
@W-22699952@ HttpOnly id_token #3853

Closed
vcua-mobify wants to merge 1 commit into develop from vc/http-only-id_token

Conversation

@vcua-mobify

Contributor

This PR flips id_token to HttpOnly and strips the id_token field from the SLAS response body so the JWT is only readable via the cookie. The id_token cookie is intentionally not added to the upstream-proxy strip list — it carries no SCAPI authorization material and follows the same pattern as the other identity-bearing cookies (e.g. customer_id).

The commerce-sdk-react auth module already routes id_token reads/writes through the cookie store when enableHttpOnlySessionCookies is on (HTTPONLY_COOKIE_BACKED_KEYS, added in #3830), so no runtime change is needed there. With the cookie now HttpOnly, JS reads of id_token return '', matching the existing behavior for idp_access_token / idp_refresh_token. The doc comment on that set was updated to reflect this.

Types of Changes

  • Other changes (non-breaking change to harden cookie attributes when HttpOnly mode is enabled)

Changes

  • pwa-kit-runtime: idToken cookie config now sets httpOnly: true and declares slasKey: 'id_token', so the SLAS proxy emits the cookie HttpOnly and strips the id_token field from the response body.
  • pwa-kit-runtime: updated comments in process-token-response.js to reflect the new HttpOnly treatment.
  • commerce-sdk-react: updated the HTTPONLY_COOKIE_BACKED_KEYS doc comment to list id_token alongside idp_access_token and idp_refresh_token as HttpOnly/unreadable-from-JS keys included for routing symmetry.
  • Tests: moved idToken into the HttpOnly assertion group in httponly-cookie-config.test.js; flipped the cookie attribute assertion and added a body-strip assertion in process-token-response.test.js.
  • CHANGELOG entry added under v3.19.0-dev.

How to Test-Drive This PR

  1. Run a storefront with enableHttpOnlySessionCookies turned on against a SLAS proxy.
  2. Trigger a login (guest or registered) and inspect the response from /shopper/auth/v1/organizations/.../oauth2/token:
    • The Set-Cookie for id_token_{siteId} carries HttpOnly; Secure; Path=/.
    • The JSON response body no longer contains an id_token field.
  3. From the browser console, confirm document.cookie does not include id_token_{siteId}, while the cookie is still present in DevTools → Application → Cookies.
  4. On logout (/oauth2/revoke or equivalent), confirm id_token_{siteId} is expired (Max-Age=0 / Expires in the past).
  5. Run unit tests:
    • cd packages/pwa-kit-runtime && npm test -- --testPathPattern='httponly-cookie-config|process-token-response'

Checklists

General

  • Changes are covered by test cases
  • CHANGELOG.md updated with a short description of changes

Accessibility Compliance

  • There are no changes to UI

Localization

  • Changes include a UI text update in the Retail React App (which requires translation)
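The following is an added example, not code from the PR or from pwa-kit. It models the cookie treatment the description above lays out (a cookie config entry with httpOnly and slasKey, a proxy step that emits Set-Cookie and strips the HttpOnly-backed field from the JSON body, and the browser-side document.cookie view) so that the test-drive steps 2 through 4 can be checked on a constructed token response. Every identifier here (COOKIE_CONFIG, processTokenResponse, verifyHttpOnlyTreatment, expireCookie, the sample response values) is an assumption for illustration, not the project's API.

```javascript
'use strict';
// Added example, not pwa-kit code. Models the HttpOnly cookie treatment the PR
// describes; all names and values are hypothetical.

// Constructed cookie config in the shape the PR describes (httpOnly + slasKey).
// The non-HttpOnly entry is illustrative only, not the project's real setting.
const COOKIE_CONFIG = {
  accessToken: {name: 'access_token', httpOnly: true, slasKey: 'access_token'},
  refreshToken: {name: 'refresh_token', httpOnly: true, slasKey: 'refresh_token'},
  idToken: {name: 'id_token', httpOnly: true, slasKey: 'id_token'},
  customerId: {name: 'customer_id', httpOnly: false, slasKey: 'customer_id'}
};

// Constructed SLAS-style token response with dummy values (not real JWTs).
const SAMPLE_TOKEN_RESPONSE = {
  access_token: 'dummy.access.jwt',
  refresh_token: 'dummy-refresh',
  id_token: 'dummy.id.jwt',
  customer_id: 'abc123',
  expires_in: 1800,
  token_type: 'BEARER'
};

// Build one Set-Cookie header; Max-Age is taken from expires_in when present.
function buildSetCookie(name, value, {httpOnly, maxAge}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure'];
  if (httpOnly) parts.push('HttpOnly');
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  return parts.join('; ');
}

// Proxy-side step: emit cookies and strip HttpOnly-backed fields from the body
// so the JWT is only reachable through the cookie.
function processTokenResponse(body, siteId, config) {
  const out = {...body};
  const headers = [];
  for (const cookie of Object.values(config)) {
    if (!(cookie.slasKey in out)) continue;
    headers.push(buildSetCookie(`${cookie.name}_${siteId}`, out[cookie.slasKey],
      {httpOnly: cookie.httpOnly, maxAge: body.expires_in}));
    if (cookie.httpOnly) delete out[cookie.slasKey];
  }
  return {headers, body: out};
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return {name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attributes};
}

// Browser-side view: what document.cookie would expose. HttpOnly cookies and
// cookies expired with Max-Age=0 are not visible to script.
function documentCookieView(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => !c.attributes.httponly && c.attributes['max-age'] !== '0')
    .map((c) => `${c.name}=${c.value}`).join('; ');
}

// Check matching test-drive steps 2 and 3 for one cookie/body field pair.
function verifyHttpOnlyTreatment(result, cookieName, slasKey, siteId) {
  const header = result.headers.find((h) => h.startsWith(`${cookieName}_${siteId}=`));
  if (!header) return {ok: false, reason: 'cookie not set'};
  const {attributes} = parseSetCookie(header);
  if (!attributes.httponly || !attributes.secure || attributes.path !== '/') {
    return {ok: false, reason: 'missing HttpOnly/Secure/Path=/'};
  }
  if (slasKey in result.body) return {ok: false, reason: 'field still in body'};
  if (documentCookieView(result.headers).includes(`${cookieName}_${siteId}=`)) {
    return {ok: false, reason: 'visible to document.cookie'};
  }
  return {ok: true, reason: ''};
}

// Logout step (test-drive step 4): expire the cookie with Max-Age=0 and a past Expires.
function expireCookie(cookieName, siteId) {
  return `${cookieName}_${siteId}=; Path=/; Secure; HttpOnly; Max-Age=0; ` +
    'Expires=Thu, 01 Jan 1970 00:00:00 GMT';
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = processTokenResponse(SAMPLE_TOKEN_RESPONSE, 'RefArch', COOKIE_CONFIG);
  console.log(result.headers.join('\n'));
  console.log(JSON.stringify(result.body));
  console.log(verifyHttpOnlyTreatment(result, 'id_token', 'id_token', 'RefArch'));
}
```

Flipping idToken.httpOnly back to false in COOKIE_CONFIG reproduces the pre-PR shape: the id_token field stays in the body, the cookie appears in the document.cookie view, and verifyHttpOnlyTreatment reports the failure, which is the behaviour the moved test assertion in httponly-cookie-config.test.js is meant to guard.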

@vcua-mobify vcua-mobify requested a review from a team as a code owner May 28, 2026 18:52
@git2gus

git2gus Bot commented May 28, 2026


Git2Gus App is installed but the .git2gus/config.json doesn't have the right values. You should add the required configuration.

@cc-prodsec

cc-prodsec commented May 28, 2026

Collaborator

Snyk checks have passed. No issues have been found so far.

Scan Engine             Critical  High  Medium  Low  Total
Open Source Security    0         0     0       0    0 issues
Licenses                0         0     0       0    0 issues


@vcua-mobify vcua-mobify requested review from shethj and unandyala May 28, 2026 18:53
@vcua-mobify vcua-mobify added the skip changelog Skip the "Changelog Check" GitHub Actions step even if the Changelog.md files are not updated label May 28, 2026
@vcua-mobify

Contributor Author

Closing as requirements have changed and id_token will be non-HttpOnly. See https://salesforce-internal.slack.com/archives/C09T7DWHYNM/p1779995067480369
