I am currently developing a React app. I am currently integrating some APIs, that are already live. However, I run into the issue that cookies are not send by the browser.
- I have an endpoint at
https://my-domain.com/api/auth/loginandhttps://my-domain.com/api/auth/login/renew - I start my react app
npm run startand access it onlocalhost:3000 - I can successfully login via the first endpoint which returns 200 and sets a http-only, secure cookie.
set-cookie: refresh=a.b.c; Path=/api/auth; Domain=my-domain.com; Max-Age=2592000; HttpOnly; Secure
- But when requesting the second endpoint, the cookies are not sent. The pre-flight OPTIONS request works fine and I get a 200 back. But the GET request returns a 401 as the cookie is not set.
I have tested this with fetch and axios and set credentials: include (fetch) and withCredential: true (axios).
// fetch
fetch(`${process.env.REACT_APP_BACKEND_BASE_URL}/api/auth/login/renew`, {
method: 'GET',
credentials: 'include',
headers: {
'Content-Type': 'application/json',
},
})
// axios
const customAxios = applyCaseMiddleware(axios.create({
baseURL: process.env.REACT_APP_BACKEND_BASE_URL,
headers: {
'Content-Type': 'application/json',
},
withCredentials: true,
}));
customAxios.get('/api/auth/login/renew')
I tested on:
- Chromium: Version 99.0.4844.51 (Official Build) Arch Linux (64-bit)
- Firefox Developer Edition: 99.0b3 (64-bit) for Arch Linux
Edit: Can be solved by setting same-site attribute of the cookie to none. However, I would prefer a solution where the server can keep its configuration. How are you doing this, are you locally proxying when developing locally?
