I am unable to retrieve a cookie that I sent earlier.

As part of login, I sent back a refresh token as an httpOnly cookie.

```javascript
const payload = {name, email};
console.log("payload: ", payload);
const accessToken = jsonwebtoken.sign(payload, process.env.ACCESS_TOKEN_KEY, { expiresIn: '15m' });
const refreshToken = jsonwebtoken.sign(payload, process.env.REFRESH_TOKEN_KEY, { expiresIn: '1d' });
console.log("Access  Token:", accessToken);   // access token is generated
console.log("Refresh Token:", refreshToken);  // refresh token is generated
res.cookie('refreshToken', refreshToken, { httpOnly: true, secure: false, sameSite: 'Lax', maxAge: 24*60*60*1000 }); // call succeeded. what is the name of cookie?
res.json({ accessToken });
```

Later on a refresh endpoint I look for a cookie and can't find it:

```javascript
export const handleRefreshToken = async (req, res) => {
  console.log("Request Cookies", req.cookies);
  const cookies = req.cookies;
  if (!cookies?.refreshToken) return res.sendStatus(401);
  // ... (rest of the handler not shown)
};
```

I see the following cookies:

  • _ga: 'xxxxxxxxxxxxxxxxx',
  • _gid: 'xxxxxxxxxxxxxxxx',
  • _gat_gtag_UA_xxxxxx: 'x',
  • _ga_QPY49S2WC4: 'xxxxxxxxxxxxxxxxxxx'

This is on my dev environment with nodejs running on localhost:5000.

Update: Using devtools (Network) I see the cookie in the response on the client side. The name of the cookie is 'refreshToken'. However, the cookie doesn't show up on the browser when I look at the cookies on the browser. Perhaps, the cookie isn't being retained on the browser. Any suggestions on why that could be?

Update2: The link provided by @Konrad Linkowski worked. When the axios request is made from the client, I needed the option "{ withCredentials: true }".

NRS2000
  • `httpOnly` cookie cannot be accessed through javascript – Konrad Nov 15 '22 at 18:35
  • Understood. I am not accessing the cookie in the browser. This is all on the backend. – NRS2000 Nov 15 '22 at 18:38
  • My bad sorry. How do you make a request? Do you have `credentials: 'include'` option? – Konrad Nov 15 '22 at 18:43
  • I don't have credentials: 'include'. Where do I specify it? Is it in the options for res.cookie()? My login request from the client looks like this: const res = await axios.post('/login', { ident: email, password }); – NRS2000 Nov 15 '22 at 18:46
  • express config code: const corsConfig = { credentials: true, origin: true, }; app.use(cors(corsConfig)); – NRS2000 Nov 15 '22 at 18:51
  • https://stackoverflow.com/questions/52549079/does-axios-support-set-cookie-is-it-possible-to-authenticate-through-axios-http – Konrad Nov 15 '22 at 18:56

1 Answer

The error was on the client end. The express code functioned correctly. This link explains it: Does Axios support Set-Cookie? Is it possible to authenticate through Axios HTTP request?

My original call on the client side (using axios) was:

```javascript
const res = await axios.post('/login', { ident: email, password });
```

Instead it should have been:

```javascript
const res = await axios.post('/login', { ident: email, password }, { withCredentials: true });
```

NRS2000
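
Added example, not part of the original question or answer: a dependency-free sketch of the server side of this exchange, showing the response headers a credentialed cross-origin login needs and why the refresh handler returned 401 before the client fix. The client origin `http://localhost:3000`, the function names and the sample header values are assumptions; the question's `origin: true` CORS setting reflects any requesting origin, whereas this sketch uses an explicit allowlist.

```javascript
// Added example: names, origins and token values are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed dev client origin

// CORS headers for a credentialed (cookie-carrying) response. Browsers reject
// "Access-Control-Allow-Origin: *" on credentialed requests, so the exact origin
// is echoed back, and only when it is on the allowlist.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Set-Cookie value matching the question's options; Secure is added outside dev.
function refreshCookie(token, { production = false } = {}) {
  const attrs = [`refreshToken=${encodeURIComponent(token)}`, 'Path=/', 'HttpOnly',
    'SameSite=Lax', `Max-Age=${24 * 60 * 60}`];
  if (production) attrs.push('Secure');
  return attrs.join('; ');
}

// Parse a Cookie request header into an object, as req.cookies presents it.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 1) continue; // skip empty or nameless fragments
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Status the refresh endpoint returns for a given set of request headers.
function refreshStatus(headers) {
  return parseCookies(headers.cookie).refreshToken ? 200 : 401;
}

// Constructed requests. "before" is what the server saw in the question: analytics
// cookies only, because the browser never stored refreshToken. "after" is the same
// request once the login call was made with withCredentials: true.
const before = { origin: 'http://localhost:3000', cookie: '_ga=GA1.1.x; _gid=GA1.1.y' };
const after = { origin: 'http://localhost:3000',
  cookie: '_ga=GA1.1.x; refreshToken=constructed.jwt.value' };
console.log(refreshStatus(before), refreshStatus(after), corsHeadersFor('http://other.example'));
```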