From 9c7904c9e0d5a04a03d3aac8c87481d33cbc6f8c Mon Sep 17 00:00:00 2001
From: Linus Flood
Date: Fri, 19 Sep 2025 12:55:53 +0000
Subject: [PATCH] Merged in fix/webview-auth-fix (pull request #2833)

Fix/webview auth fix

* Test

* Merge branch 'master' of bitbucket.org:scandic-swap/web into fix/webview-auth-fix

* Setting cookie instead of headers

Approved-by: Anton Gunnarsson
---
 apps/scandic-web/middlewares/webView.ts | 95 +++++++++++++++----------
 1 file changed, 57 insertions(+), 38 deletions(-)

diff --git a/apps/scandic-web/middlewares/webView.ts b/apps/scandic-web/middlewares/webView.ts
index b24635bdc..abee15790 100644
--- a/apps/scandic-web/middlewares/webView.ts
+++ b/apps/scandic-web/middlewares/webView.ts
@@ -69,27 +69,21 @@ export const middleware: NextMiddleware = async (request) => {
   const authorizationToken = request.headers.get("X-Authorization")
   const webviewTokenCookie = request.cookies.get("webviewToken")
 
-  if (
-    (webviewTokenCookie && webviewTokenCookie.value === authorizationToken) ||
-    (webviewTokenCookie && !authorizationToken)
-  ) {
-    // If the webviewToken cookie is present and matches the authorization token,
-    // we can skip decryption and just rewrite the request with the existing cookie.
-    // OR
-    // If the webviewToken cookie is present but no authorization token is provided
-    // we can skip the decryption and see if our cookie is valid.
-    // This handles when the app is navigating between pages inside the webview
-
-    return handleWebviewRewrite({
-      nextUrl,
-      headers,
-      decryptedData: null,
-      lang,
-      setCookie: false,
-    })
-  }
-
   try {
+    if (webviewTokenCookie && !authorizationToken) {
+      // If the webviewToken cookie is present but no authorization token is provided
+      // we can skip the decryption and see if our cookie is valid.
+      // This handles when the app is navigating between pages inside the webview
+
+      return handleWebviewRewrite({
+        nextUrl,
+        headers,
+        decryptedData: null,
+        lang,
+        setCookie: false,
+      })
+    }
+
     // Authorization header is required for webviews
     // It should be base64 encoded
     if (!authorizationToken) {
@@ -111,6 +105,19 @@ export const middleware: NextMiddleware = async (request) => {
       authorizationToken
     )
 
+    if (webviewTokenCookie && webviewTokenCookie.value === decryptedData) {
+      // If the webviewToken cookie is present and matches the authorization token,
+      // we can skip decryption and just rewrite the request with the existing cookie.
+
+      return handleWebviewRewrite({
+        nextUrl,
+        headers,
+        decryptedData: null,
+        lang,
+        setCookie: false,
+      })
+    }
+
     return handleWebviewRewrite({
       nextUrl,
       headers,
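Review bot: The cookie-only branch `if (webviewTokenCookie && !authorizationToken)` accepts the cookie on presence alone and hands `decryptedData: null` to handleWebviewRewrite, whose cookie-validation path lies outside this hunk; after this commit the cookie's value is the decrypted payload (set in the following hunk) rather than the encrypted X-Authorization token it held before, so whatever check the comment calls "see if our cookie is valid" must now accept the plaintext form, and if it only tests for presence the cookie is effectively an unsigned bearer credential. Worth confirming that path and stating the new contract where the branch is taken: `// The cookie carries the payload decrypted on an earlier request; handleWebviewRewrite is still responsible for validating it.`. The enclosing middleware function begins before this hunk.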
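Review bot: The comment on the new `webviewTokenCookie.value === decryptedData` branch says "we can skip decryption", but the call that produced decryptedData has already returned by the time this line runs, so what the branch actually skips is re-issuing the Set-Cookie for a payload the client already holds. Suggest `// Cookie already carries this request's decrypted payload; rewrite without re-issuing Set-Cookie.`. Because the match is strict string equality, any encoding applied by res.cookies.set on the way out and undone by request.cookies on the way in has to round-trip exactly, otherwise this branch never matches and every request re-sets the cookie; one test with a payload containing `;` or `=` would settle that. The fall-through return continues past the end of the hunk.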
@@ -143,14 +150,18 @@ async function handleWebviewRewrite({
   const path = nextUrl.pathname
 
   if (myStayWebviews.includes(path)) {
-    return NextResponse.next({
+    const res = NextResponse.next({
       request: { headers },
-      ...(setCookie && {
-        headers: {
-          "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
-        },
-      }),
     })
+    if (decryptedData && setCookie) {
+      res.cookies.set("webviewToken", decryptedData, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "strict",
+        path: "/",
+      })
+    }
+    return res
   }
 
   const pathNameWithoutLang = path.replace(`/${lang}/webview`, "")
@@ -165,31 +176,39 @@ async function handleWebviewRewrite({
   }
 
   if (myPagesWebviews.includes(path)) {
-    return NextResponse.rewrite(
+    const res = NextResponse.rewrite(
       new URL(`/${lang}/webview/account-page/${uid}`, nextUrl),
       {
         request: { headers },
-        ...(setCookie && {
-          headers: {
-            "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
-          },
-        }),
       }
     )
+    if (decryptedData && setCookie) {
+      res.cookies.set("webviewToken", decryptedData, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "strict",
+        path: "/",
+      })
+    }
+    return res
   }
 
   if (loyaltyPagesWebviews.includes(path)) {
-    return NextResponse.rewrite(
+    const res = NextResponse.rewrite(
       new URL(`/${lang}/webview/loyalty-page/${uid}`, nextUrl),
       {
         request: { headers },
-        ...(setCookie && {
-          headers: {
-            "Set-Cookie": `webviewToken=${decryptedData}; Secure; HttpOnly; Path=/; SameSite=Strict;`,
-          },
-        }),
       }
     )
+    if (decryptedData && setCookie) {
+      res.cookies.set("webviewToken", decryptedData, {
+        httpOnly: true,
+        secure: true,
+        sameSite: "strict",
+        path: "/",
+      })
+    }
+    return res
   }
 
   return notFound()
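Review bot: The cookie-issuing block `if (decryptedData && setCookie) { res.cookies.set("webviewToken", decryptedData, { httpOnly: true, secure: true, sameSite: "strict", path: "/" }) }` is pasted verbatim in the myStayWebviews branch of this hunk and in both branches of the following hunk (myPagesWebviews, loyaltyPagesWebviews); a single helper keeps the three attribute sets from drifting, which matters for a session cookie whose httpOnly/secure/sameSite flags are the control. The helper's parameter types should mirror those already declared on handleWebviewRewrite, whose signature is outside the hunk. The new `decryptedData &&` guard also stops the old spread from emitting `webviewToken=null` when setCookie was true with no payload, and deserves a one-line comment so it does not read as defensive noise.
```typescript
/** Attaches the webview session cookie when a payload was decrypted on this request. */
function setWebviewTokenCookie(
  res: NextResponse,
  decryptedData: string | null,
  setCookie: boolean
): NextResponse {
  // Skips both the cookie-only navigation path (setCookie false) and a
  // missing payload, which the old Set-Cookie header rendered as `webviewToken=null`.
  if (decryptedData && setCookie) {
    res.cookies.set("webviewToken", decryptedData, {
      httpOnly: true,
      secure: true,
      sameSite: "strict",
      path: "/",
    })
  }
  return res
}

  if (myStayWebviews.includes(path)) {
    const res = NextResponse.next({ request: { headers } })
    return setWebviewTokenCookie(res, decryptedData, setCookie)
  }
  // … unchanged: pathNameWithoutLang / uid handling, myPagesWebviews and loyaltyPagesWebviews branches with the same one-line replacement …
```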