@W-22283814: Forward x-sfdc-access-control header and preserve User-Agent in local dev proxy

Update the local dev proxy to conditionally forward the x-sfdc-access-control
header to SCAPI proxy targets whose hostname matches a configured suffix list,
mirroring the Lambda@Edge behavior from portal_app PRs 7680 and 7712. Also
preserve the original User-Agent header in non-caching proxy requests instead
of overwriting it with 'Amazon CloudFront'.

Author: kieran-sf

packages/mrt-utilities/src/middleware/middleware.ts

@@ -15,7 +15,7 @@
  * @version 0.0.1
  */
 
-import {Headers} from '../utils/ssr-proxying.js';
+import {Headers, DEFAULT_ACCESS_CONTROL_FORWARDING_HOSTNAMES} from '../utils/ssr-proxying.js';
 import {
   configureProxying,
   type ProxyResult,
@@ -327,12 +327,21 @@ export const createMRTProxyMiddlewares = (
   appProtocol: string = 'http',
   includeCaching: boolean = false,
   createProxyFn?: CreateProxyMiddlewareFn,
+  accessControlHeaderForwardingHostnames: string[] = DEFAULT_ACCESS_CONTROL_FORWARDING_HOSTNAMES,
+  preserveUserAgent: boolean = true,
 ): ProxyResult[] => {
   if (!proxyConfigs) {
     return [];
   }
   const {appHostname} = getRequestProcessorParameters();
-  const proxies: ProxyResult[] = configureProxying(proxyConfigs, appHostname, appProtocol, createProxyFn);
+  const proxies: ProxyResult[] = configureProxying(
+    proxyConfigs,
+    appHostname,
+    appProtocol,
+    createProxyFn,
+    accessControlHeaderForwardingHostnames,
+    preserveUserAgent,
+  );
   const middlewares: ProxyResult[] = [];
   proxies.forEach((proxy) => {
     const proxyPath = `${PROXY_PATH_BASE}/${proxy.path}`;

packages/mrt-utilities/src/utils/configure-proxying.ts

@@ -35,6 +35,10 @@ interface ApplyProxyRequestHeadersParams {
   targetHost: string;
   /** The protocol to use for the target */
   targetProtocol: string;
+  /** Hostname suffixes for which x-sfdc-access-control should be forwarded */
+  accessControlHeaderForwardingHostnames?: string[];
+  /** When true, preserve the original User-Agent header in non-caching proxy requests */
+  preserveUserAgent?: boolean;
   /** @internal Test hook: override rewrite function */
   rewriteRequestHeaders?: (
     opts: Parameters<typeof rewriteProxyRequestHeaders>[0],
@@ -57,6 +61,10 @@ interface ConfigureProxyParams {
   appProtocol?: string;
   /** Whether this is a caching proxy */
   caching?: boolean;
+  /** Hostname suffixes for which x-sfdc-access-control should be forwarded */
+  accessControlHeaderForwardingHostnames?: string[];
+  /** When true, preserve the original User-Agent header in non-caching proxy requests */
+  preserveUserAgent?: boolean;
 }
 
 /**
@@ -122,6 +130,8 @@ export const applyProxyRequestHeaders = ({
   proxyPath,
   targetHost,
   targetProtocol,
+  accessControlHeaderForwardingHostnames,
+  preserveUserAgent,
   rewriteRequestHeaders: rewriteFn,
 }: ApplyProxyRequestHeadersParams): void => {
   const headers = incomingRequest.headers;
@@ -133,6 +143,8 @@ export const applyProxyRequestHeaders = ({
     headerFormat: 'http',
     targetHost,
     targetProtocol,
+    accessControlHeaderForwardingHostnames,
+    preserveUserAgent,
   });
 
   // Copy any new and updated headers to the proxyRequest
@@ -195,6 +207,8 @@ export const configureProxy = (
     targetHost,
     appProtocol = /* istanbul ignore next */ 'https',
     caching,
+    accessControlHeaderForwardingHostnames,
+    preserveUserAgent,
   }: ConfigureProxyParams,
   createProxyFn?: CreateProxyMiddlewareFn,
 ): ProxyResult => {
@@ -242,6 +256,8 @@ export const configureProxy = (
         proxyPath,
         targetHost,
         targetProtocol,
+        accessControlHeaderForwardingHostnames,
+        preserveUserAgent,
       });
     },
 
@@ -302,6 +318,8 @@ export const configureProxying = (
   appHostname: string,
   appProtocol: string = 'https',
   createProxyFn?: CreateProxyMiddlewareFn,
+  accessControlHeaderForwardingHostnames?: string[],
+  preserveUserAgent?: boolean,
 ): ProxyResult[] => {
   const proxies: ProxyResult[] = [];
   proxyConfigs.forEach((config) => {
@@ -315,6 +333,8 @@ export const configureProxying = (
         appProtocol,
         appHostname,
         caching: false,
+        accessControlHeaderForwardingHostnames,
+        preserveUserAgent,
       },
       createProxyFn,
     );

packages/mrt-utilities/src/utils/ssr-proxying.ts

@@ -766,7 +766,24 @@ export const rewriteProxyResponseHeaders = ({
  * List of x- headers that are removed from proxied requests.
  * @private
  */
-export const X_HEADERS_TO_REMOVE_PROXY: string[] = ['x-mobify-access-key', 'x-sfdc-access-control'];
+export const X_HEADERS_TO_REMOVE_PROXY: string[] = ['x-mobify-access-key'];
+
+const X_SFDC_ACCESS_CONTROL = 'x-sfdc-access-control';
+
+export const DEFAULT_ACCESS_CONTROL_FORWARDING_HOSTNAMES: string[] = [
+  '.commercecloud.salesforce.com',
+];
+
+export const hostnameMatchesTransformationList = (
+  hostname: string,
+  hostnameSuffixes?: string[] | null,
+): boolean => {
+  if (!hostnameSuffixes || hostnameSuffixes.length === 0) {
+    return false;
+  }
+  const hostnameOnly = hostname.split(':')[0];
+  return hostnameSuffixes.some((suffix) => hostnameOnly.endsWith(suffix));
+};
 
 /**
  * List of x- headers that are removed from origin requests.
@@ -846,6 +863,10 @@ interface RewriteProxyRequestHeadersParams {
   targetHost: string;
   /** true to log operations */
   logging?: boolean;
+  /** hostname suffixes for which x-sfdc-access-control should be forwarded; empty/undefined = always strip */
+  accessControlHeaderForwardingHostnames?: string[];
+  /** when true, preserve the original User-Agent header in non-caching proxy requests */
+  preserveUserAgent?: boolean;
 }
 
 /**
@@ -869,6 +890,8 @@ export const rewriteProxyRequestHeaders = ({
   targetProtocol,
   targetHost,
   logging = false,
+  accessControlHeaderForwardingHostnames,
+  preserveUserAgent = false,
 }: RewriteProxyRequestHeadersParams): AWSHeaders | HTTPHeaders | IncomingHttpHeaders => {
   if (!headers) {
     return {};
@@ -878,6 +901,12 @@ export const rewriteProxyRequestHeaders = ({
   // Strip out some specific X-headers
   X_HEADERS_TO_REMOVE_PROXY.forEach((key) => workingHeaders.deleteHeader(key));
 
+  // Conditionally strip x-sfdc-access-control.
+  // Forward it only for non-caching requests to hosts matching the suffix list.
+  if (caching || !hostnameMatchesTransformationList(targetHost, accessControlHeaderForwardingHostnames)) {
+    workingHeaders.deleteHeader(X_SFDC_ACCESS_CONTROL);
+  }
+
   // For a caching proxy, apply special header processing
   if (caching) {
     // Remove any headers that are not on the allowlist
@@ -912,9 +941,9 @@ export const rewriteProxyRequestHeaders = ({
     workingHeaders.setHeader(ORIGIN, targetOrigin);
   }
 
-  // Replace some headers with hardwired values
-  if (workingHeaders.getHeader(USER_AGENT)) {
-    // Mimic the behaviour of CloudFront
+  // Replace User-Agent unless preserveUserAgent is set for non-caching proxies.
+  // Caching proxies always override User-Agent (handled above).
+  if (!preserveUserAgent && workingHeaders.getHeader(USER_AGENT)) {
     workingHeaders.setHeader(USER_AGENT, 'Amazon CloudFront');
   }
 

packages/mrt-utilities/test/utils/configure-proxying.test.ts

@@ -96,6 +96,45 @@ describe('proxying', () => {
       expect(mockProxyRequest.setHeader.called).to.be.false;
       expect(mockProxyRequest.removeHeader.called).to.be.false;
     });
+
+    it('forwards x-sfdc-access-control when hostname matches forwarding list', () => {
+      mockIncomingRequest.headers = {
+        'x-sfdc-access-control': 'test-value',
+        'content-type': 'application/json',
+      };
+
+      applyProxyRequestHeaders({
+        proxyRequest: mockProxyRequest as unknown as ClientRequest,
+        incomingRequest: mockIncomingRequest as unknown as IncomingMessage,
+        caching: false,
+        proxyPath: '/api',
+        targetHost: 'api.commercecloud.salesforce.com',
+        targetProtocol: 'https',
+        accessControlHeaderForwardingHostnames: ['.commercecloud.salesforce.com'],
+      });
+
+      expect(mockProxyRequest.setHeader.calledWith('x-sfdc-access-control', 'test-value')).to.be.true;
+      expect(mockProxyRequest.removeHeader.calledWith('x-sfdc-access-control')).to.be.false;
+    });
+
+    it('strips x-sfdc-access-control when hostname does not match forwarding list', () => {
+      mockIncomingRequest.headers = {
+        'x-sfdc-access-control': 'test-value',
+        'content-type': 'application/json',
+      };
+
+      applyProxyRequestHeaders({
+        proxyRequest: mockProxyRequest as unknown as ClientRequest,
+        incomingRequest: mockIncomingRequest as unknown as IncomingMessage,
+        caching: false,
+        proxyPath: '/api',
+        targetHost: 'other.example.com',
+        targetProtocol: 'https',
+        accessControlHeaderForwardingHostnames: ['.commercecloud.salesforce.com'],
+      });
+
+      expect(mockProxyRequest.removeHeader.calledWith('x-sfdc-access-control')).to.be.true;
+    });
   });
 
   describe('configureProxy', () => {