How to set HTTP headers for client (browser) while sending a response containing the headers to be set and the redirect url from backend (Node.js)?

Question

I am really sorry about if I am missing something very basic here, but here goes...

BRIEF: My question is the same as the one found here: How to set headers while requesting a page in nodejs?, and Mr Khan's answer there is just falling short of explaining how to set the headers from backend (Node.js). I would have commented there, but I don't have enough Karma for that :(

This is what I've done so far:

const newTokens = await jwt.generateJWT(user); // generateJWT is a custom function that returns two tokens
res.setHeader("Authorization", `Bearer ${newTokens.accessToken}`);
res.setHeader("refresh-token", newTokens.refreshToken);

return res.redirect("/member/dashboard");

The above code is able to send the HTTP headers to the browser, but is not able to set them on the browser for the domain.

The response headers as in Firefox are:

HTTP/1.1 302 Found
X-Powered-By: Express
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiNjA3MDgyNDlmNjBjNjE1YWU4NTdjMmU4IiwidXNlcl9yb2xlIjoibWVtYmVyIiwidXNlcl9uYW1lIjoiQWxleCIsImlhdCI6MTYxNzk5OTM5NywiZXhwIjoxNjE3OTk5OTk3fQ.Odb6TrWBnf9dq00T_ddxD9hqVjhFQYdqA5pP2u6y-2k
refresh-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiNjA3MDgyNDlmNjBjNjE1YWU4NTdjMmU4IiwiaWF0IjoxNjE3OTk5Mzk3LCJleHAiOjE2MTc5OTk5OTd9.kY9DZWprHxZFMI3btX-yzZxiUrqZY3kdmxzyc3apAyw
Location: /member/dashboard
Vary: Accept
Content-Type: text/html; charset=utf-8
Content-Length: 78
Date: Fri, 09 Apr 2021 20:16:37 GMT
Connection: keep-alive

Note: The "Authorization" and "refresh-token" headers have been sent, and the redirect "location" has also been set causing the 302 status code.

Unfortunately, the headers don't seem to be returning on all subsequent requests from the client as the headers are not being set.

Please let me know if I am doing something obviously wrong.

EDIT: The reason I am trying to do this from the backend directly is that I don't want to depend on the frontend to handle this job, as I do not intend on implementing a framework-specific frontend, i.e., it should work across all frameworks.

PS: Forgive me if my English is bad, it isn't my native language.

Answer 1

When you do res.redirect(), the browser will NOT apply the headers you set on that response to the redirected request. Those headers are part of the response back to the requesting client and that's all. They will NOT be sent with the redirected request.

Headers on the redirected request cannot be controlled by the server. Browsers just don't work that way so you can't design things that way if you're relying on a standard browser to be the client.

If you're using redirection and you want something sent back with the redirection, then your best option is typically to put stuff into a cookie or into the query string of the redirect URL. That cookie or query string will be sent with the redirected request and the server can get it from there.

You could also establish a server-side session and put data into that session. This will set a session cookie which will be present on future client requests and the server can then access data from the server-side session object on future requests from that client.