I am using an authentication API from a 3rd party to help authenticate users on the web app we're building. I'm having an issue with cookies returning without a domain parameter.

I'm following a Postman collection that was provided. The response returns a couple of cookies with the domain parameter correctly listed.

However, when I copy the code from Postman for Node.js - Request, I receive cookies, but the domain parameter is empty. This makes the cookies inaccessible to use in the follow-up call, because they are HttpOnly.

Here is the cookie response from chrome inspector - Network:

Here is the code that I added to our MERN app:

    getFlow = (callback) => {
        var request = require('request');
        // Options as exported by Postman ("Node.js - Request")
        var options = {
            'method': 'POST',
            'url': 'https://auth.pingone.com/XXX/as/authorize',
            'headers': {
                'Content-Type': 'application/x-www-form-urlencoded',
                'User-Agent': 'LII-Cello/1.0 libwww/2.5',
                'Cookie': 'ST=XXX',
                'accept-encoding': 'gzip, deflate, br',
                'content-length': '180'
            },
            form: {
                'response_type': 'token',
                'client_id': 'XXX',
                'redirect_uri': 'XXX',
                'scope': 'openid profile p1:read:user'
            }
        };
        request(options, function (error, response) {
            if (error) throw new Error(error);
            // The flow id is taken from the URL the authorize call ended up at
            let flowId = response._fetchResponse.url.split('flowId=')[1];
        });
    };

Why does the request not return cookies with domain, but does return correctly in Postman?

CorgBoy

1 Answer

The domain is implicit; Postman displays it because it is inferred from the hostname you are calling. If the field is empty, that won't prevent your cookie from working as intended.

Please take a look at this: "Set-Cookie header not working across domain", which details the steps to make a third-party cookie work in modern browsers.

Guerric P
  • I tried adding the following as properties to the header: `'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Origin': 'http://localhost:3000', 'X-Requested-With': 'XMLHttpRequest', 'cache': 'no-cache'`. I also tried adding this as a property to the request: `'credentials': 'same-origin'`. None of these resulted in the cookies being sent in the second request. Is there something else I'm missing from the article you linked? – CorgBoy Mar 24 '20 at 15:54
  • The headers should be set in the server's response, not in your request. If you have no control over the server, what you try to do is not doable. Also `credentials` should be set to `include` – Guerric P Mar 24 '20 at 16:09
  • I also tried setting credentials to include. This also did not return as expected. I have no control over the server. The SE that I'm working with was able to get a response on their end with cookies with domains. Any other ideas? – CorgBoy Mar 24 '20 at 19:48
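
Added example, not code from the question or the answer: a simplified version of the RFC 6265 storage rule the answer relies on, showing that a `Set-Cookie` without a `Domain` attribute becomes a host-only cookie that is still returned to the host that set it, and that `HttpOnly` does not stop an HTTP client from resending it. The function names, the cookie values and the `EX` cookie are constructed for illustration; Path, expiry and public-suffix checks are left out.

```javascript
// Added example: simplified RFC 6265 cookie storage and matching for an HTTP client.

// True when `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie value received from `requestHost`; returns null if rejected.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), // no Domain attribute: bound to the setting host
    hostOnly: true,                    // ...and sent back to exactly that host only
    secure: false,
    httpOnly: false,                   // hides the cookie from page scripts, not from HTTP
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
    if (key !== 'domain' || !val) continue;
    const d = val.replace(/^\./, '').toLowerCase();
    if (!domainMatches(requestHost, d)) return null; // Domain not covering the host is refused
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Build the Cookie header a follow-up request to `url` should carry.
function cookieHeaderFor(jar, url) {
  const { hostname, protocol } = new URL(url);
  return jar
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatches(hostname, c.domain)))
    .filter((c) => !c.secure || protocol === 'https:')
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: a cookie set without Domain is still sent back to its own host.
const jar = [parseSetCookie('ST=abc123; Path=/; Secure; HttpOnly', 'auth.pingone.com')];
console.log(cookieHeaderFor(jar, 'https://auth.pingone.com/XXX/flows'));
```

In a server-side client the jar has to be kept and the `Cookie` header built for each follow-up call, since nothing does that automatically the way a browser or Postman does.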