Cookie Secure - API rest

LuisLopezlg
last month

I have PayloadCMS running on localhost:3000 and Next.js running on localhost:8000.

I try to fetch data.

I already set cors and csrf to the value *.

Actually I can log in and data is returned normally.

The problem is that the secure cookie is not set automatically 😦

So, when I try to log out, "user: null".

I really don't know why the cookie isn't set; I already checked the developer tools (no cookies there).

I tried different browsers, I tried different clients (vanilla JS).

It only works in Postman/Insomnia.

Could anyone help me please? TwT

  • Marťafiixek
    last month

    So, what doesn't work?

  • LuisLopezlg
    last month

    The secure cookie is supposed to be set automatically when I fetch the login endpoint, but it's not set :/

  • Marťafiixek
    last month

    You are making a fetch request to the auth endpoint from Next to Payload?

  • LuisLopezlg
    last month

    Yes

  • Jarrod
    Payload Team
    last month

    Are you using

    credentials: include

  • Marťafiixek
    last month

    I replicated your issue, to be honest.

    What I tried was the same as @LuisLopezlg did.

    I had problems even with just setting the cookie after a successful login. Localhost acts as a same-origin scenario, even with different ports, so there shouldn't be a problem.

    That is certain because when you log in directly from the CMS and then switch to your Next.js application, the cookie will be shared. However, when you want to log in directly from the Next.js app, you will get a token back inside the response data, but the cookie itself will not be set.

    Bear in mind, please, that I tried this at 1:30 AM and I was already tired.

    But I will try to take a look at it over the weekend.

    Logout is a similar scenario: the cookie doesn't get deleted, and setting

    credentials: include

    caused a CORS error.

    BUT

    I think the default behaviour is that accepting all origins with the * asterisk while also accepting credentials is forbidden.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

    Therefore try to set the allowed origins to be

    localhost:5000

    or something like that.

  • Jarrod
    Payload Team
    last month

    Specifying the domains the cookie can be shared on is way more secure. I would always do that when you can.

  • LuisLopezlg
    last month

    I specified the domain and port and it worked ❤️

    Now the cookie is set correctly.

    Thanks @Marťafiixek and @Jarrod

  • Marťafiixek
    last month

    Does the logout work for you though?

  • LuisLopezlg
    last month

    Yes, it works.

  • smalltalkman
    last month

    The docs address cookie settings:

    https://github.com/payloadcms/website
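
As an added example, not code from this thread or from the Payload project: a small JavaScript model of the rule Marťafiixek linked (a credentialed cross-origin request is rejected by the browser when Access-Control-Allow-Origin is *), next to the fetch options Jarrod asked about and an origin-allowlist header builder of the kind the thread ends up recommending. The origin http://localhost:8000 and all function names are assumptions for illustration; the browser check is a model of the published CORS rules, not a browser. The three configurations in demo() walk through what the thread observed: wildcard without credentials returns data but stores no cookie, wildcard with credentials is a CORS error, and an explicit origin with credentials stores the cookie.

```javascript
// Added example (not from the Payload project or this thread): a pure-function
// model of the CORS rules that decide whether a browser accepts a credentialed
// response, next to the header setup that fixes the thread's problem.

// Client side: fetch() options for the cross-origin login call. Without
// credentials: 'include' the browser neither sends cookies nor stores the
// Set-Cookie header that the login response carries.
function loginRequestInit(email, password) {
  return {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password }),
  };
}

// Server side: CORS response headers for a given request Origin.
// allowedOrigins is an explicit allowlist (the fix the thread arrives at);
// an entry of '*' reproduces the wildcard configuration the thread started with.
function corsHeadersFor(requestOrigin, allowedOrigins, allowCredentials) {
  const headers = {};
  if (allowedOrigins.includes('*')) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // echo the exact origin
    headers['Vary'] = 'Origin'; // caches must key the response on Origin
  }
  // Origins not on the list get no ACAO header at all, so the browser blocks them.
  if (allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side: model of the rule MDN documents for credentialed requests.
// A response to a credentials: 'include' request is usable only if
// Access-Control-Allow-Origin echoes the exact origin (never '*') and
// Access-Control-Allow-Credentials is 'true'; otherwise the browser raises
// a CORS error. cookieStored says whether a Set-Cookie on the response
// would be kept: only when the response is accepted AND credentials were included.
function browserAcceptsResponse(requestOrigin, credentialsMode, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  const result = (ok, reason) => ({ ok, reason, cookieStored: ok && credentialsMode === 'include' });

  if (acao === undefined) return result(false, 'no Access-Control-Allow-Origin header');
  if (credentialsMode !== 'include') {
    return acao === '*' || acao === requestOrigin
      ? result(true, 'ok')
      : result(false, 'origin mismatch');
  }
  if (acao === '*') return result(false, 'wildcard origin not allowed with credentials');
  if (acao !== requestOrigin) return result(false, 'origin mismatch');
  if (acac !== 'true') return result(false, 'Access-Control-Allow-Credentials missing');
  return result(true, 'ok');
}

// The three configurations the thread goes through, for a Next.js dev server
// on http://localhost:8000 (assumed) calling the CMS.
function demo() {
  const nextOrigin = 'http://localhost:8000';
  return {
    // CORS '*' and a plain fetch: data comes back, but no cookie is stored.
    wildcardNoCreds: browserAcceptsResponse(
      nextOrigin, 'omit', corsHeadersFor(nextOrigin, ['*'], false)),
    // CORS '*' plus credentials: 'include': the browser raises a CORS error.
    wildcardWithCreds: browserAcceptsResponse(
      nextOrigin, 'include', corsHeadersFor(nextOrigin, ['*'], true)),
    // Explicit origin plus credentials: 'include': response accepted, cookie stored.
    allowlistWithCreds: browserAcceptsResponse(
      nextOrigin, 'include', corsHeadersFor(nextOrigin, [nextOrigin], true)),
  };
}

console.log(demo());
```

The Vary: Origin header in corsHeadersFor is the one detail beyond the thread: once the server echoes a per-request origin instead of *, any cache in front of it has to key on Origin, or one site's allowed response can be served to another.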