
Handle refresh token errors#3771

Merged
unandyala merged 3 commits intofeature/httponly-session-cookiesfrom
unandyala.fix-token-error
Mar 31, 2026

Conversation


@unandyala unandyala commented Mar 30, 2026

  • Add cc-nx-exists non-HttpOnly indicator cookie so the client SDK can detect whether an HttpOnly refresh token cookie exists (JavaScript cannot read HttpOnly cookies directly)
  • Fix first-visit unnecessary refresh token request by checking cc-nx-exists before attempting a refresh call — previously, with enableHttpOnlySessionCookies=true, every first visit made a wasted /oauth2/token call that failed with 400
  • Return 401 early from the server proxy when the refresh token HttpOnly cookie is missing, instead of forwarding a bad request to SLAS

Changes

  • commerce-sdk-react/src/auth/index.ts: Add cc-nx-exists to AuthDataKeys/DATA_MAP, add hasHttpOnlyRefreshToken() helper that checks the indicator cookie, update refreshAccessToken() to use it
  • pwa-kit-runtime/src/ssr/server/build-remote-server.js: Add RefreshTokenNotFoundError, make setRefreshTokenHeader throw when the refresh token cookie is missing, handle the error in the proxy to return 401 with "invalid refresh_token" message
  • pwa-kit-runtime/src/ssr/server/process-token-response.js: Set cc-nx-exists_{siteId} cookie alongside the HttpOnly refresh token cookie with the same expiry

Before the fix

httponly-refresh-before.mov

After the fix

httponly-refresh-after.mov

Test plan

  • Clear all cookies, verify first visit goes directly to guest login (no 400 on refresh attempt)
  • Verify cc-nx-exists_{siteId}=1 cookie is set after successful login
  • Verify refresh token flow works on subsequent visits when cc-nx-exists is present
  • Verify clearing only cc-nx-exists causes fallback to guest login (not a 400/409)
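To make the mechanism described above concrete, here is an added JavaScript example that is not pwa-kit's own code. It models the three pieces the PR describes: the server emitting a non-HttpOnly cc-nx-exists indicator beside the HttpOnly refresh cookie with the same expiry, the client SDK deciding between a refresh call and guest login from the indicator alone (script cannot see HttpOnly cookies), and the server proxy answering 401 locally when the refresh cookie is absent instead of forwarding a request SLAS would reject. Function names, the 401 body shape, the cookie attributes and the sample site id are assumptions, not the project's API.

```javascript
// Added example, not pwa-kit's own code. Function names, the 401 body shape and the cookie
// attributes are assumptions; cookie names (cc-nx, cc-nx-g, cc-nx-exists) follow the PR thread.

const INDICATOR_COOKIE = 'cc-nx-exists'
// The thread states only one refresh cookie (cc-nx for registered, cc-nx-g for guest) exists at a
// time, so a single indicator cookie is enough for both cases.
const REFRESH_COOKIES = ['cc-nx', 'cc-nx-g']

// Server side (token response handling): emit the HttpOnly refresh cookie and the indicator with
// the same Max-Age. The indicator carries no secret, only the fact that a refresh token exists.
function buildSetCookieHeaders({siteId, refreshToken, isGuest, expiresInSeconds}) {
  const refreshName = isGuest ? 'cc-nx-g' : 'cc-nx'
  const attrs = `Max-Age=${expiresInSeconds}; Path=/; Secure; SameSite=Lax`
  return [
    `${refreshName}_${siteId}=${encodeURIComponent(refreshToken)}; ${attrs}; HttpOnly`,
    `${INDICATOR_COOKIE}_${siteId}=1; ${attrs}`
  ]
}

// Parse a Cookie request header or a document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {}
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=')
    if (eq < 0) continue
    const name = part.slice(0, eq).trim()
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim())
  }
  return cookies
}

// Client SDK side: document.cookie never exposes HttpOnly cookies, so the SDK consults the
// indicator instead of attempting a refresh that would fail with 400 on a first visit.
function hasHttpOnlyRefreshToken(documentCookie, siteId) {
  return parseCookies(documentCookie)[`${INDICATOR_COOKIE}_${siteId}`] === '1'
}

function chooseAuthFlow(documentCookie, siteId) {
  return hasHttpOnlyRefreshToken(documentCookie, siteId) ? 'refresh' : 'guest-login'
}

// Server proxy side: the browser does send the HttpOnly cookie, so the proxy can read it; when it
// is absent the proxy answers 401 itself rather than forwarding a bad request to SLAS.
class RefreshTokenNotFoundError extends Error {}

function readRefreshTokenCookie(requestCookieHeader, siteId) {
  const cookies = parseCookies(requestCookieHeader)
  for (const name of REFRESH_COOKIES) {
    const token = cookies[`${name}_${siteId}`]
    if (token) return token
  }
  throw new RefreshTokenNotFoundError('refresh token cookie missing')
}

function proxyRefresh(requestCookieHeader, siteId, forwardToSlas) {
  try {
    const refreshToken = readRefreshTokenCookie(requestCookieHeader, siteId)
    return forwardToSlas(refreshToken)
  } catch (err) {
    if (err instanceof RefreshTokenNotFoundError) {
      return {status: 401, body: {message: 'invalid refresh_token'}}
    }
    throw err
  }
}

// Stand-alone walkthrough mirroring the PR's test plan, using constructed cookie values.
function walkthrough() {
  const siteId = 'RefArch' // constructed sample site id
  const [refreshCookie, indicatorCookie] = buildSetCookieHeaders({
    siteId, refreshToken: 'constructed-refresh-token', isGuest: false, expiresInSeconds: 7776000
  })
  const documentCookie = indicatorCookie.split(';')[0]                       // what script sees
  const requestHeader = `${refreshCookie.split(';')[0]}; ${documentCookie}`  // what the proxy sees
  const forward = (token) => ({status: 200, body: {token}})
  const neverForward = () => { throw new Error('proxy must not forward without a cookie') }
  return {
    firstVisit: chooseAuthFlow('', siteId),                 // 'guest-login', no wasted /oauth2/token call
    returningVisit: chooseAuthFlow(documentCookie, siteId), // 'refresh'
    proxyWithCookie: proxyRefresh(requestHeader, siteId, forward).status,        // 200
    proxyWithoutCookie: proxyRefresh(documentCookie, siteId, neverForward).status // 401
  }
}

console.log(walkthrough())
```

Clearing only cc-nx-exists while the HttpOnly cookie survives is covered by the same logic: the client falls back to guest login because the indicator is gone, which is the behaviour the test plan asks for.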

@unandyala unandyala requested a review from a team as a code owner March 30, 2026 21:29

cc-prodsec commented Mar 30, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues


@unandyala unandyala changed the base branch from develop to feature/httponly-session-cookies March 30, 2026 21:50
| 'idp_refresh_token'
| 'dnt'
| 'cc-at-expires'
| 'cc-nx-exists'
Contributor


Just wanted to understand better: why is this just a logged-in shopper problem? Why don't we need a cc-nx-g-exists?

Contributor Author


@shethj this is for both. We don't need both cc-nx-g-exists and cc-nx-exists, as there will be only one (either cc-nx-g or cc-nx) at a time.

@unandyala unandyala merged commit 6f3f9f1 into feature/httponly-session-cookies Mar 31, 2026
42 checks passed
@unandyala unandyala deleted the unandyala.fix-token-error branch March 31, 2026 17:27