From 8caef371bb34ffd9e403dcde4ed532025f43e780 Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Wed, 13 May 2020 13:23:21 +0200
Subject: [PATCH] Allow to configure guest_token cookie options

The guest_token cookie is currently always only allowed for the current domain (including subdomain). If you want to use the cookie on a static frontend communicating with your Solidus API you want to share the cookie with all subdomains (ie. www.example.com and api.example.com) in order for the cart session to still work. With this configuration you can do that.
---
 core/lib/spree/app_configuration.rb | 4 ++++
 .../lib/spree/core/controller_helpers/auth.rb | 4 ++--
 .../core/controller_helpers/auth_spec.rb | 19 +++++++++++++++++++
 3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/core/lib/spree/app_configuration.rb b/core/lib/spree/app_configuration.rb
index a97ac827877..9ece933a21a 100644
--- a/core/lib/spree/app_configuration.rb
+++ b/core/lib/spree/app_configuration.rb
@@ -56,6 +56,10 @@ class AppConfiguration < Preferences::Configuration
 # @return [Boolean] When false, customers must create an account to complete an order (default: +true+)
 preference :allow_guest_checkout, :boolean, default: true
 
+# @!attribute [rw] guest_token_cookie_options
+# @return [Hash] Add additional guest_token cookie options here (ie. domain or path)
+preference :guest_token_cookie_options, :hash, default: {}
+
 # @!attribute [rw] allow_return_item_amount_editing
 # @return [Boolean] Determines whether an admin is allowed to change a return item's pre-calculated amount (default: +false+)
 preference :allow_return_item_amount_editing, :boolean, default: false
diff --git a/core/lib/spree/core/controller_helpers/auth.rb b/core/lib/spree/core/controller_helpers/auth.rb
index 2bcb6115e15..7c5eecce678 100644
--- a/core/lib/spree/core/controller_helpers/auth.rb
+++ b/core/lib/spree/core/controller_helpers/auth.rb
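Review bot: The YARD comment on the new `guest_token_cookie_options` preference does not tell an operator which keys are honoured: `set_guest_token` merges `value` and `httponly` on top of this hash, so those two can never be changed here, while `domain`, `path`, `secure` and similar attributes pass straight through to the cookie jar. It also leaves unsaid that widening `domain` (the use case in the commit message) makes the guest token readable by every host under that domain, which is the trade-off a reader of this option most needs. Suggest replacing the `@return` line with `# @return [Hash] Extra attributes merged into the guest_token cookie (e.g. +domain+, +path+, +secure+). +value+ and +httponly+ are always set by the controller and cannot be overridden; a wider +domain+ shares the token with every subdomain.` — and "ie." should read "e.g.", since domain and path are examples. Whether the preference DSL returns the same `{}` instance to every caller is not visible here; the controller's `merge` does not mutate it, but a frozen default would rule the question out for other callers.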
@@ -42,10 +42,10 @@ def redirect_back_or_default(default)
 
 def set_guest_token
 unless cookies.signed[:guest_token].present?
-cookies.permanent.signed[:guest_token] = {
+cookies.permanent.signed[:guest_token] = Spree::Config[:guest_token_cookie_options].merge(
 value: SecureRandom.urlsafe_base64(nil, false),
 httponly: true
-}
+)
 end
 end
 
diff --git a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
index 6d0c66d1abe..c4c1a6c785c 100644
--- a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
+++ b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
@@ -45,6 +45,25 @@ def controller.index
 expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
 expect(response.cookies['guest_token']).not_to be_nil
 end
+
+context 'with guest_token_cookie_options configured' do
+it 'sends cookie with these options' do
+stub_spree_preferences(guest_token_cookie_options: {
+domain: :all,
+path: '/api'
+})
+get :index
+expect(response.headers["Set-Cookie"]).to match(/domain=\.test\.host; path=\/api/)
+end
+
+it 'never overwrites httponly' do
+stub_spree_preferences(guest_token_cookie_options: {
+httponly: false
+})
+get :index
+expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
+end
+end
 end
 
 describe '#store_location' do
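Review bot: `set_guest_token` now forwards operator-supplied cookie attributes, but nothing sets `secure`, so a configuration like the spec's `domain: :all` shares the guest token with every subdomain while the cookie is still sent over plain HTTP unless the operator remembers to add `secure: true` themselves. The merge order is right (`value` and `httponly` come last and win); consider giving `secure` a default underneath the configured options in the same way, e.g. `{ secure: request.ssl? }.merge(Spree::Config[:guest_token_cookie_options]).merge(value: SecureRandom.urlsafe_base64(nil, false), httponly: true)`, or at least a comment on the assignment: `# Configured options go first so value/httponly always win; domain/path/secure are the operator's call.` Whether the `:hash` preference can come back with string keys, which `merge` would not override and which would then sit next to the symbol ones, depends on how the preference store serialises it and is worth confirming with a string-keyed example.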
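Review bot: The new `'never overwrites httponly'` example covers only `httponly`, although the `merge` in `set_guest_token` protects `value` in exactly the same way; a configured `value:` key being ignored is the other half of that contract and deserves an example that stubs `guest_token_cookie_options: { value: 'fixed' }` and asserts `response.cookies['guest_token']` is not `'fixed'`. The first example's `/domain=\.test\.host; path=\/api/` also pins the attribute order and separator of the Set-Cookie header, which is a serialisation detail of the framework rather than of this code; matching `/domain=\.test\.host/` and `%r{path=/api}` separately would test the same thing with less brittleness. The enclosing `describe` block starts before this hunk.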