
I can't seem to set cookies with the secure flag. It worked on all my other projects but not with this one. I checked many other guides but nothing seems to be working for this specific setup.

Note that I am using both graphql and rest endpoints, and setting cookies does not work on either of them.

  • Domain is hosted over https
  • Frontend is on something.example.com
  • API is on something.example.com/graphql and /auth

Server index.tsx

  const app = express();
  if (process.env.NODE_ENV === 'production') {
    app.set('trust proxy', 1);
  }

  app.use(
    session({
      name: 'uId',
      store: new RedisStore({ client: redisClient, disableTouch: true }),
      saveUninitialized: false,
      secret: process.env.SESSION_SECRET as string,
      resave: false,
      // with proxy: true, express-session decides "is this HTTPS?" from the
      // X-Forwarded-Proto header rather than from the socket
      proxy: process.env.NODE_ENV === 'production',

      cookie: {
        maxAge: 1000 * 60 * 60 * 24 * 90, // 3 months
        secure: process.env.NODE_ENV === 'production',
        httpOnly: process.env.NODE_ENV === 'production',
        sameSite: 'lax', // same with "none"
      },
    }),
  );

  const server = new ApolloServer({
    schema,
    introspection: false,
    context: ({ req, res }: { req: Request; res: Response }) => ({
      req,
      res,
    }),
  });

  await server.start();

  app.use(express.json({ limit: '50mb' }));
  app.use(express.urlencoded({ limit: '50mb', extended: true }));

  server.applyMiddleware({
    app,
    cors: {
      credentials: true,
      origin: [
        process.env.ORIGIN as string,
        'http://localhost:4000/', // note: browsers send Origin without a trailing slash
        'https://studio.apollographql.com',
      ],
    },
    bodyParserConfig: false,
  });

  // needed for REST?
  app.use(cors({ origin: process.env.ORIGIN as string, credentials: true }));

  app.use(cookies());
  // REST API
  app.use('/auth', require('./src/auth/aai').router);

Nginx (same for api, rest api but with different port)

        proxy_pass http://localhost:3000; # whatever port your app runs on
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

Apollo setup

export const apolloClient = new ApolloClient({
  uri: process.env.REACT_APP_API_ENDPOINT_GRAPHQL,
  cache: new InMemoryCache(),
  credentials: "include",
});

It works perfectly fine with unsecure cookies on both localhost and the https domain. What am I missing?

SlothOverlord
  • Does this help? https://cheatcode.co/tutorials/how-to-implement-secure-httponly-cookies-in-node-js-with-express – Jplus2 Aug 28 '22 at 01:24
  • Also cookieSession seemed to have httpOnly option https://expressjs.com/en/resources/middleware/cookie-session.html – Jplus2 Aug 28 '22 at 01:24
  • This might also help, this using express-session https://stackoverflow.com/questions/33872956/how-to-set-httponly-flag-in-node-js-express-js-application – Jplus2 Aug 28 '22 at 01:29
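Why a `secure: true` cookie can vanish behind a reverse proxy, as an added example (my own rendering of express-session's documented `issecure` rule, not the question's code or the library's): with `proxy: true` the middleware decides from the `X-Forwarded-Proto` header, which the nginx block above never sets. Assumed: request objects shaped like Node's, and `proxy_set_header X-Forwarded-Proto $scheme;` in nginx as the way to supply that header.

```javascript
// Added example, not code from the question or from express-session: a
// standalone rendering of the rule express-session applies before sending a
// cookie marked `secure: true`. With `proxy: true` the TLS socket is ignored
// and the X-Forwarded-Proto header supplied by the reverse proxy decides.
// Requests are plain objects so this runs without Express or nginx.

// Our rendering of express-session's documented issecure(req, trustProxy) rule.
function isSecureRequest(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true; // direct TLS
  if (trustProxy === false) return false;               // only the socket counts
  if (trustProxy !== true) return req.secure === true;  // defer to Express
  // proxy: true -> first value of X-Forwarded-Proto must be "https"
  const header = req.headers['x-forwarded-proto'] || '';
  return /^https$/i.test(header.split(',')[0].trim());
}

// Set-Cookie value the middleware would emit, or null when the cookie is
// silently dropped (the symptom in the question: no cookie, no error).
function sessionSetCookie(req, options, sessionId) {
  if (options.cookie.secure && !isSecureRequest(req, options.proxy)) {
    return null;
  }
  const parts = [`${options.name}=${encodeURIComponent(sessionId)}`, 'Path=/'];
  if (options.cookie.httpOnly) parts.push('HttpOnly');
  if (options.cookie.secure) parts.push('Secure');
  if (options.cookie.sameSite) parts.push(`SameSite=${options.cookie.sameSite}`);
  return parts.join('; ');
}

// The question's production settings (NODE_ENV=production).
const prodOptions = {
  name: 'uId',
  proxy: true,
  cookie: { secure: true, httpOnly: true, sameSite: 'Lax' },
};

// Constructed requests as the Node process on :3000 sees them. The nginx
// block in the question forwards Host and Upgrade but no X-Forwarded-Proto,
// so the first shape is what the app receives today; the second is what it
// receives once `proxy_set_header X-Forwarded-Proto $scheme;` is added.
const plainSocket = { encrypted: false };
const asProxiedToday = { connection: plainSocket, headers: { host: 'something.example.com' } };
const asProxiedWithProto = {
  connection: plainSocket,
  headers: { host: 'something.example.com', 'x-forwarded-proto': 'https' },
};

console.log('today:     ', sessionSetCookie(asProxiedToday, prodOptions, 's1'));
console.log('with proto:', sessionSetCookie(asProxiedWithProto, prodOptions, 's1'));
```

Once the header reaches the app, `app.set('trust proxy', 1)` also makes `req.secure` true for the same request, so the Express and express-session views agree.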

0 Answers