Webpack Dev Server Utils - Allow changing of the set-cookie header #4455

Closed
@JeffBaumgardt

I'm happy to discuss but let me first explain.

I have an API that sets a cookie on successful login and uses that as the authentication and session variable for the rest of the session.

However, our API sets the cookie with the domain and secure attributes, so when we are on localhost:3000 in CRA this fails to set the cookie, thereby not allowing any authenticated requests.

    authKey=<keydetails>; expires=Mon, 14 May 2018 00:18:01 GMT; domain=ml-dev2.caseshare.com; path=/; secure; samesite=lax; httponly

The domain is set so that, when the application is live, the requests come from the same host as the API. Secure is for HTTPS.

I would like to strip these from the cookie at the proxy portion of the dev server.

I would eject, but this util is buried deep and I would basically have to rewrite all of the webpack config, and I really don't want to. If we added additional properties to the proxy section that would allow us to strip/rewrite these attributes, that would save me a ton of time.

I see it something like this:

onProxyReq: proxyReq => {
    // Browsers may send Origin headers even with same-origin
    // requests. To prevent CORS issues, we have to change
    // the Origin to match the target URL.
    if (proxyReq.getHeader('origin')) {
      proxyReq.setHeader('origin', target);
    }
},
// Set-Cookie is a response header, so the cleanup runs on the proxied response.
onProxyRes: proxyRes => {
    if (proxy[context].cleanCookie && proxyRes.headers['set-cookie']) {
      proxyRes.headers['set-cookie'] = proxyRes.headers['set-cookie'].map(cookie => {
        return cookie
          // Get rid of the domain so that the browser doesn't reject due to a mismatch.
          .replace(/\s+domain=[^\s;]+;?/i, '')
          // Get rid of the "secure" attribute so that we don't have to run https.
          .replace(/\s+secure;?/i, '');
      });
    }
}

I know this is a bit of a special case, but I'm sure I can't be the only one who has been hit with an API setting a secure / domain-specific cookie before.
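
An added example, not part of the original issue or of Create React App's code: a development-only rewrite of `Set-Cookie` values that drops `Domain` and `Secure` as the issue proposes, but leaves `__Secure-`/`__Host-` cookies alone and downgrades `SameSite=None`, which browsers only accept together with `Secure`. The function names, the `nodeEnv` option and the sample cookie value are assumptions made for this example.

```javascript
// Hypothetical helper (not a CRA or http-proxy-middleware API): rewrite one
// Set-Cookie value so a browser on plain-HTTP localhost will store it.
function rewriteSetCookieForDev(setCookie, { nodeEnv = process.env.NODE_ENV } = {}) {
  // Never weaken cookie attributes outside development.
  if (nodeEnv !== 'development') return setCookie;

  const [pair, ...attrs] = setCookie.split(';').map(part => part.trim());
  const name = pair.split('=')[0];

  // Browsers reject __Secure- and __Host- cookies that lack Secure, so
  // stripping it cannot make them work over HTTP; pass them through unchanged.
  if (/^__(Secure|Host)-/i.test(name)) return setCookie;

  const kept = [];
  for (const attr of attrs) {
    if (attr === '') continue; // tolerate a trailing ';'
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === 'domain' || k === 'secure') continue;
    // SameSite=None is only accepted together with Secure; use Lax in dev.
    if (k === 'samesite' && value.trim().toLowerCase() === 'none') {
      kept.push('SameSite=Lax');
      continue;
    }
    kept.push(attr);
  }
  return [pair, ...kept].join('; ');
}

// Apply the rewrite to Node-style response headers, where set-cookie is an
// array of strings (or absent).
function rewriteResponseCookies(headers, opts) {
  if (Array.isArray(headers['set-cookie'])) {
    headers['set-cookie'] = headers['set-cookie'].map(c => rewriteSetCookieForDev(c, opts));
  }
  return headers;
}

// Constructed sample: the cookie from the issue with a made-up value.
const SAMPLE = 'authKey=abc123; expires=Mon, 14 May 2018 00:18:01 GMT; ' +
  'domain=ml-dev2.caseshare.com; path=/; secure; samesite=lax; httponly';
console.log(rewriteSetCookieForDev(SAMPLE, { nodeEnv: 'development' }));
```

With http-proxy-middleware, `rewriteResponseCookies` would be called on `proxyRes.headers` from the `onProxyRes` hook.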
