1

I have an issue with cookie-session when using Firebase Functions in production. I have a React app in Firebase Hosting, and an Express app in Functions (that I'm using as my API), and I've created a template repo that demonstrates this setup for all to see (https://github.com/cjmyles/firebase-react-express).

I'm making fetch calls from the React app to /api/* (notice the lack of a fully qualified URL), and the request is proxied to the API in development mode using the proxy config value in package.json, and proxied to the API in production using the rewrites config value in firebase.json.

This works fine until I start to use sessions. I have some code that mimics a login request using PassportJS where the user information is stored in the session, and this works in development mode, but not in production. I have a feeling it's something to do with the cookies. I'm using cookie-session in my Express app and I've made sure that the secure flag is set to true in production (as it's served over HTTPS), but I think the cookie isn't being passed to the API properly when the request is proxied via the Firebase rewrites.

Do I need to add something to firebase.json to enable cookie-session in production?

Craig Myles
  • Did you manage to resolve your issue? I have the same problem now. – Rafael Maiolla Mar 02 '20 at 22:50
  • Yes, I used the "__session" cookie which can be set using `res.cookie` and retrieved using `req.cookies` in your Express middleware, after the npm module `cookie-parser` has been initialized. I've accepted Rafael's answer below which covers the solution in more detail. I can provide a full answer if required. – Craig Myles Mar 28 '20 at 15:46

2 Answers

2

When requests are proxied using the rewrite rules for Firebase Hosting, the only cookie permitted is `__session`.

This is documented in https://firebase.google.com/docs/hosting/manage-cache#using_cookies.

Rafael Maiolla
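An added example (not code from the question, the answers or the linked repo) of what the `__session` restriction means for a signed session: cookie-session by default keeps its signature in a second cookie named `<name>.sig`, which would not survive the rewrite, so the data and its MAC are packed into the single `__session` value here. The function names, the `SECRET` placeholder and the simplified model of the rewrite are assumptions made for illustration.

```javascript
// Added example: carry a signed session in the single "__session" cookie.
const crypto = require('crypto');

const COOKIE_NAME = '__session';             // the one cookie name the answer says is permitted
const SECRET = 'replace-with-a-real-secret'; // placeholder; load from config in practice

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Serialise session data and its MAC into ONE cookie value: "<payload>.<mac>".
function packSession(data) {
  const payload = Buffer.from(JSON.stringify(data)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Return the session object, or null if the cookie is missing, malformed or tampered with.
function unpackSession(value) {
  if (typeof value !== 'string') return null;
  const dot = value.lastIndexOf('.');
  if (dot <= 0) return null;
  const payload = value.slice(0, dot);
  const mac = Buffer.from(value.slice(dot + 1));
  const expected = Buffer.from(sign(payload));
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed model of the rewrite behaviour described in the answer:
// every cookie except "__session" is dropped before the request reaches the function.
function cookiesAfterRewrite(cookieHeader) {
  const kept = {};
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name === COOKIE_NAME) kept[name] = part.slice(eq + 1).trim();
  }
  return kept;
}

// Constructed request: a two-cookie session (value + separate signature) next to a packed one.
const header = `session=abc; session.sig=def; ${COOKIE_NAME}=${packSession({ user: 'u1' })}`;
const arrived = cookiesAfterRewrite(header);
console.log(Object.keys(arrived), unpackSession(arrived[COOKIE_NAME]));
```

In an Express handler the packed value would be set with `res.cookie('__session', packSession(data), { httpOnly: true, secure: true, sameSite: 'lax' })` and read back from `req.cookies.__session` once `cookie-parser` is installed, as described in the comment above.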
-1

You will definitely get your query resolved here.

Abhinav
  • Any idea how I'd get that to work with passport js? The documentation looks like it requires an `idToken` obtained from executing the `signInWithEmailAndPassword` function which I won't be doing, as I have passport js set up with Facebook. – Craig Myles Nov 06 '18 at 00:48