
[web app Client Code]

/**
 * Posts the ID token to the cloud function as JSON and parses the reply.
 *
 * The request uses `credentials: 'include'`. For a cross-origin endpoint the
 * browser then only accepts a response that carries
 * `Access-Control-Allow-Credentials: true` together with an explicit
 * (non-wildcard) `Access-Control-Allow-Origin`.
 *
 * @param {string} idToken - Token handed to the backend for verification.
 * @returns {Promise<void>} Resolves after the JSON body has been parsed; the
 *   parsed value is neither used nor returned in this snippet.
 */
async function verify(idToken) {
  const endpoint = "<cloud func>";
  const payload = JSON.stringify({ idToken });

  const response = await fetch(endpoint, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    // Asks the browser to send and accept cookies for this endpoint.
    credentials: 'include',
    body: payload,
  });

  // Parsed reply from the backend; nothing reads it in this snippet.
  const data = await response.json();

}

[Cloud func Code]

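/**
 * HTTPS function that verifies the ID token posted by the web client and, on
 * success, sets a cookie on the response.
 *
 * Request body: JSON `{ idToken }`.
 * Response body: JSON `{ result }`, where `result` is "success", "expired",
 * or the message of the error raised during verification.
 */
exports.verifyIdToken = onRequest(
  {
    // NOTE(review): presumably this option answers the OPTIONS preflight
    // before the handler below runs, so headers set in the handler never reach
    // the preflight response. If that response lacks
    // Access-Control-Allow-Credentials, the browser rejects the credentialed
    // request and CORS has to be handled in the handler instead. Confirm
    // against the functions SDK in use.
    cors: "<client domain>",
  },
  async (req, res) => {
    // Set the credentialed-CORS headers before anything can throw, so the
    // failure responses in the catch block carry them too. A credentialed
    // request needs the literal value "true" and an explicit origin, never "*".
    res.set({
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Origin": "<client domain>",
    });

    try {
      const idToken = req.body.idToken;
      // Rejects for an invalid or expired token; the resolved payload is not
      // used by this snippet.
      await verifyJWT(idToken);

      res.cookie("Cookie_Name", "values", {
        // NOTE(review): Express-style res.cookie takes maxAge in milliseconds,
        // so 3600 is 3.6 seconds. If one hour is intended this should be
        // 3600 * 1000. Confirm.
        maxAge: 3600,
        // Keeps the cookie out of reach of page scripts.
        httpOnly: true,
        // SameSite=None is only accepted together with Secure. The cookie is
        // then sent on cross-site requests, so endpoints that trust it need
        // their own CSRF protection.
        secure: true,
        sameSite: "none",
        // NOTE(review): `path` is a URL path prefix such as "/", not a host;
        // a host restriction belongs in the `domain` option. Confirm the
        // intended value.
        path: "<client domain>",
      });

      res.json({ result: "success" });
    } catch (error) {
      logger.error("JWT failed:", error.message);

      if (error.message === "jwt expired") {
        res.json({ result: "expired" });
      } else {
        // NOTE(review): this returns the raw error message to the caller.
        // Consider a fixed generic value here and keep the detail in the log.
        res.json({ result: error.message });
      }
    }
  }
);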

I set it as above, but I get an error.

"The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'."

I'd like to know what could be the reason.

The point of my question is that even with "Access-Control-Allow-Credentials": true set in the response, as shown above, I still get the same error.

I get a 204 response from preflight and this request throws an error.

When using "express" it works fine.

ido han
  • You're going to have to show us how you set this up, including your code on both the frontend and backend. I suggest reading about how to create a [minimal complete reproducible example](https://overflow.tips/write-good-question/minimal-complete-reproducible-example) that anyone can copy and use for themselves to observe the same behavior. – Doug Stevenson Aug 10 '23 at 17:17
  • Please do not post profanity within the problem details. Sanitize those types of words and/or recreate the problem without requiring profane data items. – John Hanley Aug 10 '23 at 21:17
  • @DougStevenson Edited. please help me.. – ido han Aug 11 '23 at 07:15
  • `fetch()` on the client doesn't put any cookies from the remote API into the browser. Cookies are only used in same-origin navigation. If you want the cookie value, you'll have to get it manually from the fetch result. https://stackoverflow.com/questions/34558264/fetch-api-with-cookie – Doug Stevenson Aug 11 '23 at 12:02
