I do have a similiar problem as stated in this thread: Browser isnot receiving cookies after deployment
My setup is:
- A basic strapi-based backend hosted on railway with this plugin to work with httpOnly server-side cookies: GitHub - bwyx/strapi-jwt-cookies: Securely use users-permissions's JWT on cookies šŖ
- A basic vite & vue3 based frontend hosted on netlify.
This vue3 app contains a global navigation guard, which looks like this:
function getCookieValue(name) {
return document.cookie.match('(^|;)\\s*' + name + '\\s*=\\s*([^;]+)')?.pop() || ''
}
router.beforeEach((to, from, next) => {
if (to.matched.some((record) => record.meta.requiresAuth)) {
const hasCookie = getCookieValue('user')
if (hasCookie) {
next()
} else {
next('/auth')
}
} else {
next()
}
})
This means:
- If a route contains the meta ārequiresAuthā with value ātrueā, we will try to read the value from a cookie called āuserā.
- If we do get a value, this means the user is authenticated and therefore can continue to the page he wants to visit.
- If we do get an empty-string, this means the user isnāt authenticated and is redirect to auth-page.
- Please note: Iām aware that this isnāt fully secure at all and needs some improvements but that isnāt the point here.
While in dev everything works, I always get an empty-string when running the same hosted on netlify. What Iāve found out so far:
- The cookie is generated and sent back to the frontend hosted on netlify, I can see the headers and cookie when opening the network tab of dev-tools (screenshot from live-version on netlify):
- However: In local dev Iām also able to see these cookies within the āstorage/cookiesā tab of browsers dev-tools, while they donāt show up in the same places for the same code hosted on netlify ( this isnāt a real problem for me but it seems to be relevant and related to my problem described below).
- I can use the cookie shown above afterwards to do another succesfully call to an api endpoint which needs auth and can see it being used & sent in the requests-header of that request. So it must be present in frontend and I can use it as stated before for example with axios. But whenever I try to read it (as shown above within the navigation guard) I only get an empty-string (only on netlify, in local-dev this works). This of course leads to breaking the navigation guard in that matter that a user is always redirect to the auth-page.
- Please also note: Only the token cookie has the āhttpOnlyā flag set and is therefore not readable from javascript. The user cookie hasnāt this flag as you can see above.
What am I doing wrong? Iām quite sure that Iām getting some basic wrong/not right for using netlify (as itās my first time using a cdn like netlify) and would be glad about anyone that can point me into the right direction. What I try to achive is to āreadā if a user is already logged-in when opening the page and my idea was to simply check if this cookie is present or not (and as said before this works locally while it doesnāt work on netlify). Storing the jwt in localStorage and read it from there isnāt an option due to security concerns.
