
I have a React app deployed on Netlify with a custom https domain, and a Node/Express app deployed on Heroku (free plan, no custom domain).

All unprotected routes work. However, I can't access protected routes, because the auth cookie is never sent by the front-end. How so? Because the cookie is not properly sent by the server!

Here is how the cookie is sent:

 // msPerDay is not shown in the question; the value below is assumed so the snippet is complete
 const msPerDay = 24 * 60 * 60 * 1000;

 return res
      .status(200)
      .cookie("myApp", token, {
        expires: new Date(Date.now() + msPerDay * 14),
        httpOnly: true, // not readable from document.cookie
        secure: true,   // only sent over https
        // no sameSite option is set here
      })
      .json({ user });

The index.js is:

// CLIENT holds the exact front-end origin (scheme + host); credentials: true is needed for cookies
app.use(cors({ credentials: true, origin: [process.env.CLIENT as string] }));
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(compression());
app.use(cookieParser());

In Chrome's Application tab I can see that no cookie is set. However, it's properly filled in on localhost!

How do I fix this? If you need more code I'd be happy to provide it, but I don't know if the issue comes from the code itself or from a network issue between Heroku and my Netlify domain... The client is of course whitelisted by CORS.


1 Answer


I had the same issue; I solved it by adding the `exposedHeaders: ["set-cookie"]` option to cors.

  • Isn't "lax" the default value for cookies? https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie/SameSite – DoneDeal0 May 19 '21 at 09:44
  • Oops! Sorry, I had the same issue, I solved it by adding the `exposedHeaders: ["set-cookie"]` option to cors – Muhammad Semeer A May 19 '21 at 09:53
  • Ok, the cookie now appears in the response (check network tab -> cookie), but is never stored in the application -> cookies. So I keep getting forbidden access to my private routes. – DoneDeal0 May 19 '21 at 14:51
  • Did you check the private routes? – Muhammad Semeer A May 19 '21 at 15:19
  • The issue doesn't come from the private routes. There is an authentication middleware that checks the cookie before granting access to these routes. The issue is that this middleware never receives the cookie. I can see that the cookie is properly sent, but it is never stored in the browser cookies (I've allowed them). So no API call I make ever attaches the cookie. – DoneDeal0 May 19 '21 at 15:26
  • Ok, when adding `sameSite: "none"` it works. I think it failed because the server url is heroku.com and thus not the same domain as my client. – DoneDeal0 May 19 '21 at 15:51