I am attempting to set CORS headers on my API server (myserver.com) to allow cross-origin, authenticated requests with cookies from my embedded mobile app or other site (localhost:8080).

Here is the initial request, which appears to be working properly and sets the right cookie.

Summary
URL: https://myserver.com/api/tokens
Status: 200
Source: Network
Address: 1.1.1.1:443

Request
:method: POST
:scheme: https
:authority: myserver.com
:path: /api/tokens
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://localhost:8080
Content-Length: 51
Accept-Language: en-US,en;q=0.9
Host: myserver.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response
:status: 200
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Credentials: true
Set-Cookie: token=removedforsecuritypurposes; path=/; expires=Tue, 02 Aug 2022 03:57:50 GMT; samesite=none; secure; httponly
Vary: Origin
Date: Sun, 03 Jul 2022 03:57:50 GMT
Content-Length: 616
Access-Control-Allow-Origin: http://localhost:8080
Server: nginx/1.14.1

I'm using axios on the frontend, using the withCredentials: true option to send subsequent requests, but the browser doesn't include the cookie. What am I missing?

Summary
URL: https://myserver.com/api/user
Status: 401
Source: Network
Address: 1.1.1.1:443

Request
:method: GET
:scheme: https
:authority: myserver.com
:path: /api/user
Accept: application/json, text/plain, */*
Origin: http://localhost:8080
Accept-Encoding: gzip, deflate, br
Host: myserver.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15
Accept-Language: en-US,en;q=0.9
Referer: http://localhost:8080/
Connection: keep-alive

Response
:status: 401
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Credentials: true
Vary: Origin
Date: Sun, 03 Jul 2022 03:57:50 GMT
Content-Length: 134
Access-Control-Allow-Origin: http://localhost:8080
Server: nginx/1.14.1

I've referenced this post Set cookies for cross origin requests and still can't seem to get it working.

1 Answer

You have two options:

  1. Allow localhost as origin in your CORS settings on your server.
  2. Use a Capacitor plugin (e.g. @capacitor-community/http) to send HTTP requests natively (CORS is ignored here).
RGe

  • Could you explain option 1 in more depth? I’ve tried adding the ‘Access-Control-Allow-Origin’ header, which allows the request to go through, but my server sends back ‘HTTP 401’ because the cookies are not included. – TecumTechCEO Jul 02 '22 at 19:55
  • I don't know what framework you are using server side, for Nest for example you would do it this way: https://docs.nestjs.com/security/cors – RGe Jul 03 '22 at 06:26
  • Cookies are a different problem, but for CORS you only have these two options. – RGe Jul 03 '22 at 06:26
  • I recommend the Capacitor plugin, it also gives you small performance benefits on native platforms. – RGe Jul 03 '22 at 06:27
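Added example, not code from the question or from the answer above. It checks the server-controlled conditions that a credentialed cross-origin exchange has to meet (exact Origin echo rather than a wildcard, Allow-Credentials set to true, Vary: Origin, and a SameSite=None; Secure cookie) against the POST /api/tokens headers quoted in the question, and it shows the allowlist-based server response that the answer's option 1 ("allow localhost as origin in your CORS settings") amounts to. All function and constant names are assumptions made for this example.

```javascript
// Added example (not the question's or the answer's code). Names below are
// assumptions; the header text is copied from the question's capture.

// Parse a "Name: value" header block (the capture format used in the
// question) into a lower-cased lookup. Repeated headers such as several
// Set-Cookie lines accumulate in a list; HTTP/2 pseudo-headers are kept.
function parseHeaderBlock(text) {
  const headers = {};
  for (const line of text.trim().split("\n")) {
    const idx = line.indexOf(": ");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 2).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Parse one Set-Cookie value into its name and a lower-cased attribute map
// (flag attributes such as Secure become `true`).
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const attr of attrs) {
    const [key, val = true] = attr.split("=");
    cookie.attrs[key.toLowerCase()] = typeof val === "string" ? val.toLowerCase() : val;
  }
  return cookie;
}

// Report every server-side rule that a credentialed cross-origin exchange
// violates. An empty list means the server's headers are not the reason a
// browser would withhold the cookie.
function checkCredentialedCors(requestText, responseText) {
  const req = parseHeaderBlock(requestText);
  const res = parseHeaderBlock(responseText);
  const origin = (req["origin"] || [])[0];
  const acao = (res["access-control-allow-origin"] || [])[0];
  const acac = (res["access-control-allow-credentials"] || [])[0];
  const problems = [];

  if (!origin) problems.push("request has no Origin header");
  // With credentials the browser rejects "*"; the exact origin must be echoed.
  if (acao === "*") {
    problems.push("Access-Control-Allow-Origin must not be * when credentials are used");
  } else if (acao !== origin) {
    problems.push(`Access-Control-Allow-Origin (${acao}) does not match Origin (${origin})`);
  }
  if (acac !== "true") problems.push("Access-Control-Allow-Credentials must be exactly 'true'");
  // A per-origin ACAO value needs Vary: Origin so a shared cache never
  // replays one origin's response to another.
  const vary = (res["vary"] || []).join(",").toLowerCase().split(",").map((s) => s.trim());
  if (!vary.includes("origin")) problems.push("missing Vary: Origin");

  for (const raw of res["set-cookie"] || []) {
    const c = parseSetCookie(raw);
    // Cross-site delivery needs SameSite=None, and SameSite=None needs Secure.
    if (c.attrs["samesite"] !== "none") problems.push(`cookie ${c.name}: SameSite must be None for cross-site use`);
    if (c.attrs["secure"] !== true) problems.push(`cookie ${c.name}: SameSite=None requires Secure`);
  }
  return problems;
}

// Server-side counterpart of the same rules (assumed, framework-agnostic):
// build the CORS response headers from an explicit origin allowlist. Returns
// null for an origin that is not listed, so the caller sends no CORS headers
// at all instead of reflecting whatever Origin the request carried.
function corsHeadersFor(origin, allowlist) {
  if (!allowlist.includes(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Header capture copied from the question's POST /api/tokens exchange.
const TOKEN_REQUEST = `
:method: POST
:scheme: https
:authority: myserver.com
:path: /api/tokens
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://localhost:8080
Host: myserver.com
`;
const TOKEN_RESPONSE = `
:status: 200
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Credentials: true
Set-Cookie: token=removedforsecuritypurposes; path=/; expires=Tue, 02 Aug 2022 03:57:50 GMT; samesite=none; secure; httponly
Vary: Origin
Access-Control-Allow-Origin: http://localhost:8080
`;

console.log(checkCredentialedCors(TOKEN_REQUEST, TOKEN_RESPONSE)); // [] for the captured headers
console.log(corsHeadersFor("http://localhost:8080", ["http://localhost:8080"]));
```

Run against the captured headers the checker returns an empty list, which is the point RGe makes in the comments: the CORS side of this exchange is already correct, so whatever is withholding the cookie on the follow-up GET /api/user request lies outside what these headers control. The checker only covers the server's obligations; a browser's own third-party-cookie policy can still decline to send a cross-site cookie even when every header is right, and the native-HTTP route in option 2 bypasses the browser's cookie handling entirely. The allowlist in corsHeadersFor is what makes option 1 safe with credentials: echoing an arbitrary request Origin together with Allow-Credentials: true would let any site make authenticated calls to the API on a logged-in user's behalf.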