Cookie Secure - API rest

LuisLopezlg
8 months ago

I have PayloadCMS running on localhost:3000 and Next.js running on localhost:8000.

I try to fetch data.

I already set cors and csrf to the value *.

Actually, I can log in and data is returned normally.

The problem is that the secure cookie is not set automatically 😦

So, when I try to log out, "user: null".

I really don't know why the cookie isn't set; I already checked the developer tools (no cookies there).

I tried different browsers, I tried different clients (vanilla JS).

It only works in Postman/Insomnia.

Could anyone help me please? TwT

  • Marťafiixek
    8 months ago

    So, what doesn't work?

  • LuisLopezlg
    8 months ago

    The secure cookie is supposed to be set automatically when I fetch the login endpoint, but it's not set :/

  • Marťafiixek
    8 months ago

    You are making a fetch request to the auth endpoint from Next to Payload?

  • LuisLopezlg
    8 months ago

    Yes

  • Jarrod
    8 months ago

    Are you using

    credentials: include

  • Marťafiixek
    8 months ago

    I replicated your issue, to be honest.

    What I tried was the same as @LuisLopezlg did.

    I had problems even with just setting the cookie after successful login. Localhost acts as a same origin scenario, even with different ports, so there shouldn't be a problem.

    That is certain because when you log in directly from the CMS and then switch to your Next.js application, the cookie will be shared. However, when you want to log in directly from the Next.js app, you will get a token back inside the response data, but the cookie itself will not be set.

    Bear in mind please that I tried this at 1:30 AM and I was tired already.

    But I will try to take a look at it over the weekend.

    Logout is a similar scenario: the cookie doesn't get deleted, and setting

    credentials: include

    caused a CORS error.

    BUT

    I think the default behaviour is that accepting all origins with the * asterisk and accepting credentials is forbidden:

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

    Therefore try to set allowed origins to be

    localhost:5000

    or something like that.

  • Jarrod
    8 months ago

    Specifying the domains the cookie can be shared on is way more secure. I would always do that when you can.
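
The CORS rule Marťafiixek linked to, together with Jarrod's point about naming the allowed origin, as an added JavaScript example that is not code from the thread or from Payload: the helper names and the origin values are assumed for the demonstration, and it shows the wildcard setting beside the allowlisted one.

```javascript
// Added example, not code from the thread or from Payload. Helper names and the
// origin values below are assumed for the demonstration.
// http://localhost:3000 and http://localhost:8000 are different origins (the port is
// part of the origin), so the Next.js -> Payload fetch is cross-origin and CORS applies.

// Browser-side rule: the response to a credentialed request must carry
// Access-Control-Allow-Credentials: true and a concrete Access-Control-Allow-Origin,
// never "*". Returns the reason the browser would reject the response, or null if OK.
function credentialedCorsProblem(headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (headers['access-control-allow-credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not "true"';
  }
  if (!allowOrigin) return 'Access-Control-Allow-Origin is missing';
  if (allowOrigin === '*') return 'Access-Control-Allow-Origin "*" is not allowed with credentials';
  return null;
}

// Server-side fix: build CORS headers from an explicit allowlist. The request's Origin
// is echoed back only when it is listed; Vary: Origin keeps caches from serving one
// origin's headers to another.
function corsHeadersFor(requestOrigin, allowlist) {
  const headers = { vary: 'Origin' };
  if (allowlist.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// The weak setting from the thread: "*" with credentials. A fetch without
// credentials: 'include' can read this response, but the browser ignores its
// Set-Cookie (token in the body, no cookie in dev tools); with credentials: 'include'
// the browser rejects the response outright (the CORS error seen on logout).
const WILDCARD_HEADERS = { 'access-control-allow-origin': '*', 'access-control-allow-credentials': 'true' };

// The corrected setting: only the Next.js dev origin (constructed value) is allowed.
const ALLOWED_ORIGINS = ['http://localhost:8000'];

// Client side: the login fetch must opt in to cookies with credentials: 'include';
// without it the browser neither sends the cookie nor stores the one the server sets.
function loginRequestInit(email, password) {
  return {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password }),
  };
}
```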

  • LuisLopezlg
    8 months ago

    I specified the domain and port and it worked ❤️

    Now the cookie is set correctly.

    Thanks @Marťafiixek and @Jarrod.

  • Marťafiixek
    8 months ago

    Does the logout work for you though?

  • LuisLopezlg
    8 months ago

    Yes, it works.

  • smalltalkman
    8 months ago

    The docs address cookie setting:

    https://github.com/payloadcms/website