pageballoon / headstart

Decoupled GraphQL-driven content management using OctoberCMS
https://octobercms.com/plugin/nocio-headstart
MIT License

auth_token header in spa/pwa app #2

Closed mitjarobic closed 4 years ago

mitjarobic commented 4 years ago

Hi,

I am using your auth.htm template. If I login from the integrated GraphiQL client the token/cookie is sent back in the response headers. But, if I login from a vue spa/pwa app the response headers do not have the auth_token.

Any ideas how to solve the problem?

frthjf commented 4 years ago

Hi @mitjarobic, thanks for using my plugin. There are three reasons that I can think of that all have to do with the security of cookie tokens:

  1. The cookie is only sent via SSL, not via unencrypted connections. If your development server does not use an SSL connection, you can set this parameter to false during development.
  2. The cookie is httpOnly, meaning it's only accessible for the server and not through JavaScript to prevent certain XSS attacks. This can be changed here, but shouldn't be changed.
  3. Your SPA might live under a different domain, so the cookie is not set because of the CORS policy. In that case, you can install one of these plugins.

Hope that helps! Let me know if it does not solve your problem.
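The three conditions in the answer above, modelled as a small JavaScript example. This is added here for illustration and is not code from the headstart plugin; the cookie name `auth_token` comes from the issue, while the origins, the token value, the `evaluateCookie` context fields and the `siteOf` heuristic are constructed assumptions. It goes one step beyond the answer by also checking the SameSite attribute, which matters once the SPA and the API are on different sites.

```javascript
// Added example, not code from the headstart plugin: a model of the three
// cookie conditions listed in the answer (Secure, HttpOnly, cross-origin CORS).
// Cookie value, origins and context fields below are constructed.

// Build a Set-Cookie header value carrying the attributes the answer mentions.
function buildSetCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, sameSite = 'Lax', path = '/' } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value back into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val; break;
      default: break; // Path, Expires, Max-Age etc. are not modelled here
    }
  }
  return cookie;
}

// Heuristic "site" of an origin: scheme plus the last two host labels.
// Fine for example.com-style hosts; public-suffix handling is deliberately omitted.
function siteOf(origin) {
  const url = new URL(origin);
  const labels = url.hostname.split('.');
  return `${url.protocol}//${labels.slice(-2).join('.')}`;
}

// Model of what a browser does with the login cookie for one response.
// ctx: { pageOrigin, apiOrigin, credentialsInclude, allowOrigin, allowCredentials }
// Returns { usable, visibleToScript, reason }.
function evaluateCookie(cookie, ctx) {
  const api = new URL(ctx.apiOrigin);
  // Reason 1: a Secure cookie is dropped when the API is reached over plain http.
  if (cookie.secure && api.protocol !== 'https:') {
    return { usable: false, visibleToScript: false, reason: 'Secure cookie rejected over http' };
  }
  // Reason 3: a cross-origin SPA needs a credentialed CORS exchange for cookies to flow.
  if (ctx.pageOrigin !== ctx.apiOrigin) {
    if (!ctx.credentialsInclude) {
      return { usable: false, visibleToScript: false, reason: 'fetch was not sent with credentials: "include"' };
    }
    if (ctx.allowOrigin !== ctx.pageOrigin || !ctx.allowCredentials) {
      return {
        usable: false,
        visibleToScript: false,
        reason: 'CORS response needs Access-Control-Allow-Origin equal to the page origin and Access-Control-Allow-Credentials: true',
      };
    }
    // Cross-site (not merely cross-origin) use additionally needs SameSite=None.
    const sameSite = cookie.sameSite || 'Lax'; // browsers default an absent attribute to Lax
    if (siteOf(ctx.pageOrigin) !== siteOf(ctx.apiOrigin) && sameSite !== 'None') {
      return { usable: false, visibleToScript: false, reason: `SameSite=${sameSite} cookie is not sent on cross-site requests` };
    }
  }
  // Reason 2: HttpOnly keeps the token out of document.cookie; the browser still sends it.
  return { usable: true, visibleToScript: !cookie.httpOnly, reason: 'accepted' };
}

// The issue's scenario: GraphiQL on the API origin works, a plain-http dev SPA does not.
function demo() {
  const cookie = parseSetCookie(buildSetCookie('auth_token', 'constructed-token-value'));
  const graphiql = evaluateCookie(cookie, {
    pageOrigin: 'https://api.example.test', apiOrigin: 'https://api.example.test',
  });
  const devSpa = evaluateCookie(cookie, {
    pageOrigin: 'http://localhost:8080', apiOrigin: 'http://localhost:8000',
    credentialsInclude: true, allowOrigin: 'http://localhost:8080', allowCredentials: true,
  });
  return { graphiql, devSpa };
}
```

Running `demo()` shows the GraphiQL case accepted (with `visibleToScript` false because of HttpOnly) and the localhost SPA rejected purely because of the Secure attribute, which is the situation the answer's first point addresses; switching `secure` to false in `buildSetCookie` for development, or serving both origins over https, makes the SPA case pass.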

frthjf commented 4 years ago

Marking this as fixed. Please re-open if you encounter any further issues.