Serverless express app does not set cookies

Hello everyone,

I’m having a peculiar issue with an express app that does not send http-only cookies.
Some quick resources:

• full source code in this repo
• deployed at jovial-fermi-0a9389.netlify.app
• the express app uses cookie-parser and cors

When I make a successful login attempt, before returning the JWT, I also return a cookie that contains the refresh token. But somehow the cookie is not set on the frontend (which is a basic Next app). This cookie is correctly set on localhost, but not when I deploy it to Netlify.

Do you have any idea what’s going on?

Best wishes,
Victor

Hmm… setting cookies from functions is definitely possible. Are you seeing any error in the console? If so, it’d be great to see a screenshot. And either way, a request id would let us check our logs in case we see any clues there.

In the meantime, here’s an example of a function that sets a jwt cookie: netlify-auth-example/auth.js at master · futuregerald/netlify-auth-example · GitHub

Hello Jen,

Thanks for your response and the example from futuregerald’s repo. I have made some updates to my GET profile route to be more similar with it. But I still do not receive the cookie in the frontend.

I do not see any errors in the console (in the functions tab of my app). I can share the response headers, which includes the request id:

HTTP/2 200 OK
access-control-allow-credentials: true
access-control-allow-origin: https://app-starter.chesscoders.com
cache-control: no-cache
content-length: 198
content-type: application/json; charset=utf-8
etag: W/"c6-FjbP20F3CpJj+OGTG98nz16lbhg"
set-cookie: current_timestamp=1608547800547; Path=/
strict-transport-security: max-age=15552000; includeSubDomains
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
date: Mon, 21 Dec 2020 10:50:00 GMT
age: 0
server: Netlify
vary: Origin
x-nf-request-id: 8e1adbfd-da2f-49e2-b040-10e09957c490-17199041
X-Firefox-Spdy: h2

Best wishes,
Victor

Thanks so much, that’s helpful- checking our logs for that ID, I am seeing this error:
"Failed to parse token" error="signature is invalid" in response to a GET request to jovial-fermi-0a9389.netlify.app/.netlify/functions/app/profile. Can you try logging the signed payload when deployed vs. locally and see if they differ?

Hello Jen,

Please excuse my negligence, that URL was under an authentication middleware and I believe the error message is a valid one. To correct this, I have created this public page https://app-starter.chesscoders.com/cookies.

On clicking the button, it triggers a GET request on the public URL https://jovial-fermi-0a9389.netlify.app/.netlify/functions/app/give-me-cookies, which should send some cookies to the frontend, as you can explore in the request headers from that request.

The request id is now b619cded-aaef-415d-a297-3cc611ed8a91-17070907.

Best wishes,
Victor

Thanks for that! I didn’t see anything surprising in our logs, but I did confirm that the cookie wasn’t set I’ll put this in front of my colleagues in case they have any ideas about what the problem could be.

One alternative to try would be setting the cookie in the function response, like this:

exports.handler = async function(event, context) {
    return {
      statusCode: 200,
      headers: {"set-cookie": "cookieName=cookieValue; HttpOnly"}
    };
};