * @param slasEndpointsRequiringAccessToken {RegExp} regex for SLAS auth endpoints that require Bearer token
  * @returns {middleware} function to pass to expressApp.use()
  */
 export const configureProxy = ({
@@ -195,8 +185,7 @@ export const configureProxy = ({
     targetHost,
     appProtocol = /* istanbul ignore next */ 'https',
     caching,
-    siteId = null,
-    slasEndpointsRequiringAccessToken = SLAS_ENDPOINTS_REQUIRING_ACCESS_TOKEN
+    siteId = null
 }) => {
     // This configuration must match the behaviour of the proxying
     // in CloudFront.
@@ -279,8 +268,7 @@ export const configureProxy = ({
                 incomingRequest,
                 caching,
                 siteId,
-                targetHost,
-                slasEndpointsRequiringAccessToken
+                targetHost
             })
         },
 
@@ -374,15 +362,9 @@ export const configureProxy = ({
  * @param {String} appProtocol {String} the protocol to use to make requests to
  * the origin ('http' or 'https', defaults to 'https')
  * @param {String} siteId - the site ID for the current request
- * @param {RegExp} slasEndpointsRequiringAccessToken - regex for SLAS auth endpoints that require Bearer token
  * @private
  */
-export const configureProxyConfigs = (
-    appHostname,
-    appProtocol,
-    siteId = null,
-    slasEndpointsRequiringAccessToken = SLAS_ENDPOINTS_REQUIRING_ACCESS_TOKEN
-) => {
+export const configureProxyConfigs = (appHostname, appProtocol, siteId = null) => {
     localDevLog('')
     proxyConfigs.forEach((config) => {
         localDevLog(
@@ -395,8 +377,7 @@ export const configureProxyConfigs = (
             appProtocol,
             appHostname,
             caching: false,
-            siteId,
-            slasEndpointsRequiringAccessToken
+            siteId
         })
         config.cachingProxy = configureProxy({
             proxyPath: config.cachingPath,