refactor

Author: unandyala

packages/commerce-sdk-react/src/auth/index.test.ts

@@ -1507,25 +1507,24 @@ describe('HttpOnly Session Cookies', () => {
     const expiresAtFuture = Math.floor(Date.now() / 1000) + 3600
 
     const httpOnlyTokenResponse: ShopperLoginTypes.TokenResponse = {
-        ...TOKEN_RESPONSE,
-        // When HttpOnly cookies are enabled, the proxy strips tokens from the body
-        // and adds access_token_expires_at for client-side expiry checks
-        access_token_expires_at: expiresAtFuture
+        ...TOKEN_RESPONSE
     }
 
     beforeEach(() => {
         jest.clearAllMocks()
     })
 
-    test('loginGuestUser stores access_token_expires_at but not tokens', async () => {
+    test('loginGuestUser does not store tokens when HttpOnly cookies are enabled', async () => {
         const auth = new Auth({...config, useHttpOnlySessionCookies: true})
         const loginGuestMock = helpers.loginGuestUser as jest.Mock
         loginGuestMock.mockResolvedValueOnce(httpOnlyTokenResponse)
 
+        // Set cc-at-expires cookie (as server would via Set-Cookie header)
+        // @ts-expect-error private method
+        auth.set('cc-at-expires', String(expiresAtFuture))
+
         await auth.loginGuestUser()
 
-        // access_token_expires_at should be stored for client-side expiry checks
-        expect(auth.get('access_token_expires_at')).toBe(String(expiresAtFuture))
         // Tokens should NOT be stored in localStorage (they're in HttpOnly cookies)
         expect(auth.get('access_token')).toBeFalsy()
         expect(auth.get('refresh_token_guest')).toBeFalsy()
@@ -1534,27 +1533,32 @@ describe('HttpOnly Session Cookies', () => {
         expect(auth.get('usid')).toBe(TOKEN_RESPONSE.usid)
     })
 
-    test('ready re-uses data when access_token_expires_at is still valid', async () => {
+    test('ready re-uses data when cc-at-expires cookie is still valid', async () => {
         const auth = new Auth({...config, useHttpOnlySessionCookies: true})
         const loginGuestMock = helpers.loginGuestUser as jest.Mock
         loginGuestMock.mockResolvedValueOnce(httpOnlyTokenResponse)
 
         // First call: triggers loginGuestUser
         await auth.ready()
+
+        // Set cc-at-expires cookie (as server would via Set-Cookie header)
+        // @ts-expect-error private method
+        auth.set('cc-at-expires', String(expiresAtFuture))
+
         expect(helpers.loginGuestUser).toHaveBeenCalledTimes(1)
 
-        // Second call: access_token_expires_at is in the future, so it should re-use data
+        // Second call: cc-at-expires is in the future, so it should re-use data
         await auth.ready()
         expect(helpers.loginGuestUser).toHaveBeenCalledTimes(1) // Not called again
     })
 
-    test('ready triggers refresh when access_token_expires_at is expired', async () => {
+    test('ready triggers refresh when cc-at-expires cookie is expired', async () => {
         const auth = new Auth({...config, useHttpOnlySessionCookies: true})
 
         // Simulate a previous login that left behind stored data with an expired token
         const expiredTime = Math.floor(Date.now() / 1000) - 100
         // @ts-expect-error private method
-        auth.set('access_token_expires_at', String(expiredTime))
+        auth.set('cc-at-expires', String(expiredTime))
         // @ts-expect-error private method
         auth.set('refresh_token_guest', 'refresh_token')
         // @ts-expect-error private method

packages/commerce-sdk-react/src/auth/index.ts

@@ -138,7 +138,7 @@ type AuthDataKeys =
     | 'uido'
     | 'idp_refresh_token'
     | 'dnt'
-    | 'access_token_expires_at'
+    | 'cc-at-expires'
 
 type AuthDataMap = Record<
     AuthDataKeys,
@@ -254,9 +254,9 @@ const DATA_MAP: AuthDataMap = {
         storageType: 'local',
         key: 'uido'
     },
-    access_token_expires_at: {
-        storageType: 'local',
-        key: 'access_token_expires_at'
+    'cc-at-expires': {
+        storageType: 'cookie',
+        key: 'cc-at-expires'
     }
 }
 
@@ -528,11 +528,11 @@ class Auth {
 
     /**
      * Returns whether the access token is expired. When useHttpOnlySessionCookies is true,
-     * uses access_token_expires_at from store; otherwise decodes the JWT from getAccessToken().
+     * uses cc-at-expires cookie from store; otherwise decodes the JWT from getAccessToken().
      */
     private isAccessTokenExpired(): boolean {
         if (this.useHttpOnlySessionCookies) {
-            const expiresAt = this.get('access_token_expires_at')
+            const expiresAt = this.get('cc-at-expires')
             if (expiresAt == null || expiresAt === '') return true
             const expiresAtSec = Number(expiresAt)
             if (Number.isNaN(expiresAtSec)) return true
@@ -735,14 +735,6 @@ class Auth {
             const refreshTokenKey = isGuest ? 'refresh_token_guest' : 'refresh_token_registered'
             this.set(refreshTokenKey, res.refresh_token, {expires: expiresDate})
         }
-        if (
-            res &&
-            typeof res === 'object' &&
-            'access_token_expires_at' in res &&
-            res.access_token_expires_at != null
-        ) {
-            this.set('access_token_expires_at', String(res.access_token_expires_at))
-        }
     }
 
     async refreshAccessToken() {

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.test.js

@@ -582,7 +582,7 @@ describe('HttpOnly session cookies', () => {
             expect(response.headers['set-cookie']).toBeDefined()
             const cookies = response.headers['set-cookie']
             expect(cookies.some((c) => c.includes('cc-at_testsite'))).toBe(true)
-            expect(cookies.some((c) => c.includes('cc-at-expires-at_testsite'))).toBe(true)
+            expect(cookies.some((c) => c.includes('cc-at-expires_testsite'))).toBe(true)
             expect(cookies.some((c) => c.includes('cc-nx-g_testsite'))).toBe(true)
         } finally {
             mockSlasServerInstance.close()
@@ -692,7 +692,7 @@ describe('HttpOnly session cookies', () => {
             expect(response.headers['set-cookie']).toBeDefined()
             const cookies = response.headers['set-cookie']
             expect(cookies.some((c) => c.includes('cc-at_testsite'))).toBe(true)
-            expect(cookies.some((c) => c.includes('cc-at-expires-at_testsite'))).toBe(true)
+            expect(cookies.some((c) => c.includes('cc-at-expires_testsite'))).toBe(true)
         } finally {
             mockSlasServerInstance.close()
         }

packages/pwa-kit-runtime/src/ssr/server/process-token-response.js

@@ -35,56 +35,19 @@ export function getRefreshTokenCookieTTL(refreshTokenExpiresInSLASValue, isGuest
 }
 
 /**
- * Decodes the SLAS access token JWT, extracts claims, and sets non-HttpOnly metadata cookies
- * (expires-at, dnt, uido) so the client can read them. Same field extraction as
+ * Decodes the SLAS access token JWT and extracts claims. Same field extraction as
  * commerce-sdk-react parseSlasJWT.
- *
- * Returns {isGuest} for the caller to determine the refresh token cookie name.
  * @private
  */
-function setTokenClaimCookies(res, siteId, accessToken, expiresInSeconds) {
+function getTokenClaims(accessToken) {
     let payload
     try {
         payload = jwtDecode(accessToken)
     } catch (error) {
         throw new Error(`Failed to decode access token JWT: ${error.message || error}. `)
     }
 
-    const accessExpires = new Date(Date.now() + expiresInSeconds * 1000)
-
-    // Expiry timestamp — use JWT iat when available (non-HttpOnly so client can check expiry)
-    let expiresAt = Math.floor(Date.now() / 1000) + expiresInSeconds
-    if (typeof payload.iat === 'number') {
-        expiresAt = payload.iat + expiresInSeconds
-    }
-    res.append(
-        SET_COOKIE,
-        cookieAsString({
-            name: `cc-at-expires-at_${siteId}`,
-            value: String(expiresAt),
-            path: '/',
-            secure: true,
-            sameSite: 'lax',
-            httpOnly: false,
-            expires: accessExpires
-        })
-    )
-
-    // Do-not-track flag from JWT (non-HttpOnly so client can read it)
-    if (payload.dnt !== undefined) {
-        res.append(
-            SET_COOKIE,
-            cookieAsString({
-                name: `cc-at-dnt_${siteId}`,
-                value: String(payload.dnt),
-                path: '/',
-                secure: true,
-                sameSite: 'lax',
-                httpOnly: false,
-                expires: accessExpires
-            })
-        )
-    }
+    const accessExpires = new Date(payload.exp * 1000)
 
     // Extract isGuest and uido from JWT isb claim
     let isGuest = true
@@ -96,66 +59,7 @@ function setTokenClaimCookies(res, siteId, accessToken, expiresInSeconds) {
         if (uidoPart) uido = uidoPart
     }
 
-    // uido: IDP origin (e.g. "slas", "ecom"); non-HttpOnly so client can read for useCustomerType/isExternal
-    if (uido) {
-        res.append(
-            SET_COOKIE,
-            cookieAsString({
-                name: `uido_${siteId}`,
-                value: uido,
-                path: '/',
-                secure: true,
-                sameSite: 'lax',
-                httpOnly: false,
-                expires: accessExpires
-            })
-        )
-    }
-
-    return {isGuest}
-}
-
-/**
- * Sets the IDP access token as an HttpOnly cookie.
- * @private
- */
-function setIdpAccessTokenCookie(res, siteId, idpAccessToken, expiresInSeconds) {
-    const idpExpires = new Date(Date.now() + expiresInSeconds * 1000)
-    res.append(
-        SET_COOKIE,
-        cookieAsString({
-            name: `idp_access_token_${siteId}`,
-            value: idpAccessToken,
-            path: '/',
-            secure: true,
-            sameSite: 'lax',
-            httpOnly: true,
-            expires: idpExpires
-        })
-    )
-}
-
-/**
- * Sets the refresh token as an HttpOnly cookie. Cookie name depends on guest vs registered user.
- * @private
- */
-function setRefreshTokenCookie(res, siteId, refreshToken, refreshTokenExpiresIn, isGuest) {
-    const refreshTTL = getRefreshTokenCookieTTL(refreshTokenExpiresIn, isGuest)
-    const refreshExpires = new Date(Date.now() + refreshTTL * 1000)
-    const refreshCookieName = isGuest ? `cc-nx-g_${siteId}` : `cc-nx_${siteId}`
-
-    res.append(
-        SET_COOKIE,
-        cookieAsString({
-            name: refreshCookieName,
-            value: refreshToken,
-            path: '/',
-            secure: true,
-            sameSite: 'lax',
-            httpOnly: true,
-            expires: refreshExpires
-        })
-    )
+    return {accessExpires, expiresAt: payload.exp, dnt: payload.dnt, isGuest, uido}
 }
 
 /**
@@ -180,13 +84,20 @@ export function applyHttpOnlySessionCookies(responseBuffer, proxyRes, req, res,
     }
 
     const site = siteId.trim()
-    const expiresInSeconds = typeof parsed.expires_in === 'number' ? parsed.expires_in : 1800
 
-    // Decode JWT, set metadata cookies (expires-at, dnt, uido), get isGuest
+    // Decode JWT and extract claims
     let isGuest = true
     if (parsed.access_token) {
+        const {
+            accessExpires,
+            expiresAt,
+            dnt,
+            uido,
+            isGuest: guest
+        } = getTokenClaims(parsed.access_token)
+        isGuest = guest
+
         // Access token (HttpOnly)
-        const accessExpires = new Date(Date.now() + expiresInSeconds * 1000)
         res.append(
             SET_COOKIE,
             cookieAsString({
@@ -200,23 +111,91 @@ export function applyHttpOnlySessionCookies(responseBuffer, proxyRes, req, res,
             })
         )
 
-        const claims = setTokenClaimCookies(res, site, parsed.access_token, expiresInSeconds)
-        isGuest = claims.isGuest
-    }
+        // Expiry timestamp from JWT exp claim (non-HttpOnly so client can check expiry)
+        res.append(
+            SET_COOKIE,
+            cookieAsString({
+                name: `cc-at-expires_${site}`,
+                value: String(expiresAt),
+                path: '/',
+                secure: true,
+                sameSite: 'lax',
+                httpOnly: false,
+                expires: accessExpires
+            })
+        )
 
-    // IDP access token
-    if (parsed.idp_access_token) {
-        setIdpAccessTokenCookie(res, site, parsed.idp_access_token, expiresInSeconds)
+        // Do-not-track flag from JWT (non-HttpOnly so client can read it)
+        if (dnt !== undefined) {
+            res.append(
+                SET_COOKIE,
+                cookieAsString({
+                    name: `cc-at-dnt_${site}`,
+                    value: String(dnt),
+                    path: '/',
+                    secure: true,
+                    sameSite: 'lax',
+                    httpOnly: false,
+                    expires: accessExpires
+                })
+            )
+        }
+
+        // uido: IDP origin (e.g. "slas", "ecom"); non-HttpOnly so client can read for useCustomerType/isExternal
+        if (uido) {
+            res.append(
+                SET_COOKIE,
+                cookieAsString({
+                    name: `uido_${site}`,
+                    value: uido,
+                    path: '/',
+                    secure: true,
+                    sameSite: 'lax',
+                    httpOnly: false,
+                    expires: accessExpires
+                })
+            )
+        }
+
+        // IDP access token (HttpOnly)
+        if (parsed.idp_access_token) {
+            res.append(
+                SET_COOKIE,
+                cookieAsString({
+                    name: `idp_access_token_${site}`,
+                    value: parsed.idp_access_token,
+                    path: '/',
+                    secure: true,
+                    sameSite: 'lax',
+                    httpOnly: true,
+                    expires: accessExpires
+                })
+            )
+        }
     }
 
-    // Refresh token
+    // Refresh token (HttpOnly) — uses its own TTL, independent of access token expiry
     if (parsed.refresh_token) {
-        setRefreshTokenCookie(
-            res,
-            site,
-            parsed.refresh_token,
+        const commerceAPI = options.mobify?.app?.commerceAPI || {}
+        const refreshTTL = getRefreshTokenCookieTTL(
             parsed.refresh_token_expires_in,
-            isGuest
+            isGuest,
+            commerceAPI
+        )
+        const refreshExpires = new Date(Date.now() + refreshTTL * 1000)
+        const refreshCookieName = isGuest ? `cc-nx-g_${site}` : `cc-nx_${site}`
+
+        res.append(
+            SET_COOKIE,
+            cookieAsString({
+                name: refreshCookieName,
+                value: parsed.refresh_token,
+                path: '/',
+                secure: true,
+                sameSite: 'lax',
+                httpOnly: true,
+                expires: refreshExpires
+            })
         )
     }