I having some trouble with cookies and or CORS and hope you SuperTokens.com #support-questions-legacy

I having some trouble with cookies and/or CORS and...

yarfink

01/10/2023, 11:35 AM

I having some trouble with cookies and/or CORS and hope you guys can help. I have a web domain (test.com) and api domain (api.test.com). I have setup CORS on NestJS has per the docs, and things seem to work correctly (I can send requests from the web client to the api). However there are 2 problems. a) there's an OPTIONS preflight before every request (do I need to set

Access-Control-Max-Age

manually?) and b) my cookies are not being saved in my browser, probably because they are sub domain but I was under the assumption that sub domain cookies are still regarded as samesite?

rp_st

01/10/2023, 11:42 AM

hey!

rp_st

01/10/2023, 11:42 AM

You can't prevent the OPTIONS requests.

yarfink

01/10/2023, 11:43 AM

Hi. I think the problem is that I haven't set

cookieDomain

on my Session init object

rp_st

01/10/2023, 11:43 AM

About the browser not saving the cookies, can i see the response headers for the sign in API call? A screenshot from the chrome's network tab would work

rp_st

01/10/2023, 11:43 AM

You don't need to set the cookieDomain unless you want to share the cookies across multiple API domains - which by the description, it seems you do not.

yarfink

01/10/2023, 11:43 AM

I am receiving cookies back from the api (there are Set-Cookie headers in the response). They aren't getting set in the browser however

rp_st

01/10/2023, 11:44 AM

is there an orange triangle next to the set-cookie response header?

yarfink

01/10/2023, 11:45 AM

No?

rp_st

01/10/2023, 11:45 AM

at the end of the header

yarfink

01/10/2023, 11:45 AM

No it looks normal

rp_st

01/10/2023, 11:45 AM

can i see the full screenshot of the response header

rp_st

01/10/2023, 11:46 AM

can i see the full screenshot of the response header

rp_st

01/10/2023, 11:46 AM

right ok

rp_st

01/10/2023, 11:46 AM

so the browser is saving the cookie

rp_st

01/10/2023, 11:46 AM

what are the request headers for an APi call that you make in whcih you expect the access token to be attached?

yarfink

01/10/2023, 11:48 AM

In the request there are no cookie headers set

rp_st

01/10/2023, 11:48 AM

can i see all the request headers?

rp_st

01/10/2023, 11:48 AM

ok. So the interception from our frontend SDK is not being applied

rp_st

01/10/2023, 11:48 AM

are you using axios?

rp_st

01/10/2023, 11:49 AM

right ok. So the interception is being applied

rp_st

01/10/2023, 11:49 AM

are you setting the credentials setting to false when making an APi call?

yarfink

01/10/2023, 11:50 AM

They are being set to same-origin

rp_st

01/10/2023, 11:50 AM

don't set them

rp_st

01/10/2023, 11:50 AM

remove that credentials setting

rp_st

01/10/2023, 11:50 AM

or set it to credentials: "include"

yarfink

01/10/2023, 11:52 AM

Wouldn't that mean that cookies are sent cross-origin? or does sameSite prevent that?

rp_st

01/10/2023, 11:52 AM

same site prevents that

rp_st

01/10/2023, 11:52 AM

it will only send the cookie to other sub domains

rp_st

01/10/2023, 11:52 AM

not a different domain

yarfink

01/10/2023, 11:52 AM

I see, thanks

9 Views

Previous Next