
I have a back-end Express.js server that has a sign-in function. After a user signs in, they get 2 tokens: an access token and a refresh token. What I want to do is to make the server return the refresh token as an httpOnly cookie.

Here is a piece of the code of this function:

// back-end server (port 3001): end of the sign-in handler
const { refreshToken, accessToken } = await jwtService.updateTokens({
  userId: client.id, username: client.username
}, { transaction })
logger.info(`Client ${client.email} has been successfully signed in!`)

await transaction.commit()
// access token goes in the JSON body, refresh token only in the httpOnly cookie
return res
  .status(200)
  .cookie("refreshToken", JSON.stringify(refreshToken), { httpOnly: true, secure: false })
  .json({ accessToken, reopening: reopening ? client.username : null })

Basically, the browser just doesn't set this cookie as httpOnly, and actually doesn't set it at all. So, I was trying to ping this endpoint with Postman, and it works:

[screenshot of the Postman response]

In the response body I have the access token and in the httpOnly cookie I have the refresh token.

So, the problem is, why doesn't the browser save it? I have found a couple of solutions, and all of them were about CORS and axios credentials. I use 2 Express servers: 1 is for the normal back-end and 1 is for the front-end.

Here is what the "path" from front-end to back-end looks like:

Sign-in function (browser-side code) that sends a request to the front-end Express server:

// browser-side (client) code
const api = axios.create({
  baseURL: apiUrl,
  headers: {
    'Content-Type': 'application/json'
  }
})

export const signIn = async payload => {
  try {
    const { data } = await api.post('s-i', payload)
    return data
  } catch (e) {
    return e.response.data
  }
}

Front-end Express server sends a request to the actual back-end:

// front-end Express server (port 8010)
const api = axios.create({
  baseURL: process.env.NODE_ENV === "development" ? process.env.PNB_API_DEV : process.env.PNB_API_PROD,
})

const router = Router()

router.post('/s-i', async (req, res) => {
  try {
    const { data } = await api.post('/sign-in', req.body)
    res.json(data)
  } catch (e) {
    return res.status(e.response.status).json(e.response.data)
  }
});

And then that function that was at the very beginning.

So, the question is: how do I make the browser save those httpOnly cookies? If it's really about credentials or CORS, where should I put those settings?

PS

Back-end port: 3001, front-end port: 8010.

dokichan
  • You cannot (from browser Javascript), set a cookie with `httpOnly`. Only the server can do that. This is because the whole point of the `httpOnly` flag is that browser Javascript cannot access that cookie at all. – jfriend00 Jul 12 '22 at 01:00
  • @jfriend00 I don't need access via JS, I need to make server set `httpOnly` cookie in browser? That's it! – dokichan Jul 12 '22 at 03:55
  • OK, that is not clear from your question. Please make sure each code block is labelled whether it's client or server code. – jfriend00 Jul 12 '22 at 04:13
  • This is a guess. Since it appears you may have two separate servers and thus may be making cross origin requests, you may need `{ withCredentials: true }` in your axios options to make sure and include cookies from the other port server. – jfriend00 Jul 12 '22 at 04:16
  • @jfriend00 I was trying to do this, and I guess this is correct answer, but I don't really understand where exactly I should put this `{withCredentials: true}`. I was trying to put it in almost all places where I have `axios`. And what about `cors`? – dokichan Jul 12 '22 at 04:35
  • As you can see in the axios documentation, you can set `{withCredentials: true}` either as a default for all axios calls from the client or you can pass it as an option with each `axios()` call. Example: `const api = axios.create({ withCredentials: true, baseURL: apiUrl, headers: { 'Content-Type': 'application/json' }})` – jfriend00 Jul 12 '22 at 04:45
  • @jfriend00 I was trying to do this, but it doesn't seem to be working. By the way, using postman, when I directly ping to back-end endpoint (http://localhost:3001/sign-in) I get cookies, but when I do the same ping, but from front API (http://localhost:8010/api/s-i), I got the same body result, but with no headers. – dokichan Jul 12 '22 at 05:01
  • I do not understand your two server layout and what exactly is the whole sequence of things you're trying to do with cookies. Can't help more without that understanding. – jfriend00 Jul 12 '22 at 05:13
