I haven't been able to solve this problem for 2 days, node js api heroku is also deployed, my client is on netlify, the backend does not send cookies when requesting from the client, you set the corss, I added withCredintels, but in vain, what can I do, (I allowed google cookies)
client expample fetch
const response = await axios(`${client}api/csrf`, {
method: "GET",
withCredentials: true,
header: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Credentials": true,
mode: "same-origin",
redirect: "follow",
},
});
axios.defaults.headers.common["X-CSRF-Token"] = response.data.csrf;
server.js
app.set("trust proxy", true);
app.use(limiter);
app.use(cookieParser());
app.use(helmet());
app.use(helmet.frameguard({ action: "deny" }));
app.use(express.static(__dirname + "/backend/build"));
app.use(
cors({
origin: "https://atalay.netlify.app",
credentials: true,
methods: "GET,POST,PUT,DELETE",
optionsSuccessStatus: 200,
allowedHeaders: [
"Origin",
"X-Requested-With",
"Content-Type",
"Accept",
"Authorization",
],
preflightContinue: true,
})
);
app.use(express.urlencoded({ extended: true }));
app.use(express.json());
app.use((req, res, next) => {
res.header("Access-Control-Allow-Origin", req.headers.origin);
res.header(
"Access-Control-Allow-Headers",
"Origin, X-Requested-With, Content-Type, Accept"
);
res.header("Access-Control-Allow-Credentials", "true");
next();
});
app.use((req, res, next) => {
res.header("Set-Cookie", "HttpOnly;Secure;SameSite=None");
next();
});
app.use(
session({
secret: config.sessionSecret,
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 7,
httpOnly: false,
},
resave: true,
saveUninitialized: false,
cookie: {
secure: process.env.NODE_ENV === "production",
httpOnly: true,
sameSite: true,
},
store: MongoDBStore({
uri: "procsess.env.DB",
collection: "sessions",
}),
})
);
app.use(passport.initialize());
app.use(passport.session());
app.use(csrf({ cookie: false }));
app.use("/api", router);
