#Cookie Secure - API rest

19 messages · Page 1 of 1 (latest)

tacit crown
#

I have PayloadCMS running on localhost:3000, and Next.js running on localhost:8000.

I try to fetch data.
I already set cors and csrf to the value *

Actually I can log in and data is returned normally.
The problem is that the secure cookie is not set automatically 😦
So, when I try to log out, "user: null".

I really don't know why the cookie isn't set; I already checked the developer tools (no cookies there).
I tried different browsers, I tried different clients (vanilla JS).

It only works in Postman/Insomnia.

Could anyone help me please? TwT

pallid wind
#

So, what doesn't work?

tacit crown
#

The secure cookie is supposed to be set automatically when I fetch the login endpoint, but it's not set :/

pallid wind
#

You are making a fetch request to the auth endpoint from Next to Payload?

tacit crown
#

Yes

stoic gust
#

Are you using `credentials: include`?

pallid wind
#

I replicated your issue, to be honest.

pallid wind
#
> stoic gust: are you using `credentials: include`

What I tried was the same as what @tacit crown did.

I had problems even with just setting the cookie after a successful login. Localhost acts as a same-origin scenario, even with different ports, so there shouldn't be a problem.

That is certain because when you log in directly from the CMS and then switch to your Next.js application, the cookie will be shared. However, when you want to log in directly from the Next.js app, you will get a token back inside the response data, but the cookie itself will not be set.

#

Bear in mind, please, that I tried this at 1:30 AM and I was already tired.

#

But I will try to take a look at it over the weekend.

#

Logout is a similar scenario: the cookie doesn't get deleted, and setting `credentials: include` caused a CORS error.

#

BUT I think the default behaviour is that accepting all origins with the `*` asterisk and accepting credentials is forbidden.

#

Therefore try to set the allowed origins to be localhost:5000 or something like that.
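The rule pallid wind describes above (a wildcard `*` origin cannot be combined with credentials, so the allowed origin has to be listed explicitly) and stoic gust's `credentials: include` question, shown as an added example in plain JavaScript. This is not PayloadCMS code and not code from anyone in the thread; the function names `loginRequestInit`, `corsHeadersFor`, `corsCheckPasses` and `simulate` are assumptions, and the origins are constructed sample values standing in for the dev servers from the thread.

```javascript
// Added example, not PayloadCMS or thread code: the browser's CORS
// credentials rule, and the server headers that satisfy it.

// Client side: the fetch options a browser page needs so that the
// login response's Set-Cookie is stored and later sent back.
function loginRequestInit(credentials) {
  return {
    method: 'POST',
    credentials: 'include',            // without this the cookie is dropped
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(credentials),
  };
}

// Server side: CORS response headers for a request from `origin`.
// `allowedOrigins` is an explicit allowlist such as ['http://localhost:8000'].
function corsHeadersFor(origin, allowedOrigins) {
  const headers = {};
  if (allowedOrigins.includes('*')) {
    // Wildcard: browsers never pair '*' with credentials, so do not
    // advertise Allow-Credentials here; cookies will not be exchanged.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  if (allowedOrigins.includes(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // echo the exact origin
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';                      // caches must key on Origin
  }
  return headers; // unknown origin: no CORS headers, the browser blocks the read
}

// Browser side: the CORS check the Fetch standard runs on a response.
// Returns true when the page at `origin` is allowed to read the response.
function corsCheckPasses(headers, origin, credentialsMode) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (credentialsMode !== 'include') {
    return acao === '*' || acao === origin;
  }
  // credentials: 'include': '*' is rejected, the origin must match exactly,
  // and Allow-Credentials must be the literal string 'true'.
  return acao === origin && headers['Access-Control-Allow-Credentials'] === 'true';
}

// Run one configuration end to end. The default origin is a constructed
// sample value standing in for the Next.js dev server from the thread.
function simulate(allowedOrigins, credentialsMode, origin = 'http://localhost:8000') {
  const headers = corsHeadersFor(origin, allowedOrigins);
  return corsCheckPasses(headers, origin, credentialsMode);
}

// Walk through the thread's two configurations.
console.log('wildcard + credentials:', simulate(['*'], 'include'));                            // false
console.log('explicit origin + credentials:', simulate(['http://localhost:8000'], 'include')); // true
```

The `Vary: Origin` header matters once more than one origin is allowlisted: without it a shared cache could serve a response carrying one origin's echoed `Access-Control-Allow-Origin` to a page on another origin.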

stoic gust
#

Specifying the domains the cookie can be shared on is way more secure. I would always do that when you can.

tacit crown
#

I specified the domain and port and it worked ❤️
Now the cookie is set correctly.

Thanks @pallid wind and @stoic gust

pallid wind
#

Does the logout work for you though?

tacit crown