fix: set unleash-session-id into cookie #2347

Merged
stalniy merged 1 commit into main from fix/unleash-sessionid
Dec 12, 2025

Conversation

@stalniy stalniy commented Dec 12, 2025

Why

It's important to have the same session id on FE, SSR, and API to have stable feature flag selection in case of gradual FF rollout or when specifying a strategy with filters by sessionId.

Summary by CodeRabbit

  • New Features

    • Session tracking now uses a client-readable session cookie and exposes a session identifier to the app for more consistent session behavior.
  • Chores

    • Migrated session persistence away from local browser storage to cookies.
    • Added a migration that removes the legacy session key from local storage.

@stalniy stalniy requested a review from a team as a code owner December 12, 2025 02:13

coderabbitai bot commented Dec 12, 2025

Walkthrough

Adds client-visible session ID handling: middleware ensures an unleash-session-id cookie, FlagProvider exposes that sessionId in Unleash context, and a localStorage migration removes a legacy session key.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Session ID Cookie Generation: apps/deploy-web/src/middleware.ts | If unleash-session-id cookie is missing, generate a UUID and set a non-HttpOnly, client-readable cookie (SameSite=Lax, Secure in production) with 1-year max age; return the augmented response. |
| Session ID Context Integration: apps/deploy-web/src/context/FlagProvider/FlagProvider.tsx | Add sessionId to the Unleash flag context by reading the unleash-session-id cookie via a new module helper getSessionId(). |
| Legacy Data Cleanup: apps/deploy-web/src/utils/localStorage.ts | Add migration 3.11.1 that removes the legacy unleash:repository:sessionId key from localStorage. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify cookie attributes (client-readability, SameSite, Secure behavior in prod).
  • Confirm FlagProvider's cookie-reading helper handles server/client contexts safely.
  • Ensure localStorage migration version ordering and execution path are correct.

Suggested reviewers

  • baktun14

Poem

🐰 A tiny ID tucked in a treat,
Cookie warm and ready to greet,
Middleware plants the little seed,
FlagProvider reads it when flags need,
Old keys cleared — hop, clean, repeat! 🍪✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: setting the unleash-session-id into a cookie. It is concise, clear, and directly reflects the primary objective of the pull request. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7ee9add and 95f14aa.

📒 Files selected for processing (3)
  • apps/deploy-web/src/context/FlagProvider/FlagProvider.tsx (2 hunks)
  • apps/deploy-web/src/middleware.ts (1 hunks)
  • apps/deploy-web/src/utils/localStorage.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/deploy-web/src/context/FlagProvider/FlagProvider.tsx
  • apps/deploy-web/src/utils/localStorage.ts
  • apps/deploy-web/src/middleware.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: validate / validate-app
  • GitHub Check: test-build
  • GitHub Check: Analyze (javascript-typescript)

codecov bot commented Dec 12, 2025

Codecov Report

❌ Patch coverage is 21.42857% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.88%. Comparing base (46d0b23) to head (95f14aa).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| apps/deploy-web/src/middleware.ts | 0.00% | 6 Missing and 2 partials ⚠️ |
| apps/deploy-web/src/utils/localStorage.ts | 0.00% | 3 Missing ⚠️ |

❌ Your patch status has failed because the patch coverage (21.42%) is below the target coverage (50.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2347      +/-   ##
==========================================
- Coverage   51.19%   50.88%   -0.32%     
==========================================
  Files        1059     1049      -10     
  Lines       28854    28518     -336     
  Branches     6302     6293       -9     
==========================================
- Hits        14771    14510     -261     
+ Misses      13690    13612      -78     
- Partials      393      396       +3     
| Flag | Coverage Δ | *Carryforward flag |
| --- | --- | --- |
| api | 80.78% <ø> (ø) | Carriedforward from 46d0b23 |
| deploy-web | 31.03% <21.42%> (-0.02%) ⬇️ | |
| log-collector | ? | |
| notifications | 87.94% <ø> (ø) | Carriedforward from 46d0b23 |
| provider-console | 81.48% <ø> (ø) | Carriedforward from 46d0b23 |
| provider-proxy | 84.35% <ø> (ø) | Carriedforward from 46d0b23 |

*This pull request uses carry forward flags.

| Files with missing lines | Coverage Δ |
| --- | --- |
| ...ploy-web/src/context/FlagProvider/FlagProvider.tsx | 42.42% <100.00%> (+5.75%) ⬆️ |
| apps/deploy-web/src/utils/localStorage.ts | 15.38% <0.00%> (-1.29%) ⬇️ |
| apps/deploy-web/src/middleware.ts | 0.00% <0.00%> (ø) |

... and 11 files with indirect coverage changes

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c8cb0a4 and 7ee9add.

📒 Files selected for processing (3)
  • apps/deploy-web/src/context/FlagProvider/FlagProvider.tsx (2 hunks)
  • apps/deploy-web/src/middleware.ts (1 hunks)
  • apps/deploy-web/src/utils/localStorage.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/general.mdc)

**/*.{ts,tsx,js}: Never use type any or cast to type any. Always define the proper TypeScript types.
Never use deprecated methods from libraries.
Don't add unnecessary comments to the code.

Files:

  • apps/deploy-web/src/context/FlagProvider/FlagProvider.tsx
  • apps/deploy-web/src/middleware.ts
  • apps/deploy-web/src/utils/localStorage.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: validate / validate-app
  • GitHub Check: test-build
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (3)
apps/deploy-web/src/context/FlagProvider/FlagProvider.tsx (1)

25-28: LGTM! Session ID properly integrated into flag context.

The addition of sessionId to the Unleash context aligns with the PR objective of providing stable session identification across FE, SSR, and API for consistent feature flag evaluation.

apps/deploy-web/src/middleware.ts (1)

23-39: LGTM! Session cookie generation is well-implemented.

The session ID generation and cookie configuration are appropriate for the use case:

  • crypto.randomUUID() provides sufficient randomness for feature flag session tracking
  • Cookie attributes (SameSite, Secure, MaxAge) are properly configured
  • httpOnly: false is correctly documented as necessary for client-side access

The security trade-off of making the cookie JavaScript-accessible is acceptable since the session ID is used only for feature flag evaluation, not authentication or authorization.

apps/deploy-web/src/utils/localStorage.ts (1)

9-11: LGTM! Migration properly cleans up legacy session storage.

The new migration correctly removes the old localStorage-based session ID (unleash:repository:sessionId), which is now replaced by the cookie-based implementation. The migration follows the established pattern and will execute automatically for users upgrading from older versions.
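
The cookie handling discussed in this review, sketched as an added example (not code from the PR or the project): one reader shared by FE, SSR and API so all three resolve the same id, plus the middleware-side decision to issue the cookie. The cookie name and attributes come from the discussion above; the function names, `Path=/`, and the UUID format check on a client-writable value are assumptions of this sketch.

```javascript
// Added example. The cookie name and attributes come from the PR discussion;
// function names, Path=/ and the UUID check are assumptions of this sketch.
const SESSION_COOKIE = "unleash-session-id";
const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Shared reader for a Cookie header (SSR/API) or document.cookie (browser).
// The cookie is client-writable, so anything that is not a UUID is ignored.
function readSessionId(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== SESSION_COOKIE) continue;
    const value = part.slice(eq + 1).trim();
    return UUID_RE.test(value) ? value : undefined;
  }
  return undefined;
}

// Middleware-side decision: keep a valid id, otherwise mint one and return
// the Set-Cookie header value to attach to the response.
function ensureSessionCookie(cookieString, options = {}) {
  const { production = false, newId = () => globalThis.crypto.randomUUID() } = options;
  const existing = readSessionId(cookieString);
  if (existing) return { sessionId: existing, setCookie: null };

  const sessionId = newId();
  const attrs = [
    `${SESSION_COOKIE}=${sessionId}`,
    "Path=/",
    `Max-Age=${ONE_YEAR_SECONDS}`,
    "SameSite=Lax"
  ];
  if (production) attrs.push("Secure");
  // HttpOnly is deliberately absent so client code can read the id.
  return { sessionId, setCookie: attrs.join("; ") };
}
```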

@stalniy stalniy force-pushed the fix/unleash-sessionid branch from 7ee9add to 95f14aa Compare December 12, 2025 14:09
@stalniy stalniy merged commit 1a7ed18 into main Dec 12, 2025
64 of 65 checks passed
@stalniy stalniy deleted the fix/unleash-sessionid branch December 12, 2025 14:17