Allow ssr cookies #1318
LGTM!
…into ssr-allow-cookies
…into ssr-allow-cookies
@bredmond-sf don't we want to test this in local dev / build-dev-server.js?
I was thinking about our recent conversation and realized that although we don't have .env.development you could still test this locally via SSR_ALLOW_COOKIES=true && npm start if you add the change there
Also... @bredmond-sf you need to run npm run lint:fix from the monorepo root to get passing tests and fix your linting errors
@@ -138,6 +141,12 @@ export const RemoteServerFactory = { | |||
// This is the ORIGIN under which we are serving the page. | |||
// because it's an origin, it does not end with a slash. | |||
options.appOrigin = process.env.APP_ORIGIN = `${options.protocol}://${options.appHostname}` | |||
|
|||
if ('SSR_ALLOW_COOKIES' in process.env) { |
super nit: based on this discussion we could strip the ssr_ prefix everywhere and just use allow_cookies throughout the codebase
As per our Slack discussion, we'll want to use a reserved prefix here to avoid clashes with user provided environment variables.
A good name would be MRT_ALLOW_COOKIES as the MRT prefix is reserved and there is emerging precedent for using it in the code.
// Toggle cookies being passed and set | ||
ssrAllowCookies: false |
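Review bot: the comment above `ssrAllowCookies: false` does not say which state is the safe one. Suggest spelling out that the default `false` keeps the existing behaviour (Cookie headers stripped from incoming requests, cookies not settable on responses) and that `true` lets both through, so a reader of the defaults does not have to find the middleware to learn what the toggle changes.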
The impact of this setting is that when set during local development, the development server will not strip cookies sent in HTTP requests and will not strip cookies set in HTTP responses.
I don't believe we need the ssr prefix here.
Is there a name we could use that suggests that this setting is only for local development and is not respected in MRT?
localAllowCookies would work for me. devAllowCookies could work but seems less clear to me.
|
||
if ('SSR_ALLOW_COOKIES' in process.env) { | ||
// Toggle cookies being passed and set | ||
options.ssrAllowCookies = process.env.SSR_ALLOW_COOKIES?.toLowerCase() === 'true' |
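Review bot: on the assignment line, `process.env.SSR_ALLOW_COOKIES?.toLowerCase() === 'true'` turns every value other than `true` (for example `1`, `yes`, or `true` with trailing whitespace) into `false` without any signal, and because the guard is `'SSR_ALLOW_COOKIES' in process.env` that `false` also overwrites whatever the caller passed in `options.ssrAllowCookies`. Consider logging a warning when the variable is present but is neither `true` nor `false`, and documenting that the environment variable takes precedence over the option. The `?.` is redundant inside the `in` guard, since a key that is present in `process.env` always holds a string.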
Nice guard. This is also the right typing here, because Lambda will pass us in a string.
Looks good 🚢
@bfeister I dug a bit and understand this better. I'm using the mixin now in dev server
@johnboxall I think I've got this right now
@bfeister thank you, done!
…into ssr-allow-cookies
@@ -899,6 +915,9 @@ export const RemoteServerFactory = { | |||
* contain both the certificate and the private key. | |||
* @param {function} customizeApp - a callback that takes an express app | |||
* as an argument. Use this to customize the server. | |||
* @param {Boolean} [options.ssrAllowCookies] - This boolean value indicates |
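Review bot: the new `@param {Boolean} [options.ssrAllowCookies]` line is placed after `customizeApp`, which is documented as a separate argument, so an `options.*` property listed after it reads as out of order; move it up next to the other option documentation. The type is also capitalised as `{Boolean}` while the line above it uses lowercase `{function}`; `{boolean}` would keep the block consistent.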
should this now be:
* @param {Boolean} [options.ssrAllowCookies] - This boolean value indicates | |
* @param {Boolean} [options.allowCookies] - This boolean value indicates |
@@ -920,8 +939,9 @@ export const RemoteServerFactory = { | |||
* ExpressJS middleware that processes any non-proxy request passing | |||
* through the Express app. | |||
* | |||
* Strips Cookie headers from incoming requests, and configures the | |||
* Response so that it cannot have cookies set on it. | |||
* If ssrAllowCookies is false, strips Cookie headers from incoming requests, and |
* If ssrAllowCookies is false, strips Cookie headers from incoming requests, and | |
* If allowCookies is false, strips Cookie headers from incoming requests, and |
/** | ||
* Express handler that sets a simple cookie and returns a JSON response with | ||
* diagnostic values. | ||
*/ | ||
const cookieTest = async (req, res) => { |
is it worth including a comment stating that you need to use /cookie?name=xxx&value=xxx to set the cookie?
absolutely, done
@bredmond-sf – thinking ahead, do you also need an endpoint that returns a "private" cache-control directive so that we can confirm that not caching works correctly?
Good plan, done!
…into ssr-allow-cookies
* ?name=test-name&value=test-value to set a cookie. | ||
*/ | ||
const cookieTest = async (req, res) => { | ||
if (Object.hasOwn(req.query, 'name')) { |
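Review bot: `Object.hasOwn(req.query, 'name')` only proves the key is present, so `?name=` (an empty string) and a repeated `?name=a&name=b` (which a query parser may hand over as an array) both pass the guard. Check that `name` and `value` are non-empty strings before setting the cookie and return a 400 otherwise, so the diagnostic response always reflects a cookie that was actually set.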
curious why did you choose to do Object.hasOwn instead of just
if (req.query.name) {
Description
SSR currently blocks setting cookies and strips them from requests because our CloudFront doesn't pass cookies. We are adding an environment setting to allow it in CloudFront and this allows the setting to disable the cookie blocking code from here.
Types of Changes
Changes
How to Test-Drive This PR
Checklists
General
Accessibility Compliance
You must check off all items in one of the following two lists:
or...
Localization
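The behaviour the description refers to, as an added example that is not code from this PR or the project: a strict parse of SSR_ALLOW_COOKIES feeding a middleware that strips Cookie and blocks Set-Cookie unless the flag is enabled. The names `parseAllowCookies`, `cookieGate` and `simulate`, and the request and response objects, are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the project's implementation.

// Same strict parse as the reviewed line: only the string "true" (any case)
// enables cookies. Unset, empty, "1" or "yes" keep the safe default (false).
function parseAllowCookies(env) {
    return 'SSR_ALLOW_COOKIES' in env &&
        String(env.SSR_ALLOW_COOKIES).toLowerCase() === 'true'
}

// Middleware factory. With allowCookies false it removes the Cookie request
// header and turns Set-Cookie writes on the response into no-ops.
function cookieGate(allowCookies) {
    return (req, res, next) => {
        if (!allowCookies) {
            delete req.headers.cookie
            const setHeader = res.setHeader.bind(res)
            res.setHeader = (name, value) =>
                String(name).toLowerCase() === 'set-cookie' ? res : setHeader(name, value)
        }
        next()
    }
}

// Constructed request/response pair standing in for one SSR request.
function simulate(env) {
    const req = {headers: {cookie: 'session=constructed-value', accept: 'text/html'}}
    const sent = {}
    const res = {
        setHeader(name, value) {
            sent[name.toLowerCase()] = value
            return this
        }
    }
    let seenByApp
    cookieGate(parseAllowCookies(env))(req, res, () => {
        seenByApp = req.headers.cookie // what the page handler would read
        res.setHeader('Set-Cookie', 'name=test-name')
        res.setHeader('Cache-Control', 'private')
    })
    return {requestCookie: seenByApp, responseHeaders: sent}
}

console.log(simulate({}))
console.log(simulate({SSR_ALLOW_COOKIES: 'TRUE'}))
```

Non-cookie headers such as Cache-Control pass through in both modes, which is what makes the "private" directive checkable once cookies are allowed.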