Passing cookies through lambda functions

I have a React front end on Netlify and a resource on another domain I want to access. I have several use cases, but one of them is a database on Heroku.

I want to keep secrets, including which remote domains I’m accessing, hidden from the client and I thought I could do it with lambda functions. That is, the app calls lambda, lambda calls remote.

The problem I am having is that the remote domain uses server sessions and needs the application to pass the cookie but I don’t know how to make lambda pass it on. I realise this may be seen as a man-in-the-middle attack and may not be possible but any help is appreciated.

FYI, the process works if I hit the remote domain directly instead of using lambda, but I wanted some extra processing to take place before the data is returned to the application.

Sample code, anonymised, is provided:

App.js (React):

import axios from "axios";

const getStuff = () => {
  axios
    // Netlify serves functions under /.netlify/functions/<name>
    .get("/.netlify/functions/loadstuff", { withCredentials: true })
    //.then, etc
};

loadstuff.js:

const axios = require("axios");

exports.handler = async function (event, context) {
  try {
    const response = await axios.get(
      "http://anotherdomain.com/loadstuff",
      // withCredentials is a browser (XHR) option; in Node it attaches no cookies
      { withCredentials: true }
    );
    return {
      statusCode: response.status,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(response.data),
    };
  } catch (err) {
    return {
      // err.response is undefined when the remote host never answered
      statusCode: err.response ? err.response.status : 502,
      headers: { "Content-Type": "application/json" },
      body: err.toString(),
    };
  }
};

anotherdomain loadstuff:

const loadstuff = (request, response) => {
  let result = {
    //a bunch of stuff
  };
  //logic to configure and customise stuff based on caller
  response.status(200).json(result);
};

Hey @Ormesome,

What happens if you try to get cookies from the request in your lambda and send those as custom cookie headers in your loadstuff.js?

For example:

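const axios = require("axios");

exports.handler = async function (event, context) {
  try {
    const response = await axios({
      url: "http://anotherdomain.com/loadstuff",
      headers: {
        // The browser's cookies arrive in the Cookie request header
        cookie: event.headers.cookie
      }
    });
    // rest of the stuff
  } catch (err) {
    // error handling as in the original loadstuff.js
  }
};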

Thank you. This has done exactly what I needed.
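
The cookie pass-through discussed in this thread, as an added example that is not code from any poster or from Netlify: it forwards only allow-listed cookies to the remote host and relays the remote session's Set-Cookie back with the Domain attribute removed. The cookie name `connect.sid`, the `REMOTE_URL` environment variable and the injectable `httpGet` parameter are assumptions made for illustration.

```javascript
// Added example. ALLOWED_COOKIES, REMOTE_URL and httpGet are assumed names.
const ALLOWED_COOKIES = new Set(["connect.sid"]); // assumed session cookie name
// Keeping the remote URL in an environment variable hides it from the client.
const REMOTE_URL = process.env.REMOTE_URL || "http://anotherdomain.com/loadstuff";

// Keep only allow-listed cookies from the browser's Cookie header, so
// unrelated first-party cookies are never sent to the remote host.
function pickCookies(cookieHeader, allowed = ALLOWED_COOKIES) {
  return (cookieHeader || "")
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => allowed.has(pair.split("=")[0]))
    .join("; ");
}

// Drop the Domain attribute: the browser would reject a cookie scoped to the
// remote host when it arrives in a response from the function's own origin.
function rewriteSetCookie(setCookie) {
  return setCookie
    .split(";")
    .map((part) => part.trim())
    .filter((part) => !/^domain=/i.test(part))
    .join("; ");
}

// httpGet(url, headers) must resolve to { status, data, setCookie: [...] }.
function makeHandler(httpGet) {
  return async function handler(event) {
    const cookie = pickCookies(event.headers && event.headers.cookie);
    const upstream = await httpGet(REMOTE_URL, cookie ? { cookie } : {});
    const result = {
      statusCode: upstream.status,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(upstream.data),
    };
    const relayed = (upstream.setCookie || []).map(rewriteSetCookie);
    if (relayed.length > 0) {
      // multiValueHeaders lets one response carry several Set-Cookie headers
      result.multiValueHeaders = { "Set-Cookie": relayed };
    }
    return result;
  };
}
```

With axios, `httpGet` can wrap `axios.get(url, { headers })` and return `response.headers["set-cookie"]` as `setCookie`; the function is then exported as `exports.handler = makeHandler(httpGet)`.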
