Add Bearer and refresh token injection for SLAS logout with HttpOnly cookies#3699
Merged
unandyala merged 7 commits into feature/httponly-session-cookies (Mar 4, 2026)
Conversation
…logout

When HttpOnly session cookies are enabled, the shopper's access token and refresh token are stored in HttpOnly cookies and are not accessible to client-side JavaScript. The SLAS /oauth2/logout endpoint requires both a Bearer token in the Authorization header and a refresh_token query parameter. This change injects both from HttpOnly cookies in the SLAS private client proxy.

Also moves SLAS-specific Bearer token logic out of configure-proxy.js (regular /mobify/proxy path) into the SLAS private client proxy where it belongs, since SLAS calls don't go through the regular proxy when useSLASPrivateClient is enabled.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator
✅ Snyk checks have passed. No issues have been found so far.
unandyala commented on Mar 3, 2026:
| */ | ||
| _configureProxyConfigs(options) { | ||
| const siteId = options.siteId || null | ||
| const slasEndpointsRequiringAccessToken = options.slasEndpointsRequiringAccessToken |
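Review bot: the rendered fragment has lost its +/- markers, so it is not visible whether "const slasEndpointsRequiringAccessToken = options.slasEndpointsRequiringAccessToken" is the removed side of this hunk; since the PR drops that parameter from configure-proxy.js, confirm that no remaining caller of _configureProxyConfigs(options) still passes it and that the JSDoc closed by the "*/" just above no longer lists it, otherwise the option is read and silently ignored.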
unandyala (Contributor, Author):
Moved slasEndpointsRequiringAccessToken to the SLAS private proxy because SLAS calls do not go through the SCAPI proxy (/mobify/proxy).
vcua-mobify (Contributor) approved these changes on Mar 4, 2026 and left a comment:
These changes make sense to me. Thanks for cleaning up configure-proxy.
shethj reviewed on Mar 4, 2026:
| } | ||
|
|
||
| // Inject refresh_token into query string from HttpOnly cookie | ||
| // refresh_token ishouls required for /oauth2/logout |
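Review bot: the comment two lines up says the refresh token is placed into the query string; query strings are what proxies and upstream services typically write to access logs and include in error reports, so make sure the SLAS private client proxy's request logging redacts refresh_token (or logs only the path) before this lands. The last line also has a typo ("ishouls"); it should read "// refresh_token is required for /oauth2/logout".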
shethj (Contributor) suggested a change:
| // refresh_token ishouls required for /oauth2/logout | |
| // refresh_token is required for /oauth2/logout |
shethj approved these changes on Mar 4, 2026.
Merged commit 6dd7f28 into feature/httponly-session-cookies (45 of 47 checks passed).
Summary

- Inject Bearer token (from cc-at_{siteId} HttpOnly cookie) and refresh token (from cc-nx_{siteId} or cc-nx-g_{siteId} HttpOnly cookie) into SLAS private client proxy requests for endpoints like /oauth2/logout
- Move SLAS-specific Bearer token logic out of configure-proxy.js (regular /mobify/proxy path) into the SLAS private client proxy in build-remote-server.js, since SLAS calls don't go through the regular proxy when useSLASPrivateClient is enabled
- configure-proxy.js: remove the slasEndpointsRequiringAccessToken parameter — all /shopper/auth/ endpoints are now skipped in the regular proxy
- httponly-logout.mov
Test plan

- build-remote-server tests pass (53/53) — includes new test verifying Bearer token and refresh_token injection from HttpOnly cookies for logout
- configure-proxy tests pass (10/10) — updated to reflect SLAS auth endpoints being fully handled by SLAS private proxy

🤖 Generated with Claude Code
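The injection that the commit message and the Summary describe (Bearer token from the cc-at_{siteId} cookie, refresh_token query parameter from cc-nx_{siteId} or cc-nx-g_{siteId}, applied only to /oauth2/logout), written out as an added example that is not the PR's or the project's own code: a framework-agnostic Node function plus constructed sample requests covering the registered-shopper, guest, other-endpoint and missing-cookie cases. The function names, the request shape, the organization id in the path and every token value are assumptions made for the example.

```javascript
// Added example, not the PR's code. Cookie names cc-at_{siteId}, cc-nx_{siteId}
// and cc-nx-g_{siteId} are the ones the PR summary names; function names,
// request shape and sample values are assumed.

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
    const cookies = {}
    for (const part of (header || '').split(';')) {
        const eq = part.indexOf('=')
        if (eq < 0) continue
        const name = part.slice(0, eq).trim()
        if (!name) continue
        let value = part.slice(eq + 1).trim()
        try {
            value = decodeURIComponent(value)
        } catch (_) {
            // a value that is not valid percent-encoding is kept as-is
        }
        cookies[name] = value
    }
    return cookies
}

// Registered-shopper refresh token first, then the guest one, else null.
function refreshTokenFromCookies(cookies, siteId) {
    return cookies[`cc-nx_${siteId}`] || cookies[`cc-nx-g_${siteId}`] || null
}

// Build the outgoing SLAS request from the proxied one. Only /oauth2/logout is
// touched; every other path passes through unchanged. The shopper's Cookie
// header is never forwarded upstream.
function injectLogoutCredentials(req, siteId) {
    const url = new URL(req.url, 'http://proxy.invalid') // base only so relative paths parse
    const headers = {...req.headers}
    delete headers.cookie

    if (!url.pathname.endsWith('/oauth2/logout')) {
        return {url: url.pathname + url.search, headers, injected: false}
    }

    const cookies = parseCookies(req.headers.cookie)
    const accessToken = cookies[`cc-at_${siteId}`]
    const refreshToken = refreshTokenFromCookies(cookies, siteId)
    if (!accessToken || !refreshToken) {
        // SLAS requires both; report it here instead of forwarding a request that will be rejected
        return {
            url: url.pathname + url.search,
            headers,
            injected: false,
            error: 'missing access or refresh token cookie'
        }
    }

    // The HttpOnly cookie is the source of truth: overwrite anything the client sent.
    headers.authorization = `Bearer ${accessToken}`
    url.searchParams.set('refresh_token', refreshToken)
    return {url: url.pathname + url.search, headers, injected: true}
}

// Constructed sample traffic; the site id, organization id and tokens are made up.
const SITE_ID = 'RefArch'
const SLAS_PREFIX = '/shopper/auth/v1/organizations/f_ecom_example/'

function demoRequests() {
    const registered = {
        url: SLAS_PREFIX + 'oauth2/logout?client_id=constructed-client',
        headers: {
            accept: 'application/json',
            cookie: `cc-at_${SITE_ID}=at-constructed-123; cc-nx_${SITE_ID}=nx-constructed-456`
        }
    }
    const guest = {
        url: SLAS_PREFIX + 'oauth2/logout',
        headers: {cookie: `cc-at_${SITE_ID}=at-constructed-123; cc-nx-g_${SITE_ID}=nxg-constructed-789`}
    }
    const token = {url: SLAS_PREFIX + 'oauth2/token', headers: {cookie: registered.headers.cookie}}
    const noCookies = {url: SLAS_PREFIX + 'oauth2/logout', headers: {}}
    return {
        registered: injectLogoutCredentials(registered, SITE_ID),
        guest: injectLogoutCredentials(guest, SITE_ID),
        token: injectLogoutCredentials(token, SITE_ID),
        noCookies: injectLogoutCredentials(noCookies, SITE_ID)
    }
}

if (typeof require !== 'undefined' && require.main === module) {
    console.log(JSON.stringify(demoRequests(), null, 2))
}
```

Run it with node to print the four results. Dropping the Cookie header before forwarding and overwriting any client-supplied Authorization header keep the HttpOnly cookie as the only source of the tokens, which is the property the HttpOnly design is meant to guarantee; the other-endpoint case shows that /oauth2/token is left untouched.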