Resolve siteId dynamically via x-site-id header for multisite support

With multisite enabled, siteId is request-dependent but was previously
read once at startup from static config, breaking HttpOnly cookie lookups
for non-default sites. This adds an x-site-id header from the per-request
resolved site and reads it in the proxy layers with static config fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: unandyala

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.js

@@ -984,7 +984,10 @@ export const RemoteServerFactory = {
                         const cookieHeader = incomingRequest.headers.cookie
                         if (cookieHeader) {
                             const cookies = cookie.parse(cookieHeader)
-                            const siteId = options.mobify?.app?.commerceAPI?.parameters?.siteId
+                            // Prefer per-request siteId from header, fall back to static config
+                            const siteId =
+                                incomingRequest.headers['x-site-id'] ||
+                                options.mobify?.app?.commerceAPI?.parameters?.siteId
                             if (siteId) {
                                 const site = siteId.trim()
 

packages/pwa-kit-runtime/src/ssr/server/build-remote-server.test.js

@@ -524,6 +524,7 @@ describe('HttpOnly session cookies', () => {
             const response = await request(app)
                 .post('/mobify/slas/private/shopper/auth/v1/oauth2/logout')
                 .set('Cookie', 'cc-at_testsite=mock-access-token; cc-nx_testsite=mock-refresh-token')
+                .set('x-site-id', 'testsite')
 
             expect(response.status).toBe(200)
             expect(response.body.success).toBe(true)
@@ -535,6 +536,62 @@ describe('HttpOnly session cookies', () => {
         }
     })
 
+    test('x-site-id header takes precedence over static config siteId for logout endpoint', async () => {
+        process.env.MRT_DISABLE_HTTPONLY_SESSION_COOKIES = 'false'
+
+        let capturedAuthHeader
+        let capturedRefreshToken
+        const mockSlasServer = mockExpress()
+        mockSlasServer.post('/shopper/auth/v1/oauth2/logout', (req, res) => {
+            capturedAuthHeader = req.headers.authorization
+            capturedRefreshToken = req.query.refresh_token
+            res.status(200).json({success: true})
+        })
+
+        const mockSlasServerInstance = mockSlasServer.listen(0)
+        const mockSlasPort = mockSlasServerInstance.address().port
+
+        try {
+            const app = mockExpress()
+            // Static config has siteId 'default-site', but x-site-id header will be 'othersite'
+            const options = RemoteServerFactory._configure({
+                useSLASPrivateClient: true,
+                slasTarget: `http://localhost:${mockSlasPort}`,
+                mobify: {
+                    app: {
+                        commerceAPI: {
+                            parameters: {
+                                shortCode: 'test',
+                                organizationId: 'f_ecom_test',
+                                clientId: 'test-client-id',
+                                siteId: 'default-site'
+                            }
+                        }
+                    }
+                }
+            })
+
+            process.env.PWA_KIT_SLAS_CLIENT_SECRET = 'test-secret'
+
+            RemoteServerFactory._setupSlasPrivateClientProxy(app, options)
+
+            // Cookies are keyed to 'othersite', and x-site-id header says 'othersite'
+            const response = await request(app)
+                .post('/mobify/slas/private/shopper/auth/v1/oauth2/logout')
+                .set(
+                    'Cookie',
+                    'cc-at_othersite=other-access-token; cc-nx_othersite=other-refresh-token'
+                )
+                .set('x-site-id', 'othersite')
+
+            expect(response.status).toBe(200)
+            expect(capturedAuthHeader).toBe('Bearer other-access-token')
+            expect(capturedRefreshToken).toBe('other-refresh-token')
+        } finally {
+            mockSlasServerInstance.close()
+        }
+    })
+
     test('sets HttpOnly cookies and strips tokens from response body', async () => {
         process.env.MRT_DISABLE_HTTPONLY_SESSION_COOKIES = 'false'
 

packages/pwa-kit-runtime/src/ssr/server/process-token-response.js

@@ -68,7 +68,9 @@ function getTokenClaims(accessToken) {
  * @private
  */
 export function applyHttpOnlySessionCookies(responseBuffer, proxyRes, req, res, options) {
-    const siteId = options.mobify?.app?.commerceAPI?.parameters?.siteId
+    // Prefer per-request siteId from header, fall back to static config
+    const siteId =
+        req.headers?.['x-site-id'] || options.mobify?.app?.commerceAPI?.parameters?.siteId
     if (!siteId || typeof siteId !== 'string' || siteId.trim() === '') {
         throw new Error(
             'HttpOnly session cookies are enabled but siteId is missing. ' +

packages/pwa-kit-runtime/src/ssr/server/process-token-response.test.js

@@ -314,4 +314,28 @@ describe('applyHttpOnlySessionCookies', () => {
         // No leading/trailing spaces in cookie name
         expect(res.cookies.find((c) => c.includes('cc-at_  mysite'))).toBeUndefined()
     })
+
+    test('x-site-id header overrides static config siteId', () => {
+        const res = makeRes()
+        const accessToken = makeJWT({iat: 1000, exp: 2800, isb: 'uido:ecom::upn:Guest'})
+        const buf = makeResponseBuffer({access_token: accessToken, expires_in: 1800})
+        const req = {headers: {'x-site-id': 'headersite'}}
+        applyHttpOnlySessionCookies(buf, {}, req, res, makeOptions('configsite'))
+
+        // Should use 'headersite' from the x-site-id header, not 'configsite' from options
+        const atCookie = res.cookies.find((c) => c.includes('cc-at_headersite='))
+        expect(atCookie).toBeDefined()
+        expect(res.cookies.find((c) => c.includes('cc-at_configsite='))).toBeUndefined()
+    })
+
+    test('falls back to static config siteId when x-site-id header is absent', () => {
+        const res = makeRes()
+        const accessToken = makeJWT({iat: 1000, exp: 2800, isb: 'uido:ecom::upn:Guest'})
+        const buf = makeResponseBuffer({access_token: accessToken, expires_in: 1800})
+        const req = {headers: {}}
+        applyHttpOnlySessionCookies(buf, {}, req, res, makeOptions('configsite'))
+
+        const atCookie = res.cookies.find((c) => c.includes('cc-at_configsite='))
+        expect(atCookie).toBeDefined()
+    })
 })

packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.basic.test.js

@@ -238,4 +238,61 @@ describe('applyScapiAuthHeaders', () => {
 
         expect(proxyRequest.setHeader).not.toHaveBeenCalled()
     })
+
+    it('x-site-id header overrides static siteId param', () => {
+        utils.isScapiDomain.mockReturnValue(true)
+        cookie.parse.mockReturnValue({'cc-at_OtherSite': 'other-access-token'})
+
+        const proxyRequest = {
+            setHeader: jest.fn(),
+            removeHeader: jest.fn()
+        }
+        const incomingRequest = {
+            url: '/shopper/products/v1/products',
+            headers: {
+                cookie: 'cc-at_OtherSite=other-access-token',
+                'x-site-id': 'OtherSite'
+            }
+        }
+
+        applyScapiAuthHeaders({
+            proxyRequest,
+            incomingRequest,
+            caching: false,
+            siteId: 'RefArch', // static fallback — should be overridden by x-site-id
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
+        })
+
+        expect(proxyRequest.setHeader).toHaveBeenCalledWith(
+            'authorization',
+            'Bearer other-access-token'
+        )
+    })
+
+    it('falls back to static siteId when x-site-id header is absent', () => {
+        utils.isScapiDomain.mockReturnValue(true)
+        cookie.parse.mockReturnValue({'cc-at_RefArch': 'test-access-token'})
+
+        const proxyRequest = {
+            setHeader: jest.fn(),
+            removeHeader: jest.fn()
+        }
+        const incomingRequest = {
+            url: '/shopper/products/v1/products',
+            headers: {cookie: 'cc-at_RefArch=test-access-token'}
+        }
+
+        applyScapiAuthHeaders({
+            proxyRequest,
+            incomingRequest,
+            caching: false,
+            siteId: 'RefArch',
+            targetHost: 'abc-001.api.commercecloud.salesforce.com'
+        })
+
+        expect(proxyRequest.setHeader).toHaveBeenCalledWith(
+            'authorization',
+            'Bearer test-access-token'
+        )
+    })
 })

packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.js

@@ -56,9 +56,11 @@ export const applyScapiAuthHeaders = ({
     targetHost
 }) => {
     const url = incomingRequest.url
+    // Prefer per-request siteId from header, fall back to static config
+    const resolvedSiteId = incomingRequest.headers?.['x-site-id'] || siteId
 
     // Skip if: caching proxy, no siteId, not SCAPI domain, or no URL
-    if (caching || !siteId || !isScapiDomain(targetHost) || !url) {
+    if (caching || !resolvedSiteId || !isScapiDomain(targetHost) || !url) {
         return
     }
     // SLAS auth endpoints are handled by the SLAS private client proxy
@@ -71,7 +73,7 @@ export const applyScapiAuthHeaders = ({
     if (!cookieHeader) return
 
     const cookies = cookie.parse(cookieHeader)
-    const tokenKey = `cc-at_${siteId.trim()}`
+    const tokenKey = `cc-at_${resolvedSiteId.trim()}`
     const accessToken = cookies[tokenKey]
 
     if (accessToken) {

packages/template-retail-react-app/app/components/_app-config/index.jsx

@@ -66,7 +66,8 @@ const AppConfig = ({children, locals = {}}) => {
     const {correlationId} = useCorrelationId()
     const headers = {
         'correlation-id': correlationId,
-        sfdc_user_agent: sfdcUserAgent
+        sfdc_user_agent: sfdcUserAgent,
+        'x-site-id': locals.site?.id
     }
 
     const commerceApiConfig = locals.appConfig.commerceAPI