I've been following the access tutorial here:
https://github.com/payloadcms/access-control-demo, and assessing a user's roles in exactly the same way as outlined in the tutorial.
I'm struggling to implement auth for my collections.
Specifically, checking the user's roles as here:

```ts
// Types are imported as in the access-control-demo repo; the payload-types path is that project's generated file.
import type { Access } from 'payload/config';
import type { User } from '../payload-types';

export const isAdmin: Access<any, User> = ({ req: { user } }) => {
  // Return true or false based on whether the user has an admin role
  return Boolean(user?.roles?.includes('admin'));
};
```
In local development, the user is loaded onto the request. However, on my live server, running a production build or just a dev server, the user object on the request is `undefined`, which causes auth problems in the admin UI and returns a 403 with:

```json
{"errors":[{"message":"You are not allowed to perform this action."}]}
```
My CORS is set correctly and is not conflicting with my nginx config.
Here's my simplified config:
```ts
import { buildConfig } from 'payload/config';
// Path to the Users collection is assumed; adjust to your project layout.
import Users from './collections/Users';

export default buildConfig({
  serverURL: process.env.SERVER_URL,
  cors: ['http://localhost:4000', 'https://my-frontend.com'],
  admin: {
    user: Users.slug,
  },
  collections: [
    Users,
  ],
  routes: {
    api: '/api',
    admin: '/admin',
  },
});
```
Has anyone experienced this before? I can't think what else would be causing the user on the request to be empty...
Also worth noting: as a user I cannot log out, as it returns a 400, and when I do this the logs show:

```
ERROR (payload): Forbidden: You are not allowed to perform this action
```
If I try to GET a protected resource it works fine, but any POST seems to remove the user object in the request!
This happens on different browsers, and I've tried completely nuking the database in case of any lingering sessions, but no luck!
User in request object gets set to undefined in production
FWIW I've parsed the headers in the express app and verified that the cookie header makes its way through even though it's still not attached to the request!
Solved. My serverURL in the config wasn't set to https 😅😅😅
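Since the whole thread came down to an `http://` serverURL in a deployment served over TLS, here is a start-up check you can run on the values before they go into `buildConfig()`. This is an added example, not code from the thread or from Payload; `checkPayloadUrls` and its `production` flag are my own names, and the sample values are constructed.

```javascript
// Added example: validate serverURL and the CORS origin list before
// handing them to buildConfig(), so a scheme mismatch fails loudly at
// start-up instead of surfacing as a 403 / undefined req.user in production.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Returns a list of problem strings; an empty list means the values look sane.
// `production` is intended to be process.env.NODE_ENV === 'production'.
function checkPayloadUrls({ serverURL, cors = [], production = false }) {
  const problems = [];

  let server;
  try {
    server = new URL(serverURL);
  } catch {
    // Covers an unset SERVER_URL env var (undefined) as well as a relative path.
    return [`serverURL is not a valid absolute URL: ${JSON.stringify(serverURL)}`];
  }

  // The thread's root cause: an http:// serverURL on a site served over https.
  if (production && server.protocol !== 'https:') {
    problems.push(`serverURL ${serverURL} must use https in production`);
  }
  if (serverURL !== server.origin) {
    problems.push(`serverURL should be just the origin, got ${serverURL} (expected ${server.origin})`);
  }

  for (const origin of cors) {
    let parsed;
    try {
      parsed = new URL(origin);
    } catch {
      problems.push(`CORS entry is not an absolute URL: ${JSON.stringify(origin)}`);
      continue;
    }
    // Browsers compare the Origin header exactly, so a trailing slash or path
    // in the allow-list never matches.
    if (origin !== parsed.origin) {
      problems.push(`CORS entry ${origin} must be written as its origin, ${parsed.origin}`);
    }
    // A plain-http origin in production is only reasonable for local tooling.
    if (production && parsed.protocol === 'http:' && !LOCAL_HOSTS.has(parsed.hostname)) {
      problems.push(`CORS entry ${origin} allows a plain-http origin in production`);
    }
  }
  return problems;
}

// Constructed values mirroring the thread's config with the bad scheme.
const report = checkPayloadUrls({
  serverURL: 'http://api.example.com',
  cors: ['http://localhost:4000', 'https://my-frontend.com'],
  production: true,
});
if (report.length) console.error(report.join('\n'));
```

Call it once at module load and throw on a non-empty result if you want the process to refuse to start with a misconfigured URL.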