Open rishabhpoddar opened 3 years ago
Hi there, not sure if this is the right place to inquire but I'm wondering what to do in this case: API and website domain do not share the same TLD, and Safari will not send cookies even if sameSite is `none`.

i.e. my web app is served on app.example.com and my API is available on api.example.com
@snipebin app.example.com and api.example.com do share the same top level domain. Therefore, it should work fine.
- … `/api/auth` is on the frontend, and `/api` is on the backend. This way, the `auth` part of the path is considered the tenantid, which probably won't exist.
- When using cookie based auth: `Access-Control-Expose-Headers` not set properly - which prevents frontend from reading the id-refresh-token, which prevents setting that state on the frontend.
- `Access-Control-Expose-Headers` set to `*` - which prevents frontend from reading the front-token, which prevents setting that state on the frontend. Even though it's star, it won't work cause of using credentials.
- … api.example.com and website is not on `*.example.com` and not on `example.com`), so Safari will not send cookies even if sameSite is `none`. Switch to using header based auth.
- … `node-fetch` instead of browser fetch even on client side. People might be using node-fetch for server side rendering and then not realising that they are using that for client as well. Our interceptors are added to `window.fetch` so their node-fetch wouldn't get the interceptors added, preventing a call to the refresh API.
- … `credentials: "same-origin",` to the headers for that lib, the cookies won't be sent.
- … `CookieManager.clearAllCookies` or they might be manually adding cookies while replacing existing ones.
- … `verifySession` returns 403, and the response contains `claimValidationErrors: id: st-ev`, this means that the user needs to go through the email verification flow.
- … `Failed to retrieve local session state from cookies after a successful session refresh. This indicates a configuration error or that the browser is preventing cookie writes.`
- … `res.setHeader('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate');` to your apis.
- … `rid,fdi-version,anti-csrf,st-auth-mode` to the existing `Access-Control-Allow-Headers` in the API gateway settings.
- … `The "listener" argument must be of type function. Received an instance of Object`, then see this thread: https://discord.com/channels/603466164219281420/1278371807925108791/1278371807925108791
- … on the frontend, then it is most likely due to a misconfig of the `sessionTokenFrontendDomain` (if you have set it). Either remove that config, or set it to a value that has the same top level domain as the current browser url.
- … `Access-Control-Expose-Headers` does not contain `front-token`
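Several items in the list above come down to the same CORS response headers: `Access-Control-Allow-Headers` must list `rid,fdi-version,anti-csrf,st-auth-mode`, `Access-Control-Expose-Headers` must name `front-token` explicitly (a `*` is not a wildcard once credentials are in use), and session APIs should carry the `Cache-Control` value quoted above. The following is an added example, not SuperTokens code and not from this thread: a small checker that flags those misconfigurations in a header map, plus a builder that emits a passing set. It assumes a plain object of response headers (as `res.getHeaders()` in Express returns) and that `content-type` is the only extra request header you need; the constructed `WEAK_HEADERS` sample reproduces two of the pitfalls from the list.

```javascript
// Added example (not part of the SuperTokens project): lint a CORS header map
// for the pitfalls listed in this thread, and build a correct one.
// Assumption: header names are matched case-insensitively; values are
// comma-separated lists as browsers expect.

const REQUIRED_ALLOW_HEADERS = ["rid", "fdi-version", "anti-csrf", "st-auth-mode"];
const REQUIRED_EXPOSE_HEADERS = ["front-token"];
const NO_STORE_CACHE_CONTROL = "no-cache, no-store, max-age=0, must-revalidate";

// Case-insensitive lookup so "access-control-allow-origin" and the
// canonical spelling are treated the same.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// "a, B ,c" -> ["a", "b", "c"]; missing header -> [].
function splitHeaderList(value) {
  if (value === undefined || value === null) return [];
  return String(value).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns a list of human-readable problems; an empty list means the
// headers pass every check this thread calls out.
function checkCorsHeaders(headers) {
  const problems = [];
  const usesCredentials =
    String(getHeader(headers, "Access-Control-Allow-Credentials")).toLowerCase() === "true";
  if (!usesCredentials) {
    problems.push("Access-Control-Allow-Credentials is not 'true'; cookies will not be sent cross-origin");
  }

  const origin = getHeader(headers, "Access-Control-Allow-Origin");
  if (origin === undefined) {
    problems.push("Access-Control-Allow-Origin is missing");
  } else if (origin === "*" && usesCredentials) {
    problems.push("Access-Control-Allow-Origin is '*' while credentials are used; browsers reject this");
  }

  const allow = splitHeaderList(getHeader(headers, "Access-Control-Allow-Headers"));
  for (const h of REQUIRED_ALLOW_HEADERS) {
    if (!allow.includes(h)) problems.push(`Access-Control-Allow-Headers is missing '${h}'`);
  }

  const expose = splitHeaderList(getHeader(headers, "Access-Control-Expose-Headers"));
  if (expose.includes("*") && usesCredentials) {
    // Per the Fetch spec, "*" is a literal header name, not a wildcard, when
    // the request was made with credentials, so front-token stays unreadable.
    problems.push("Access-Control-Expose-Headers is '*' while credentials are used; the frontend cannot read front-token");
  }
  for (const h of REQUIRED_EXPOSE_HEADERS) {
    if (!expose.includes(h)) problems.push(`Access-Control-Expose-Headers is missing '${h}'`);
  }

  const cache = splitHeaderList(getHeader(headers, "Cache-Control"));
  if (!cache.includes("no-store")) problems.push("Cache-Control does not include no-store");

  return problems;
}

// Builds a header set that passes checkCorsHeaders for an allow-listed origin.
// Returns null when the request origin is not on the allow list, so the caller
// sends no CORS headers at all rather than reflecting an arbitrary origin.
function buildCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS",
    "Access-Control-Allow-Headers": ["content-type", ...REQUIRED_ALLOW_HEADERS].join(","),
    "Access-Control-Expose-Headers": REQUIRED_EXPOSE_HEADERS.join(","),
    "Cache-Control": NO_STORE_CACHE_CONTROL,
  };
}

// Constructed sample: a gateway that reflects the origin but uses "*" for
// exposed headers, forgets st-auth-mode, and sets no Cache-Control.
const WEAK_HEADERS = {
  "Access-Control-Allow-Origin": "https://app.example.com",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "content-type,rid,fdi-version,anti-csrf",
  "Access-Control-Expose-Headers": "*",
};

// Usage: run the checker against the weak sample and the builder's output.
console.log("weak:", checkCorsHeaders(WEAK_HEADERS));
console.log("built:", checkCorsHeaders(buildCorsHeaders("https://app.example.com", ["https://app.example.com"])));
```

Drop `checkCorsHeaders(res.getHeaders())` into a test for your preflight route and it will tell you which of the above items applies before a browser does. Note that it deliberately does not try to decide whether two hosts share a top level domain; that depends on the public suffix list and is better verified in the browser's cookie inspector.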