From 93c3cd473d35f371b49816e2e5d38d8f6abff8f5 Mon Sep 17 00:00:00 2001
From: Robert Raposa
Date: Wed, 28 Aug 2024 20:31:57 -0400
Subject: [PATCH] docs: add comment for USE-JWT-COOKIE header
Although we may no longer need the USE-JWT-COOKIE header, it could break ecommerce if this were removed at this time. So, we are leaving a comment so we'll see this in any searches, and avoid updating for now. Once all backends, including ecommerce, have edx-drf-extensions>=10.2.0, this could be removed. See "[DEPR]: USE-JWT-COOKIE header" for more details: - https://github.com/openedx/edx-drf-extensions/issues/371
---
 .../edx/app/nginx/sites-available/concerns/cors-add-header.j2 | 4 ++++
 .../edx/app/nginx/sites-available/concerns/cors-add-header.j2 | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2 b/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
index 8c693f4f9ca..fd3f99f5027 100644
--- a/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
+++ b/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
@@ -1,6 +1,10 @@
 if ($request_method = 'OPTIONS') {
 add_header 'Access-Control-Allow-Origin' $cors_origin;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ {# Leaving USE-JWT-COOKIE header in place, even though this could possibly be
+ cleaned up. We don't want to chance breaking ecommerce. Most backends
+ are using edx-drf-extensions>=10.2.0, and no longer use this header.
+ #}
 add_header 'Access-Control-Allow-Headers' 'Authorization, USE-JWT-COOKIE';
 {% if edx_django_service_allow_cors_credentials %}
 add_header 'Access-Control-Allow-Credentials' true;
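Review bot: The comment added above the `Access-Control-Allow-Headers` line omits the removal condition and the tracking issue that the commit message spells out, so a reader of the template alone cannot tell when `USE-JWT-COOKIE` may be dropped from the preflight allow-list. I would extend the `{# ... #}` block with `Remove once all backends, including ecommerce, run edx-drf-extensions>=10.2.0; see https://github.com/openedx/edx-drf-extensions/issues/371`. Because this is a Jinja comment it is not rendered into the deployed nginx config, so operators auditing the CORS headers on a host will not see the rationale there. The identical comment in the `edx_django_service_with_rendered_config` template needs the same addition, and the `if ($request_method = 'OPTIONS')` block continues past the end of the hunk.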
diff --git a/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2 b/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
index fa96d4d179f..d98ff77815b 100644
--- a/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
+++ b/playbooks/roles/edx_django_service_with_rendered_config/templates/edx/app/nginx/sites-available/concerns/cors-add-header.j2
@@ -1,6 +1,10 @@
 if ($request_method = 'OPTIONS') {
 add_header 'Access-Control-Allow-Origin' $cors_origin;
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ {# Leaving USE-JWT-COOKIE header in place, even though this could possibly be
+ cleaned up. We don't want to chance breaking ecommerce. Most backends
+ are using edx-drf-extensions>=10.2.0, and no longer use this header.
+ #}
 add_header 'Access-Control-Allow-Headers' 'Authorization, USE-JWT-COOKIE';
 {% if edx_django_service_with_rendered_config_allow_cors_credentials %}
 add_header 'Access-Control-Allow-Credentials' true;