I have two applications that I am running locally: a React frontend and a Flask backend. The backend handles all of the OAuth authentication and provides a bunch of endpoints for the frontend.
React: http://www.local-app.com:3000/
Flask: http://www.local-app.com/
If I post to the URL http://www.local-app.com/v1/auth/login I get this response data:
Access-Control-Allow-Origin: http://www.local-app.com:3000
Connection: keep-alive
Content-Length: 2
Content-Type: text/html; charset=utf-8
Date: Fri, 08 Nov 2019 03:13:04 GMT
Server: nginx
Set-Cookie: remember_token=username|long_remember_token_here; Expires=Sat, 07-Nov-2020 03:13:04 GMT; Path=/
Set-Cookie: session=long_session_token_here; Domain=.local-app.com; Expires=Mon, 09-Dec-2019 03:13:04 GMT; HttpOnly; Path=/
Vary: Origin
This seems correct to me, but the cookie is never stored on the client no matter what I have tried.
Posting to http://www.local-app.com/v1/auth/login in Postman works. The cookie is set and persisted across other endpoints.
I think the problem lies with the cookie domain. I have tried setting a proxy and all sorts but nothing has worked.
Any suggestions?
The problem was due to the Flask-CORS module overwriting my Nginx CORS configuration. Adding the following code to the Flask app solved the problem for me.
from flask_cors import CORS
CORS(app, supports_credentials=True)  # app is the existing Flask application object
Thanks Selcuk for pointing me in the right direction.
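The response quoted in the question has no Access-Control-Allow-Credentials header, which is the header Flask-CORS emits once supports_credentials=True is set. The checker below is an added example, not code from either post: it runs a browser-style CORS check for a credentialed request over those headers and lists the hardening attributes each cookie lacks. The function names are hypothetical and the header sample is copied from the question.

```python
# Added example. RESPONSE_HEADERS is constructed from the response quoted in the question.
RESPONSE_HEADERS = """\
Access-Control-Allow-Origin: http://www.local-app.com:3000
Set-Cookie: remember_token=username|long_remember_token_here; Expires=Sat, 07-Nov-2020 03:13:04 GMT; Path=/
Set-Cookie: session=long_session_token_here; Domain=.local-app.com; Expires=Mon, 09-Dec-2019 03:13:04 GMT; HttpOnly; Path=/
Vary: Origin
"""
ORIGIN = "http://www.local-app.com:3000"  # origin of the React page
# Assumed shape of the response after the fix: the same headers plus the credentials header.
FIXED = RESPONSE_HEADERS + "Access-Control-Allow-Credentials: true\n"

def parse_headers(raw):
    """Return (lower-cased name, value) pairs; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def credentialed_cors_problems(raw, page_origin):
    """List the reasons the CORS check fails for a request sent with credentials."""
    headers = dict(parse_headers(raw))  # the CORS headers are single-valued
    problems = []
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin is missing")
    elif allow_origin == "*":
        problems.append("wildcard origin is not allowed with credentials")
    elif allow_origin != page_origin:
        problems.append("Access-Control-Allow-Origin does not match the page origin")
    if headers.get("access-control-allow-credentials") != "true":  # case-sensitive
        problems.append("Access-Control-Allow-Credentials: true is missing")
    return problems

def cookie_flags_missing(raw):
    """Map each Set-Cookie name to the hardening attributes it lacks."""
    report = {}
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        first, *attrs = [part.strip() for part in value.split(";")]
        present = {attr.partition("=")[0].lower() for attr in attrs}
        report[first.partition("=")[0]] = [
            flag for flag in ("HttpOnly", "Secure", "SameSite") if flag.lower() not in present
        ]
    return report

if __name__ == "__main__":
    print(credentialed_cors_problems(RESPONSE_HEADERS, ORIGIN))
    print(credentialed_cors_problems(FIXED, ORIGIN))
    print(cookie_flags_missing(RESPONSE_HEADERS))
```

The Secure finding only becomes actionable once the app is served over HTTPS; on the plain-HTTP local setup shown here a Secure cookie would not be sent back.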