Merge pull request #3621 from tvdeyen/allow-guest-token-cookie-domain

Allow to configure guest_token cookie options
solidusio · May 14, 2020 · b8296bd · b8296bd
2 parents 43cacf4 + 8caef37
commit b8296bd
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/core/lib/spree/app_configuration.rb b/core/lib/spree/app_configuration.rb
@@ -56,6 +56,10 @@ class AppConfiguration < Preferences::Configuration
     #   @return [Boolean] When false, customers must create an account to complete an order (default: +true+)
     preference :allow_guest_checkout, :boolean, default: true
 
+    # @!attribute [rw] guest_token_cookie_options
+    #   @return [Hash] Add additional guest_token cookie options here (ie. domain or path)
+    preference :guest_token_cookie_options, :hash, default: {}
+
     # @!attribute [rw] allow_return_item_amount_editing
     #   @return [Boolean] Determines whether an admin is allowed to change a return item's pre-calculated amount (default: +false+)
     preference :allow_return_item_amount_editing, :boolean, default: false

diff --git a/core/lib/spree/core/controller_helpers/auth.rb b/core/lib/spree/core/controller_helpers/auth.rb
@@ -42,10 +42,10 @@ def redirect_back_or_default(default)
 
         def set_guest_token
           unless cookies.signed[:guest_token].present?
-            cookies.permanent.signed[:guest_token] = {
+            cookies.permanent.signed[:guest_token] = Spree::Config[:guest_token_cookie_options].merge(
               value: SecureRandom.urlsafe_base64(nil, false),
               httponly: true
-            }
+            )
           end
         end
 

diff --git a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
@@ -45,6 +45,25 @@ def controller.index
       expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
       expect(response.cookies['guest_token']).not_to be_nil
     end
+
+    context 'with guest_token_cookie_options configured' do
+      it 'sends cookie with these options' do
+        stub_spree_preferences(guest_token_cookie_options: {
+          domain: :all,
+          path: '/api'
+        })
+        get :index
+        expect(response.headers["Set-Cookie"]).to match(/domain=\.test\.host; path=\/api/)
+      end
+
+      it 'never overwrites httponly' do
+        stub_spree_preferences(guest_token_cookie_options: {
+          httponly: false
+        })
+        get :index
+        expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
+      end
+    end
   end
 
   describe '#store_location' do