I have a Rails 4 backend using DeviseTokenAuth and an AngularJS frontend using ngTokenAuth.
When the frontend and backend are deployed on the same domain, authentication works perfectly.
When testing on localhost, with both the backend and the frontend running on localhost on two different ports, the sign_in request completes with 200 OK but the response doesn't contain a Set-Cookie header, so the client remains unauthenticated for the following requests.
Below you can see a copy of the headers received in the sign_in response in both scenarios.
The problem is the same if I try to authenticate from a frontend running locally against the Rails backend deployed on the server.
The CORS headers are configured like this on the server, and everything about cross-origin seems fine to me:
    # config/application.rb: rack-cors placed first in the middleware stack
    config.middleware.insert_before 0, "Rack::Cors" do
      allow do
        origins '*'
        resource '*', :headers => :any, :methods => [:get, :post, :options]
      end
    end
Deployed on the server
Accept-Ranges:bytes
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:example.org
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000
access-token:XXXXXXXXXXOI9s2x0IuVMA
Age:0
Cache-Control:max-age=0, private, must-revalidate
client:XXXXXXXXXXAP2TsoBZTnjg
Connection:keep-alive
Content-Type:application/json; charset=utf-8
Date:Thu, 04 May 2017 09:28:17 GMT
ETag:W/"XXXXXXXXXXc86bb292d476d2366d3742"
expiry:1495099697
Server:nginx/1.10.0 (Ubuntu)
Set-Cookie:_differenthood_session=ZE1NWndTUUVmMkNDbWRWckNNbkpKdWh6SVdaVTFlaGN6XXXXXXXXXXcrb2EzSGd3SFQvN2h3Z2IxOE9BMVYrTjV6YmsvRXpWNmN4T213R2V3MEJ1WWc9PS0tbU01Ymt6YkdOc0VIUTFCK1NUVFlMZz09--861a3aebd1d79f224d9ad810a88e5d5f23e114c0; path=/; HttpOnly
token-type:Bearer
Transfer-Encoding:chunked
uid:login@email.com
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Request-Id:c935b76c-d173-48ce-b21c-5e694845148b
X-Runtime:0.629113
X-XSS-Protection:1; mode=block
Testing on localhost
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:http://localhost:9000
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000
Access-Token:XXXXXXXXXXXAiR5CQmwYpQ
Cache-Control:max-age=0, private, must-revalidate
Client:XXXXXXXXXXq2UC7GXE0qbw
Connection:Keep-Alive
Content-Length:418
Content-Type:application/json; charset=utf-8
Date:Thu, 04 May 2017 09:27:20 GMT
Etag:W/"XXXXXXXXXX37381b8c1637b2ea1bba96"
Expiry:1495099640
Server:WEBrick/1.3.1 (Ruby/2.2.6/2016-11-15)
Token-Type:Bearer
Uid:login@email.com
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Request-Id:3ef1f652-b29f-4fe7-bbb9-3de47f1acddf
X-Runtime:0.653264
X-Xss-Protection:1; mode=block
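An added example (not part of the original question) that checks which of the headers in these dumps a cross-origin browser script is actually permitted to read. Browsers only expose the CORS-safelisted response headers (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) plus whatever the server names in Access-Control-Expose-Headers; DeviseTokenAuth carries the credentials in the custom access-token, client, expiry, uid and token-type headers, so with an empty expose list the request returns 200 but ngTokenAuth never sees the token. The sample header dump below is constructed from the localhost response above, and FIXED_RESPONSE is an assumed version of it with those headers exposed.

```ruby
# Added example: which response headers a cross-origin script may read.
# Not code from the question or from rack-cors/devise_token_auth.

# CORS-safelisted response headers (readable without being exposed).
SAFELISTED = %w[cache-control content-language content-length content-type
                expires last-modified pragma].freeze

# Headers devise_token_auth sets on sign_in and ng-token-auth must read back.
TOKEN_HEADERS = %w[access-token client expiry uid token-type].freeze

# Parse a "Name:value" dump (as copied from browser dev tools) into a hash
# keyed by lower-cased name; header names are case-insensitive.
def parse_headers(dump)
  dump.each_line.with_object({}) do |line, h|
    name, value = line.split(':', 2)
    next if name.nil? || value.nil?
    h[name.strip.downcase] = value.strip
  end
end

# Header names a cross-origin script is allowed to read from this response.
def readable_cross_origin(headers)
  exposed = headers.fetch('access-control-expose-headers', '')
                   .split(',').map { |n| n.strip.downcase }.reject(&:empty?)
  allowed = SAFELISTED + exposed
  headers.keys.select { |name| allowed.include?(name) }
end

# Token headers present in the response but invisible to the client.
def hidden_token_headers(headers)
  TOKEN_HEADERS - readable_cross_origin(headers)
end

# Constructed sample modelled on the "Testing on localhost" dump above.
LOCALHOST_RESPONSE = <<~HDR
  Access-Control-Allow-Credentials:true
  Access-Control-Allow-Origin:http://localhost:9000
  Access-Control-Expose-Headers:
  Access-Token:XXXXXXXXXXXAiR5CQmwYpQ
  Client:XXXXXXXXXXq2UC7GXE0qbw
  Content-Type:application/json; charset=utf-8
  Expiry:1495099640
  Token-Type:Bearer
  Uid:login@email.com
HDR

# Assumed: the same response after rack-cors is given an `expose:` list.
FIXED_RESPONSE = LOCALHOST_RESPONSE.sub(
  'Access-Control-Expose-Headers:',
  'Access-Control-Expose-Headers:access-token, client, expiry, uid, token-type'
)

if __FILE__ == $PROGRAM_NAME
  puts "hidden on localhost: #{hidden_token_headers(parse_headers(LOCALHOST_RESPONSE)).inspect}"
  puts "hidden after fix:    #{hidden_token_headers(parse_headers(FIXED_RESPONSE)).inspect}"
end
```

In rack-cors the expose list is the `expose:` option on `resource`, e.g. `resource '*', headers: :any, expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'], methods: [:get, :post, :options]`. Separately, note that both dumps send Access-Control-Allow-Credentials: true while the config allows `origins '*'`; a wildcard origin combined with credentials lets any site make credentialed cross-origin requests, so restrict `origins` to the real frontend origins in production.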