CODEWITHSUNDEEP
javascriptnode.jsexpresscookies
Chris Dziewa
Chris Dziewa

Reputation: 190

Can't access cookie on http in Heroku only https

I am having a strange issue with cookies in my node app. It is hosted on Heroku and I use JSON Web Tokens stored in a cookie that is authenticated by my express middleware. When I login on my Macbook pro, the cookie is successfully stored. However, when I use Linux Mint desktop, or an Android tablet, the site logs in but then redirects on protected routes and the cookie is never set.

This is where the cookie is set on login:

let token = jwt.sign({
    username: user.username,
    email: user.email
}, config.privateKey, {
   expiresIn: '7d'
});
let userResponse = {
    success: true,
    message: 'Successfully logged in!',
    id: user._id,
    email: user.email,
    username: user.username
}
    // set cookie for 7 days
res.cookie('auth_token', 
            token, 
           {maxAge: 604800000, path: "/"}).json(userResponse);

Here is my server.js file: 

'use strict';

const express = require('express');
const app = express();
const bodyParser = require('body-parser');
const env = process.env.NODE_ENV || "development";
const mongoose = require('mongoose');
const cookieParser = require('cookie-parser');
const config = require('./app/config/config.js');
process.env.PWD = process.cwd();

// Establish connection with MongoDB
mongoose.connect(config.db.connectString);

app.use(cookieParser());

// Allowing X-domain request
var allowCrossDomain = function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Cache-Control");

    // intercept OPTIONS method
    if ('OPTIONS' == req.method) {
      res.send(200);
    }
    else {
      next();
    }
};
app.use(allowCrossDomain);

app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

app.use(express.static('public'));

const db = mongoose.connection;
db.on('error', console.error.bind(console, 'connection error: '));
db.once('open', () => {
  console.log('Connected to sondage database');
});

// ===== Import Routers ======
const userRouter = require('./app/routes/user.routes')(express, app);
const pollRouter = require('./app/routes/poll.routes')(express, app);
const authRouter = require('./app/routes/auth.routes')(express, app);
app.use('/api/users', userRouter);
app.use('/api/polls', pollRouter);
app.use('/api/', authRouter);

// For all other requests, use React Router
app.get('*', function (request, response){
  response.sendFile(process.env.PWD + '/public/index.html');
});

app.listen(process.env.PORT || 3000, () => {
  console.log('Server running');
});

EDIT I have traced this down to a http vs https issue. If I use https in the request, the cookies work. Otherwise cookies aren't set. So I need a way to force the user to do HTTPS.

Upvotes: 0

Views: 561

Answers (1)

Chris Dziewa
Chris Dziewa

Reputation: 190

I was able to fix this using the heroku-ssl-redirect node package. This takes requests and forces the browser to use https for each request.

Upvotes: 1

Related Questions