From 38e00349dc0138b383531d7b4b4c7730af973e0f Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Mon, 11 Nov 2024 14:16:48 +0000 Subject: [PATCH 1/2] CDPT-2227 Delete production CloudFront cookies when browsing dev, staging, & demo. --- .../inc/amazon-s3-and-cloudfront-signing.php | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php b/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php index b4ddcfda7..7b6582e3e 100644 --- a/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php +++ b/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php @@ -292,6 +292,9 @@ public function handlePageRequest(): void return; } + // Clear the production session cookie - avoid sending conflicting cookies to CloudFront. + $this->maybeClearProductionCookies(); + $remaining_time = $this->remainingTimeFromCookie(); if ($remaining_time && $remaining_time > $this::CLOUDFRONT_REFRESH) { @@ -325,16 +328,17 @@ public function handlePageRequest(): void * * Delete the cookies from the user's browser. * + * @param string $domain The domain to revoke the cookies from. * @return void */ - public function revoke(): void + public function revoke(string $domain): void { // Properties for the cookies. $cloudfront_cookie_params = [ 'path=/', 'HttpOnly', - 'Domain=' . $this->cloudfront_cookie_domain, + 'Domain=' . $domain, 'SameSite=Strict', 'Expires=' . gmdate('D, d M Y H:i:s T', 0), ...($this->https ? ['Secure'] : []), @@ -346,6 +350,38 @@ public function revoke(): void header(sprintf('Set-Cookie: %s=; %s', $name, $cloudfront_cookie_params_string), false); } } + + /** + * Clear the production session cookies. + * + * If we are on a non-production environment e.g. dev or staging, + * delete production CloudFront session cookie. + * + * This is necessary, otherwise CDN requests will include the production + * session cookie. Resulting in 401 errors from the CloudFront. + * + * @return void + */ + + public function maybeClearProductionCookies(): void + { + // Do nothing if we are on production. + if ($_ENV['WP_ENV'] === 'production') { + return; + } + + // Does the home host start with dev, demo or staging? + preg_match('/^(dev|demo|staging)\.(.*)/', parse_url($_ENV['WP_HOME'], PHP_URL_HOST), $matches); + + // If there is no match, return early. + if (!$matches) { + return; + } + + // Delete production cookies - $matches[2] will be the production domain. + // e.g. if WP_HOME is dev.intranet.justice.gov.uk, it will be intranet.justice.gov.uk + $this->revoke($matches[2]); + } } new AmazonS3AndCloudFrontSigning(); From 65a0ff0b654674080f21522b4b183ab999a9d2fd Mon Sep 17 00:00:00 2001 From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com> Date: Mon, 11 Nov 2024 14:19:40 +0000 Subject: [PATCH 2/2] Update amazon-s3-and-cloudfront-signing.php --- .../clarity/inc/amazon-s3-and-cloudfront-signing.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php b/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php index 7b6582e3e..0537f8891 100644 --- a/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php +++ b/public/app/themes/clarity/inc/amazon-s3-and-cloudfront-signing.php @@ -328,12 +328,15 @@ public function handlePageRequest(): void * * Delete the cookies from the user's browser. * - * @param string $domain The domain to revoke the cookies from. + * @param ?string $domain Optional domain to revoke the cookies. * @return void */ - public function revoke(string $domain): void + public function revoke(?string $domain): void { + // If $domain is not passed in, default to the CloudFront cookie domain. + $domain = $domain ?? $this->cloudfront_cookie_domain; + // Properties for the cookies. $cloudfront_cookie_params = [ 'path=/',