# Cookies not getting sent back.


lavish fox
#

Hey, I am using NestJS with GraphQL and cookieParser. I am setting the refresh token in a cookie on login. The token is successfully sent (Set-Cookie header is present on the request header), but in the Chrome devtools the cookie is not visible and the cookie is not sent back on subsequent requests.

#
```ts
async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  const configService = app.get(ConfigService);
  const PORT = configService.get('PORT');
  const corsOptions = {
    origin: configService.get('FRONTEND_URL'),
    credentials: true,
  };

  app.use(cookieParser(configService.get('JWT_ACCESS_TOKEN_SECRET')));
  app.use(cors(corsOptions));

  await app.listen(PORT);

  Logger.log(`Listening on PORT ${PORT} 🚀🚀🚀`);
}
```
#
```ts
  async login(@Args('userDetails') input: LoginUserInput, @Context() context) {
    const result = await this.authService.login(input);

    // Extract the refreshToken from the signup result.
    const { refreshToken, ...rest } = result;

    // set the refreshToken in the HTTP-only cookie
    context.res.cookie('refreshToken', refreshToken, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'lax',
      maxAge: 1000 * 60 * 60 * 24 * 31, // 1 month
      domain: process.env.NODE_ENV === 'production' ? this.configService.get('FRONTEND_URL') : undefined
    });
    return rest;
  }
```
#

Has anyone had a similar problem?

limpid junco
#

How are you making requests? Is this with the graphql playground?

lavish fox
#

I have tried with Postman and a React frontend. In both cases it is not working.

limpid junco
#

Are there any warnings in the request/response when seeing the Set-Cookie header? Chrome usually shows things like "Not set for Y reason"

lavish fox
#

No, I don't think so.

#

These are the response headers

limpid junco
#

Hmm, that all looks fine from what I can tell

lavish fox
#

Yes here it shows that it received the cookie but in the application tab the cookie is not present

limpid junco
#

And you are on localhost:3001? What are you using to make the request?

lavish fox
#

Frontend is on 3001, backend on 8007.

lavish fox
#

I am using apollo client

#

Apollo client configuration

```ts
new ApolloClient({
  uri: process.env.REACT_APP_GRAPHQL,
  cache: new InMemoryCache(),
  credentials: "include",
  defaultOptions: {
    watchQuery: {
      fetchPolicy: "network-only",
    },
    query: {
      fetchPolicy: "network-only",
      errorPolicy: "all",
    },
    mutate: {
      errorPolicy: "all",
    },
  },
});
```

limpid junco
#

Credentials include. Yeah that looks correct

#

Can you try Firefox?

lavish fox
#

I will have to download it.

#

Okay will try

lavish fox
#

Yup, same issue with Firefox dev version.

#

Cookie is received on the Set-Cookie header, and there were no errors on the console and no warning signs.

#

One weird thing I noticed.

The first time, when I opened localhost:3001 on Firefox and logged in, the cookie was shown on the storage tab. When I refreshed the page (still logged in), it worked!
The page refreshed without making the user log out. (On refresh, the server provides a new access token by checking the refresh token.)

But then I logged out and logged in again, and the cookie did not get updated and the same problem started.
Then I deleted the cookie manually and logged in again. This time the cookie was sent but not shown on the storage tab.

#

😭

lavish fox
#

@fleet ridge This is the thread I was talking about in #hangout. Sorry for asking there, but I didn't get any answers here, that's why I asked.

fleet ridge
#

What is your problem now? Can you explain? It's not really clear to me.

lavish fox
#

I am trying to do auth with an access token and a refresh token. The refresh token is saved in an HTTP-only cookie.
On login I am saving the refresh token in the cookies, and it is successfully saved because I can see the Set-Cookie header on the response header. But the cookie is not sent back on subsequent requests.

#

This is my login resolver

```ts
  async login(@Args('userDetails') input: LoginUserInput, @Context('res') res: Response) {
    const result = await this.authService.login(input);

    // Extract the refreshToken from the signup result.
    const { refreshToken, ...rest } = result;

    const expires = new Date(Date.now() + 150 * 24 * 60 * 60 * 1000);
    res.cookie('refreshToken', refreshToken, { httpOnly: true, sameSite: 'none', path: '/', secure: true, domain: 'localhost', expires });
    return rest;
  }
```
#

And CORS is also active using

```ts
  app.enableCors({
    credentials: true,
    origin: configService.get('FRONTEND_URL'),
  });
```
#

This is not working on any platform, including Postman and Apollo playground.

#

@acoustic hedge you can just read the recent today msg to get the idea

acoustic hedge
# lavish fox: @acoustic hedge you can just read the recent today msg to get the idea

Hm, I am sorry, but I have no experience with cookie auth using graphql, so I would be only guessing here 🤷‍♂️
I see that you already set credentials: "include", in the apollo client, which is what I was going to suggest you check, so I'm really out of ideas.
If your FE is served from a different domain than your BE, then you're probably missing some other cookie options. Are you sure that path: "/" is correct?

lavish fox
#

"/graphql" path is also not working, so I was testing if this will work.

fleet ridge
#

Yeah, you'll need to make your refresh endpoint a REST endpoint.

#

That way, you can set the path to /refresh and the token/cookie is only sent during that request.

lavish fox
#

Hmm okay, I will try this out.

lavish fox
#

Hey @fleet ridge, I tried with a REST refresh route and path, but it is still not working.

#

But it works if I have REST login.

#

This seems to be a problem with GraphQL or Nest, because I have seen videos of this working on YouTube on previous versions of the @nestjs/apollo package.

limpid junco
#

Your server is sending back the Set-Cookie header, so it can't be a problem with nest. This is a client implementation problem or a configuration issue, but not a bug with the framework itself

lavish fox
#

Maybe, but I have been on this for days now. And everything seems to work in REST without any configuration changes.

#

On the previous version of the Apollo package, we used to set CORS on the GraphQL module itself,

#

but now it's changed.

limpid junco
#

It's changed because Apollo changed