Add HttpOnly session cookies for SLAS private client proxy#3679
Closed
…es (#3635)
* Add config flag to enable httponly session cookies
* One click checkout
* changes to fix install, tests and lint - needs to be reviewed
* revert the test change in pwa-kit-runtime
* @W-20892497 Show Phone number in Contact Info summary (#3576)
* W-20892497 Show Phone number in Contact Info summary
* fix lint
* @W-20892592 Remove gift messaging for multi shipment (#3579)
* W-20892592 Remove gift messaging for multi shipment
* translations
* @W-20892530 @W-20892577 Billing Address Validation and Using contact phone for user registration (#3583)
* W-20892530 Billing Address Validation
* W-20892577 save contact info phone
* Fix SDK tests (#3593)
* fix sdk tests and app bundle size
* fix lint
* @ W-20540715 Address 1CC feature branch review comments (#3619)
* address first set of comments
* address rest of code review comments
* reverting default.js changes
* fix package versions
* shipping options fix
* attempt to fix flaky tests
* passwordless mode updates
* @W-21094171: Fix Resend Code for OTP modal
Signed-off-by: d.phan <d.phan@salesforce.com>
* add translations
Signed-off-by: d.phan <d.phan@salesforce.com>
* fix lint
Signed-off-by: d.phan <d.phan@salesforce.com>
* update component per UX alignment
Signed-off-by: d.phan <d.phan@salesforce.com>
* no actions during verification
Signed-off-by: d.phan <d.phan@salesforce.com>
* revert to generic error message as per code review comment
* translation changes
* fix the rebase issue
* update isomorphic version
* update isomorphic in dev dependencies
* Updating another dev dependency for isomorphic version
* @W-21094171: Fix Resend Code for OTP modal
Signed-off-by: d.phan <d.phan@salesforce.com>
* fix package versions
---------
Signed-off-by: d.phan <d.phan@salesforce.com>
Co-authored-by: Sushma Yadupathi <syadupathi@salesforce.com>
Co-authored-by: syadupathi-sf <66088780+syadupathi-sf@users.noreply.github.com>
#3639)
* Default to ECOM Shipping when OMS does not return shipping
* Add changelog
* lint fix
* nit optional check
* variable rename
…leware, test query strings are preserved, resolved path does not include base path, and base path exists in environment
* @W-21109850: Continue as Guest skips entering phone number (#3626)
* One click checkout
* changes to fix install, tests and lint - needs to be reviewed
* revert the test change in pwa-kit-runtime
* @W-20892497 Show Phone number in Contact Info summary (#3576)
* W-20892497 Show Phone number in Contact Info summary
* fix lint
* @W-20892592 Remove gift messaging for multi shipment (#3579)
* W-20892592 Remove gift messaging for multi shipment
* translations
* @W-20892530 @W-20892577 Billing Address Validation and Using contact phone for user registration (#3583)
* W-20892530 Billing Address Validation
* W-20892577 save contact info phone
* Fix SDK tests (#3593)
* fix sdk tests and app bundle size
* fix lint
* @ W-20540715 Address 1CC feature branch review comments (#3619)
* address first set of comments
* address rest of code review comments
* reverting default.js changes
* fix package versions
* shipping options fix
* attempt to fix flaky tests
* passwordless mode updates
* @W-21109850: Continue as Guest skips entering phone number
Signed-off-by: d.phan <d.phan@salesforce.com>
* fix import
Signed-off-by: d.phan <d.phan@salesforce.com>
* translations
* fix user not found error
---------
Signed-off-by: d.phan <d.phan@salesforce.com>
Co-authored-by: Sushma Yadupathi <syadupathi@salesforce.com>
Co-authored-by: syadupathi-sf <66088780+syadupathi-sf@users.noreply.github.com>
* W-21111863 Hide user registration for returning shoppers who chose to checkout as guest (#3634)
* @W-21005976 Save newly registered user's info when they leave checkout… (#3632)
* W-21005976 Save newly registered user's info when they leave checkout and return
* code review comments
* @W-21109829 Editing shipping options in multi shipment scenarios (#3637)
* W-21109829 Editing shipping options in multi shipment scenarios
* minor text changes
* remove unnecessary test
---------
Signed-off-by: d.phan <d.phan@salesforce.com>
Signed-off-by: syadupathi-sf <66088780+syadupathi-sf@users.noreply.github.com>
Co-authored-by: Danny Phan <125327707+dannyphan2000@users.noreply.github.com>
* Update button alignment in OtpAuth component to center for improved UX
When MRT_DISABLE_HTTPONLY_SESSION_COOKIES is 'false', token responses from SLAS are intercepted: access_token, refresh_token, and idp_access_token are set as HttpOnly cookies and stripped from the response body. The client receives access_token_expires_at for expiry checks without needing the JWT.

Server-side (pwa-kit-runtime):
- applyHttpOnlySessionCookies() intercepts token responses, sets HttpOnly cookies with siteId suffix, and strips tokens from body
- applyProxyRequestAuthHeader() reads access token from HttpOnly cookie and sets Authorization header for SCAPI proxy requests
- isScapiDomain() utility for identifying Commerce API domains
- Configurable tokenResponseEndpoints and slasEndpointsRequiringAccessToken regexes for controlling which endpoints are processed

Client-side (commerce-sdk-react):
- useHttpOnlySessionCookies flag on Auth and CommerceApiProvider
- isAccessTokenExpired() uses access_token_expires_at when HttpOnly enabled
- handleTokenResponse() skips storing tokens in localStorage when HttpOnly
- Provider ensures fetch credentials allow cookies to be sent

Note: TAOB (Trusted Agent on Behalf) and refresh token flows with HttpOnly cookies will be handled in follow-up work.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
Summary
- When `MRT_DISABLE_HTTPONLY_SESSION_COOKIES` is `'false'`, SLAS token responses are intercepted by the proxy: `access_token`, `refresh_token`, and `idp_access_token` are set as HttpOnly cookies (with siteId suffix) and stripped from the response body
- `access_token_expires_at` in the response body for expiry checks without needing the JWT
- `Authorization: Bearer` header for SCAPI requests automatically via `applyProxyRequestAuthHeader()`
- `useHttpOnlySessionCookies` flag on `Auth` and `CommerceApiProvider` controls client-side behavior: skips storing tokens in localStorage, uses `access_token_expires_at` for expiry checks, and ensures fetch credentials allow cookies
- `tokenResponseEndpoints` and `slasEndpointsRequiringAccessToken` regexes allow customization in `ssr.js`

Follow-up work
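The intercept-and-reissue flow described in the commit body and the Summary above, as an added JavaScript illustration that is not pwa-kit-runtime's code: the two function names follow the PR, but their signatures, the `/oauth2/token` endpoint regex, the cookie attributes (`Secure`, `SameSite=Lax`, `Max-Age`), the epoch-millisecond `access_token_expires_at` and the plain-object request/response shapes are all assumptions made for the example.

```javascript
// Added illustration of the PR's flow, not pwa-kit-runtime code: function names follow
// the PR description; signatures, cookie attributes and timestamp units are assumptions.
const TOKEN_FIELDS = ['access_token', 'refresh_token', 'idp_access_token'];

// Assumed default for the configurable tokenResponseEndpoints regex list.
const tokenResponseEndpoints = [/\/oauth2\/token$/];

// One HttpOnly Set-Cookie value, cookie name suffixed with the siteId as the PR
// describes. Secure, SameSite=Lax and Max-Age are assumed hardening attributes.
function tokenCookie(name, value, siteId, maxAgeSeconds) {
  return `${name}_${siteId}=${encodeURIComponent(value)}; Path=/; HttpOnly; ` +
    `Secure; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// Intercept a SLAS token response on its way back to the browser: move the
// tokens into HttpOnly cookies, strip them from the JSON body, and add
// access_token_expires_at (assumed epoch ms) so the client never holds the JWT.
// Responses from non-token endpoints pass through untouched.
function applyHttpOnlySessionCookies(path, body, siteId, nowMs = Date.now()) {
  if (!tokenResponseEndpoints.some((re) => re.test(path))) {
    return {body, setCookies: []};
  }
  const stripped = {...body};
  const setCookies = [];
  for (const field of TOKEN_FIELDS) {
    if (typeof stripped[field] !== 'string') continue;
    // expires_in / refresh_token_expires_in are the SLAS lifetimes in seconds
    const maxAge = field === 'refresh_token' ? body.refresh_token_expires_in : body.expires_in;
    setCookies.push(tokenCookie(field, stripped[field], siteId, maxAge));
    delete stripped[field];
  }
  stripped.access_token_expires_at = nowMs + body.expires_in * 1000;
  return {body: stripped, setCookies};
}

// Minimal Cookie request-header parser.
function parseCookies(header = '') {
  const jar = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1) jar[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// On a proxied SCAPI request, read the access token back out of the HttpOnly
// cookie and set the Authorization header the browser code could not set itself.
function applyProxyRequestAuthHeader(cookieHeader, siteId, headers = {}) {
  const token = parseCookies(cookieHeader)[`access_token_${siteId}`];
  return token ? {...headers, Authorization: `Bearer ${token}`} : headers;
}
```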
Test plan
- `MRT_DISABLE_HTTPONLY_SESSION_COOKIES=false`
- `access_token_expires_at` is present
- `Authorization: Bearer` header from cookie
- `MRT_DISABLE_HTTPONLY_SESSION_COOKIES` is not `'false'`
- `access_token_expires_at`
- (`npm test` in pwa-kit-runtime and commerce-sdk-react)

🤖 Generated with Claude Code