
Adds support for SLAS proxy req/res callbacks #3411

Merged
clavery merged 7 commits into develop from feature/slas-proxy-extensibility
Oct 22, 2025

Conversation

@clavery
Collaborator

@clavery clavery commented Oct 20, 2025

Summary

This PR adds extensibility to the SLAS private client proxy by introducing two new optional callback hooks that allow developers to customize proxy request and response handling.

We also added test coverage for this use case and other (uncovered) existing behavior of the proxy.

New Options

onSLASPrivateProxyReq

A callback invoked after the built-in proxy request handling. Allows developers to add custom headers or modify the proxy request before it's sent to SLAS.

Signature: (proxyRequest, incomingRequest, res) => void

Example:

onSLASPrivateProxyReq: (proxyRequest, incomingRequest, res) => {
    // Add custom header to all SLAS private client proxy requests
    proxyRequest.setHeader('X-Custom-Header', 'CustomValue')
}

onSLASPrivateProxyRes

A callback invoked after the built-in proxy response handling. Allows developers to modify response headers or transform the response buffer.

Signature: (responseBuffer, proxyRes, req, res) => Buffer

Example:

onSLASPrivateProxyRes: (responseBuffer, proxyRes, req, res) => {
    // Add custom response header
    res.setHeader('X-Custom-Response-Header', 'value')
    
    // Return the response buffer unchanged
    return responseBuffer
}

Use Cases

Cookie Attribute Modification

A common use case is modifying Set-Cookie headers from SLAS /token responses. For example, ensuring that SLAS cookies have the SameSite=None; Secure attributes set for cross-site and <iframe> scenarios.

Example:

// in ssr.js runtime.createHandler options
useSLASPrivateClient: true,
onSLASPrivateProxyRes: (responseBuffer, proxyRes, req, res) => {
    // Cookie name prefixes that need SameSite=None; Secure attributes
    const COOKIE_PREFIXES_TO_MODIFY = ['dwsid', 'dwanonymous_']

    // Process Set-Cookie headers
    const setCookieHeaders = proxyRes.headers['set-cookie']
    if (setCookieHeaders) {
        const modifiedCookies = (
            Array.isArray(setCookieHeaders) ? setCookieHeaders : [setCookieHeaders]
        ).map((cookie) => {
            // Check if cookie starts with any of the prefixes we want to modify
            const shouldModify = COOKIE_PREFIXES_TO_MODIFY.some((prefix) =>
                cookie.startsWith(prefix)
            )

            if (!shouldModify) {
                return cookie
            }

            // Check if SameSite=None and Secure are already present
            const hasSameSiteNone = /SameSite=None/i.test(cookie)
            const hasSecure = /;\s*Secure/i.test(cookie)

            // Add missing attributes
            let modifiedCookie = cookie
            if (!hasSameSiteNone) {
                modifiedCookie += '; SameSite=None'
            }
            if (!hasSecure) {
                modifiedCookie += '; Secure'
            }

            return modifiedCookie
        })

        // Update the response headers with modified cookies
        res.setHeader('set-cookie', modifiedCookies)
    }

    // Return the response buffer unchanged
    return responseBuffer
}

Custom Header Injection

Add custom headers to SLAS proxy requests for debugging, tracing, or integration with other systems.

Response Logging and Monitoring

Log response status codes, timing information, or other metrics for monitoring SLAS API interactions.

Response Transformation

Modify response buffers if needed (though this should be done carefully to avoid breaking API contracts).

User Enumeration Protection

Mask SLAS responses for endpoints that might enumerate users if security controls and privacy requirements necessitate this.

Implementation Details

  • Both callbacks are optional and maintain backward compatibility
  • Callbacks are invoked after the built-in proxy handling (Authorization header injection, passwordless login 404 masking, etc.)
  • Error handling is built-in - exceptions in user callbacks are caught and logged without breaking the proxy
  • For onSLASPrivateProxyRes, returning undefined will use the existing buffer

Description

Types of Changes

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Documentation update
  • Breaking change (could cause existing functionality to not work as expected)
  • Other changes (non-breaking changes that do not fit any of the above)

Breaking changes include:

  • Removing a public function or component or prop
  • Adding a required argument to a function
  • Changing the data type of a function parameter or return value
  • Adding a new peer dependency to package.json

Changes

  • adds optional callbacks to change slas private proxy behavior from user space

How to Test-Drive This PR

  • Implement one of the example callbacks from the description above and observe changes in private proxy (i.e. console log, new headers, cookie changes, etc)

Checklists

General

  • Changes are covered by test cases
  • CHANGELOG.md updated with a short description of changes (not required for documentation updates)

Accessibility Compliance

You must check off all items in one of the following two lists:

  • There are no changes to UI

Localization

  • Changes include a UI text update in the Retail React App (which requires translation)
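Added example, not code from this PR or the project: a Set-Cookie rewriter for the cookie use case described above that replaces an existing SameSite=Lax/Strict attribute instead of appending a second SameSite (the inline version appends whenever SameSite=None is absent), plus a stand-in for how the proxy would invoke onSLASPrivateProxyRes, written to the semantics listed under Implementation Details (exceptions caught and logged, undefined keeps the existing buffer). The functions `rewriteSetCookie`, `invokeResCallback` and the mock `res`/`proxyRes` objects are assumptions for illustration.

```javascript
// Added example: not the PR's or the project's own code. Only the cookie
// prefixes come from the PR description; everything else is assumed.
const COOKIE_PREFIXES_TO_MODIFY = ['dwsid', 'dwanonymous_']

function needsCrossSiteAttrs(cookie) {
    return COOKIE_PREFIXES_TO_MODIFY.some((prefix) => cookie.startsWith(prefix))
}

// Rewrite one Set-Cookie value so it ends with "SameSite=None; Secure".
// Existing SameSite=<x> / Secure attributes are dropped first, so a cookie
// issued with SameSite=Lax does not end up carrying two SameSite attributes.
function rewriteSetCookie(cookie) {
    if (!needsCrossSiteAttrs(cookie)) return cookie
    const parts = cookie.split(';').map((p) => p.trim()).filter(Boolean)
    // parts[0] is name=value; the remaining parts are attributes
    const kept = parts.filter(
        (part, i) => i === 0 || !/^(samesite(=.*)?|secure)$/i.test(part)
    )
    return [...kept, 'SameSite=None', 'Secure'].join('; ')
}

// A callback in the shape the PR describes for onSLASPrivateProxyRes.
function onSLASPrivateProxyRes(responseBuffer, proxyRes, req, res) {
    const raw = proxyRes.headers['set-cookie']
    if (raw) {
        const list = Array.isArray(raw) ? raw : [raw]
        res.setHeader('set-cookie', list.map(rewriteSetCookie))
    }
    return responseBuffer
}

// Stand-in (assumed, not the project's code) for how the proxy calls the
// callback: a thrown error is logged and the original buffer is used; an
// undefined return value also keeps the original buffer.
function invokeResCallback(callback, responseBuffer, proxyRes, req, res, log = console.error) {
    try {
        const out = callback(responseBuffer, proxyRes, req, res)
        return out === undefined ? responseBuffer : out
    } catch (err) {
        log('onSLASPrivateProxyRes threw; passing response through unchanged', err)
        return responseBuffer
    }
}

// Constructed sample run with mock request/response objects
const sampleHeaders = {}
const sampleRes = { setHeader: (name, value) => { sampleHeaders[name] = value } }
const sampleProxyRes = { headers: { 'set-cookie': ['dwsid=abc; Path=/; HttpOnly; SameSite=Lax', 'other=1; SameSite=Lax'] } }
invokeResCallback(onSLASPrivateProxyRes, Buffer.from('{}'), sampleProxyRes, {}, sampleRes)
console.log(sampleHeaders['set-cookie'])
```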

@cc-prodsec
Collaborator

cc-prodsec commented Oct 20, 2025

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Licenses              0         0     0       0    0 issues
Open Source Security  0         0     0       0    0 issues


@clavery clavery changed the title [DRAFT} add support for SLAS proxy req/res callbacks [DRAFT] add support for SLAS proxy req/res callbacks Oct 20, 2025
@clavery clavery changed the title [DRAFT] add support for SLAS proxy req/res callbacks Adds support for SLAS proxy req/res callbacks Oct 20, 2025
@clavery clavery marked this pull request as ready for review October 20, 2025 23:27
@clavery clavery requested a review from a team as a code owner October 20, 2025 23:27
@clavery clavery merged commit 2b5d086 into develop Oct 22, 2025
42 checks passed
@clavery clavery deleted the feature/slas-proxy-extensibility branch October 22, 2025 16:41
clavery added a commit that referenced this pull request Oct 27, 2025
slas private proxy test coverage

lint

lint warnings

backporting SLAS proxy callbacks

Remove passwordless login 404 masking (not part of PR #3411)

Restore error logging from base branch (preserve existing functionality)
clavery added a commit that referenced this pull request Oct 27, 2025
backport slas proxy callbacks from PR #3411

slas private proxy test coverage

lint

lint warnings

backporting SLAS proxy callbacks

Remove passwordless login 404 masking (not part of PR #3411)

Restore error logging from base branch (preserve existing functionality)
4 participants