Tags: angularjs, express, cookies, safari, stormpath

Stormpath login fails on /me in safari due to access token


I use Stormpath to log in from an Angular web app with a Node/Express server. This all works well on most modern browsers, except Safari. It seems to be something with the access token cookies. Not sure if this is a bug, however.

When I log in (with username and password), my POST request goes well and looks like this:

POST /login HTTP/1.1
Host: ****api.herokuapp.com
Content-Type: application/x-www-form-urlencoded
Origin: http://app.****.com
Content-Length: 30
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Referer: http://app.****.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate

username=***&password=********

This all goes well and returns this response:

HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: http://app.****.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type
Access-Control-Allow-Credentials: true
Set-Cookie: access_token=eyJraWQiOiIySUxB****unsEg; path=/; expires=Wed, 06 Jan 2016 16:01:38 GMT; httponly
Set-Cookie: refresh_token=eyJraWQiOiIySUxBNV&****LlwrlEtNhzI; path=/; expires=Sun, 06 Mar 2016 15:01:38 GMT; httponly
Date: Wed, 06 Jan 2016 15:01:38 GMT
Transfer-Encoding: chunked
Via: 1.1 vegur

After the login request I do a /me request for the user profile data before I load a route. This request, however, returns an HTTP 401:

GET /me HTTP/1.1
Host: ****api.herokuapp.com
Origin: http://app.****.com
Connection: keep-alive
If-None-Match: W/"8c4-kH0dxMVw01EmGs/YFtZjXg"
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Accept-Language: en-us
Referer: http://app.****.com/
Accept-Encoding: gzip, deflate

In another browser (Firefox) the access_token cookie is sent with the /me request. I have no idea why Safari doesn't send the cookie along with the request. As a result the request is unauthorized (401). Does someone know how to fix this, or is it a bug in Stormpath?


Solution

  • This is likely caused by a cross-domain issue. You will encounter this problem if your Angular application is being served from a different domain than your API service. Safari does not allow cookies to be set on cross-domain requests.
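As an added example (not from the question or from Stormpath's SDK), the Node script below parses the access_token Set-Cookie header from the login response and checks whether a request from the app's origin to the API host would treat that cookie as third-party, which is the situation the answer describes. The hostnames app.example.com, example-api.herokuapp.com and api.example.com stand in for the masked "****" values, and the suffix list is a two-entry stand-in for the real Public Suffix List.

```javascript
// Added example (not from the question or from Stormpath): parse the
// Set-Cookie header from the login response and decide whether a request
// from pageOrigin to apiHost would carry the cookie as first-party or
// third-party. Hostnames are placeholders for the masked "****" values.
// Stand-in for the Public Suffix List, limited to what this example needs
// (herokuapp.com is a public suffix, so each Heroku app is its own site).
const PUBLIC_SUFFIXES = ['com', 'herokuapp.com'];

// Registrable domain (eTLD+1), e.g. app.example.com -> example.com.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.includes(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return labels.slice(-2).join('.');
}

// Minimal Set-Cookie parser covering the attributes seen in the question.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/',
                   expires: null, httponly: false, secure: false, samesite: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    if (key !== 'name' && key !== 'value' && key in cookie) {
      cookie[key] = i === -1 ? true : attr.slice(i + 1);
    }
  }
  return cookie;
}

// Classify the cookie for an API call made from a page at pageOrigin.
function cookieContext(pageOrigin, apiHost, setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const crossSite =
    registrableDomain(new URL(pageOrigin).hostname) !== registrableDomain(apiHost);
  const findings = [];
  if (crossSite) findings.push('third-party cookie: page and API are different sites');
  if (!cookie.secure) findings.push('missing Secure attribute');
  if (!cookie.samesite) findings.push('missing SameSite attribute');
  return { cookie, crossSite, findings };
}

// Constructed sample: the login response's access_token cookie, token masked.
const SAMPLE_SET_COOKIE = 'access_token=MASKED_JWT; path=/; expires=Wed, 06 Jan 2016 16:01:38 GMT; httponly';
console.log(cookieContext('http://app.example.com', 'example-api.herokuapp.com', SAMPLE_SET_COOKIE));
```

Calling cookieContext with api.example.com instead of the Heroku host reports crossSite as false, which models the fix the answer points at: serve the API under the same registrable domain as the app (or proxy it through the app's origin).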