erikras / react-redux-universal-hot-example

A starter boilerplate for a universal webapp using express, react, redux, webpack, and react-transform
MIT License
12.01k stars 2.5k forks

Passing API's Set-cookie through to the browser #1230

Open dshiells opened 8 years ago

dshiells commented 8 years ago

Hi all,

I'm trying to pass through a Set-cookie header from my API to the browser, and want to run my potential solution by you to get feedback/ask if it's safe. Since this is authentication, I wanted second opinions first before going live with it.

Basically in ApiClient.js I save the set-cookies returned from the API to a global variable (global.setCookies):

        request.end((err, { body, header } = {}) => {
          // header is undefined when the request fails without a response
          if (header && typeof header['set-cookie'] !== 'undefined') {
            const setCookies = header['set-cookie'];

            if (typeof global.setCookies === 'undefined') {
              global.setCookies = [];
            }

            // global.setCookies is shared by every request this Node process handles
            global.setCookies = global.setCookies.concat(setCookies);
          }

          return err ? reject(body || err) : resolve(body);
        });

Then in src/server.js I set them before returning the result (and clear them before the next request):

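        // global.setCookies stays undefined until an API response carries a Set-Cookie header
        const pendingCookies = global.setCookies || [];
        for (let idx = 0; idx < pendingCookies.length; idx++) {
          res.append('Set-Cookie', pendingCookies[idx]);
        }

        global.setCookies = [];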

I guess my biggest concern is if they are stored globally, could they end up in someone else's request?

Hope that all makes sense :)
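
The concern raised in the post above, worked through as an added example that is not part of the original thread or the project's code: two overlapping requests served by one Node process, first with the process-wide array and then with a request-scoped one. The names `fakeApi`, `globalHandler`, `scopedHandler`, `race` and `demo`, the cookie values and the timings are all constructed for illustration.

```javascript
// Constructed simulation: no Express or superagent, only the state-sharing pattern.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Stand-in for the upstream API: replies with a per-user Set-Cookie header.
async function fakeApi(user, latencyMs) {
  await sleep(latencyMs);
  return { header: { 'set-cookie': [`session=${user}; HttpOnly`] } };
}

// Pattern from the post. `shared` plays the role of global.setCookies in one
// Node process, so every request handled by that process sees the same array.
function globalHandler() {
  const shared = { setCookies: [] };
  return async (user, apiMs, renderMs) => {
    const { header } = await fakeApi(user, apiMs);
    shared.setCookies = shared.setCookies.concat(header['set-cookie']);
    await sleep(renderMs);            // remainder of the server-side render
    const sent = shared.setCookies;   // what res.append('Set-Cookie', ...) would emit
    shared.setCookies = [];
    return sent;
  };
}

// Request-scoped alternative: the jar is created per request and never shared.
function scopedHandler() {
  return async (user, apiMs, renderMs) => {
    const jar = [];
    const { header } = await fakeApi(user, apiMs);
    jar.push(...header['set-cookie']);
    await sleep(renderMs);
    return jar;                       // copied onto this request's own res
  };
}

// Two overlapping requests: alice renders slowly, bob finishes first.
async function race(handler) {
  const [alice, bob] = await Promise.all([
    handler('alice', 5, 200),
    handler('bob', 10, 5),
  ]);
  return { alice, bob };
}

async function demo() {
  return { global: await race(globalHandler()), scoped: await race(scopedHandler()) };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

With the shared array, bob's response carries alice's session cookie as well as his own and alice's response carries none; with the request-scoped jar each response carries only its own cookie.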

isaachinman commented 7 years ago

Hi @dshiells, I know it's been a while but I am trying to set up the exact same thing. Can you tell me where in server.js you added those lines?

janziemba commented 7 years ago

+1

isaachinman commented 7 years ago

@janziemba This is a pretty old thread, I doubt you'll see any resolution or help. The best way forward is to probably write your own client middleware - I believe that's how I got around this.