For those implementing a variation of this using AWS and having issues with HttpOnly cookies and CORS, here are some tips:
- Server-side: Make sure to set your cookie with `HttpOnly; SameSite=None; Secure`
- Server-side: Make sure you return a header `Access-Control-Allow-Origin` with a specific value, NOT `"*"`
- Server-side: With your Serverless config, make sure your `/login` and `/refresh-token` functions' `cors` value includes a specific `origin` (same as above) as well as a `headers` array including `"Access-Control-Allow-Credentials"`, not just the API Gateway defaults. This is so you can set `withCredentials` on the client side
- Client-side: set axios to have `withCredentials: true`
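The server-side tips above, as an added example that is not part of the original comment: a Lambda-style handler for `/login` or `/refresh-token` that sets the HttpOnly refresh cookie and returns credentialed CORS headers only for an allowlisted origin. The allowlist, the cookie name and the function names are assumptions; the client side is just axios with `withCredentials: true`.

```javascript
// Added example (not the original comment's code). Names such as
// ALLOWED_ORIGINS and buildLoginResponse are hypothetical.

// Constructed allowlist: the only front-end origins allowed to send cookies.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'http://localhost:3000',
]);

// Cookie attributes a cross-site, credentialed cookie needs:
// HttpOnly (no JS access), Secure (HTTPS only), SameSite=None (sent cross-site).
function buildRefreshCookie(token, maxAgeSeconds) {
  return [
    `refreshToken=${encodeURIComponent(token)}`,
    'HttpOnly',
    'Secure',
    'SameSite=None',
    'Path=/refresh-token',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// With credentials the browser rejects "*", so echo the request Origin only
// when it is on the allowlist; an unknown origin gets no CORS headers at all.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's answer to another
  };
}

// API Gateway proxy-style response for a successful login / refresh.
function buildLoginResponse(event, token) {
  const h = event.headers || {};
  const cors = corsHeaders(h.origin || h.Origin || '');
  if (!cors) {
    return { statusCode: 403, headers: {}, body: JSON.stringify({ error: 'origin not allowed' }) };
  }
  return {
    statusCode: 200,
    headers: {
      ...cors,
      'Content-Type': 'application/json',
      'Set-Cookie': buildRefreshCookie(token, 7 * 24 * 3600),
    },
    body: JSON.stringify({ ok: true }),
  };
}
```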