Qu-nii-sama Posts - Answer Overflow

Qu-nii-sama

•Created by Qu-nii-sama on 8/12/2023 in #help

❔ RefreshToken and Cookies

Hi I have a bug i can't quite figure out. I am trying to persist a refresh token as a cookie on the client. When developing locally I see the refresh token in the application tab ---> cookies but when I inspect the same tab in production I can't see the key-value pair for the refresh token. backend and frontend is both on https cookieoptions httpflag and secure are set to true. samesite to none The http call for login where the refresh token is issued have the withCrendentials set to true. The Cors is also set to AllowCredentials() When i login in production environment i see the refreshToken cookie in the response header. but not in the application tab -> cookies. but the follow sub request i see the refreshtoken in the request header. How do i get the refresh token to appear in the application tab -> cookies

    public static void AddCorsExtension(this IServiceCollection services )
    {
        var myAllowSpecificOrigins = "_myAllowSpecificOrigins";
        
        services.AddCors(options =>
        {
            options.AddPolicy(name: myAllowSpecificOrigins,
                              policy  =>
                              {
                                  policy.WithOrigins(MyAppData.Configuration["AllowedOrigins:Production"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Https"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Staging"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Dev"] ?? throw new InvalidOperationException())
                                        .AllowAnyHeader()
                                        .AllowAnyMethod()
                                        .AllowCredentials();
                              });
        });
    }

    public static void AddCorsExtension(this IServiceCollection services )
    {
        var myAllowSpecificOrigins = "_myAllowSpecificOrigins";
        
        services.AddCors(options =>
        {
            options.AddPolicy(name: myAllowSpecificOrigins,
                              policy  =>
                              {
                                  policy.WithOrigins(MyAppData.Configuration["AllowedOrigins:Production"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Https"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Staging"] ?? throw new InvalidOperationException(),
                                                     MyAppData.Configuration["AllowedOrigins:Dev"] ?? throw new InvalidOperationException())
                                        .AllowAnyHeader()
                                        .AllowAnyMethod()
                                        .AllowCredentials();
                              });
        });
    }

The next method is part of login endpoint

    private void SetRefreshTokenCookie(string newRefreshToken)
    {
        var refreshTokenCookieOptions = new CookieOptions
        {
            HttpOnly = true,              // Prevent XSS
            Secure   = true,              // Set to true to ensure cookies only sent over https
            SameSite = SameSiteMode.None, // Use none because of 3-Tier architecture - different domains 
            Expires  = DateTime.UtcNow.AddDays(int.Parse(_configuration["JWT:RefreshTokenValidityInDays"])),
            Path     = "/",
        };
        
        _httpContextAccessor.HttpContext?.Response.Cookies.Append("RefreshToken", newRefreshToken, refreshTokenCookieOptions);
    }

    private void SetRefreshTokenCookie(string newRefreshToken)
    {
        var refreshTokenCookieOptions = new CookieOptions
        {
            HttpOnly = true,              // Prevent XSS
            Secure   = true,              // Set to true to ensure cookies only sent over https
            SameSite = SameSiteMode.None, // Use none because of 3-Tier architecture - different domains 
            Expires  = DateTime.UtcNow.AddDays(int.Parse(_configuration["JWT:RefreshTokenValidityInDays"])),
            Path     = "/",
        };
        
        _httpContextAccessor.HttpContext?.Response.Cookies.Append("RefreshToken", newRefreshToken, refreshTokenCookieOptions);
    }

And lastly clientside code

  login(payload: any) {
    console.log('login');
    return this.httpClient
      .post(`${this.url}${this.endpoint}/login`, payload, {
        observe: 'response',
        responseType: 'json',
        withCredentials: true,
      })
      .pipe(
        tap((response: HttpResponse<object>) => {
          this.handleAuthentication(response);
        })
      );
  }

  login(payload: any) {
    console.log('login');
    return this.httpClient
      .post(`${this.url}${this.endpoint}/login`, payload, {
        observe: 'response',
        responseType: 'json',
        withCredentials: true,
      })
      .pipe(
        tap((response: HttpResponse<object>) => {
          this.handleAuthentication(response);
        })
      );
  }

I need that refreshToken to appear in the cookies in production

3 replies

Gaming

Programming