0

The issue I have is Cookie is not added to the request header therefore I receive a 403 status. To explain further I am implementing a system link where when a user opens a page, a request token is is fetched and added to the META of the html and also saved in the document.cookie. When the user decides to login, the fetch request below fetchSignIn should automatically add a cookie because I am setting credentials: "include" but it doesn't. I have looked at other examples but I don't understand where my implementation is wrong.

Login implementation using OOP

class Login {
// Private methods...

    fetchSignIn (obj, url) {
        console.log("Cookie ", document.cookie);
        fetch(url, {
            method: "POST",
            mode: "cors",
            credentials: "include",
            body: JSON.stringify(obj),
            headers: {
                "Content-Type": "application/json",
                "Authorization": "",
                "X-XSRF-TOKEN": getQSelector('meta[name="_csrf"]').content
            }
        })
        .then((response) => response.text())
        .then((data) => {
            console.log(data);
        })
        .catch((error) => {
            console.error('Error: ', error.message);
        });
    }
}

Fetch token on opening of the page

window.addEventListener("DOMContentLoaded", (e) => {
    _loadCSRF(CSRFDOMLOAD);
})

const _loadCSRF = (path) => {
    fetch(path) // GET Request
    .then((response) => response.json())
    .then((data) => {
        console.log(data);
        document.cookie = data.headerName + "=" + data.token;
        getQSelector('meta[name="_csrf_header"]').setAttribute("content", data.headerName);
        getQSelector('meta[name="_csrf"]').setAttribute("content", data.token);
    })
    .catch((err) => console.error("Failed csrf fetch ", err));
}
seju
  • 119
  • 1
  • 8
  • is `url` the same origin as the page making the request? – Jaromanda X Oct 31 '22 at 22:28
  • It is the same domain but using different path. To better explain ‘fetchSignIn’ url for example is localhosthost:8080/login and ‘_loadCSRF’ url is localhosthost:8080/csrf @JaromandaX – seju Oct 31 '22 at 22:45
  • all good, just wondered why you specifically added `mode: "cors"` to the request if it's NOT a cross origin request - but, is the PAGE served by "localhosthost:8080" or is "localhosthost:8080" just an API? – Jaromanda X Oct 31 '22 at 22:46
  • @JaromandaX How much you want to bet it's "I was just trying that to see if it would help"? – Barmar Oct 31 '22 at 22:47
  • Oh it is cross domain. The server side is running on port: 8080 and client side 127.0.0.1 @JaromandaX – seju Oct 31 '22 at 22:47
  • 1
    well, that's why the cookie isn't being sent ... you set it on 127.0.0.1 so it won't be sent to "localhosthost:8080" ... cookies don't work like that – Jaromanda X Oct 31 '22 at 22:48
  • Just so I am clear, if an application is cross domain meaning client and server running on two different ports, one cannot send a cookie in the request header? @JaromandaX – seju Oct 31 '22 at 22:52
  • 2
    "client and server running on two different ports" ... makes no sense and does not describe your situation... you have two servers ... one at `127.0.0.1` (presumably port 80, which seems to be where your HTML, Javascript is coming from) and one at `localhosthost:8080` - which is some sort of API, where your requests are being sent - they are not the same origin, so cookies you set in the javascript are set for the former, and are not sent to the latter – Jaromanda X Oct 31 '22 at 22:54

0 Answers0