2 Docker containers:

  1. Server: Express.JS REST API with JWT authentication.
  2. Client: Next.JS app that uses Axios to talk with the server.

I tested it on localhost with Docker Compose: everything works fine (both Postman and the browser successfully store the token as a cookie to use on subsequent requests).

I deployed it to Google Cloud Run (one service for each container). Everything works fine, except that now only requests made through Postman store the token as a cookie.

The browser (the Next.JS app) no longer does the same: even though the request returns a successful response, there is no token in the browser cookies.

I did some research, found a few similar problems, and the solutions usually involve setting up some CORS configurations, so I updated my code by adding these configurations, but the issue remains.

I am currently trying it like this:

Server-side:

```typescript
export const login = async (req: Request, res: Response) => {
  // ...

  const accessToken = jwt.sign({ username, id, isAdmin }, jwtSecret, {
    expiresIn: "12h",
  });

  res
    .status(200)
    .cookie("accessToken-Nextflix", accessToken, {
      secure: true,
      sameSite: "none",
    })
    .end();
};
```

```typescript
const app = express();

app.use(helmet());
app.use(
  rateLimit({
    max: 300,
    windowMs: 60 * 60 * 1000,
    message: "Please try again later!",
  })
);

const corsConfig = {
  origin: true,
  credentials: true,
  allowedHeaders: ["Content-Type", "Authorization"],
};

app.use(cors(corsConfig));
app.options("*", cors(corsConfig));

app.use(express.json());
app.use(cookieParser());
app.use("/images", express.static("images"));

app.get("/health", (_, res: Response) => res.sendStatus(200));
app.use("/api/v1/auth", authRouter);
```

Client-side:

```typescript
import axios from "axios";

export default axios.create({
  baseURL: `https://my-cloud-run-server-container-address/api/v1/`,
  withCredentials: true,
});
```

I checked the headers from the response in the browser developer tools network tab, and the token is there.

However, I noticed something that might be strange: there are 2 requests to the "auth" path. One contains the "set-cookie" field with the token, and the other does not.

Henrique
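A check on the CORS and cookie settings shown in the question, as an added example that is not part of the original post: it is a simplified model of how `origin: true` (which the cors middleware documents as reflecting the request's `Origin` header) combined with `credentials: true` answers any origin, next to an exact-match allowlist, plus a review of the cookie options. The origins `https://client.example` and `https://untrusted.example` and all function names are assumptions constructed for illustration.

```javascript
// Added example: simplified model, not the cors package's own code.
// Constructed allowlist; the client origin is a placeholder, not from the page.
const ALLOWED_ORIGINS = new Set(["https://client.example"]);

// CORS response headers for one request. `originOption` is either `true`
// (reflect the Origin header, as in the question's corsConfig) or a Set of
// exact origins (allowlist). Credentials are enabled in both cases.
function corsHeaders(originOption, requestOrigin) {
  const headers = { Vary: "Origin" };
  const allowed =
    originOption === true
      ? Boolean(requestOrigin)
      : originOption.has(requestOrigin);
  if (!allowed) return headers; // no ACAO header: browser blocks the read
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// True when a page served from `requestOrigin` may read responses to
// requests that carry the user's cookies.
function credentialedReadAllowed(originOption, requestOrigin) {
  const h = corsHeaders(originOption, requestOrigin);
  return (
    h["Access-Control-Allow-Origin"] === requestOrigin &&
    h["Access-Control-Allow-Credentials"] === "true"
  );
}

// Review of the options object passed to res.cookie().
function auditCookie(options) {
  const findings = [];
  if (!options.httpOnly)
    findings.push("httpOnly missing: token is readable from page JavaScript");
  if (String(options.sameSite).toLowerCase() === "none" && !options.secure)
    findings.push("SameSite=None without Secure: current browsers reject it");
  return findings;
}

const untrusted = "https://untrusted.example"; // constructed origin
console.log("reflecting policy:", credentialedReadAllowed(true, untrusted));
console.log("allowlist policy :", credentialedReadAllowed(ALLOWED_ORIGINS, untrusted));
console.log("cookie findings  :", auditCookie({ secure: true, sameSite: "none" }));
```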