I have an Angular 12 front-end application communicating with a Spring Boot back-end one. APIs shall be called passing a CSRF token using a cookie, but it seems like my logic is only working for localhost.
Please find the following snippets of code:
- Angular cookie set through ngx-cookie-service:
this.cookieService.set(key, value, {
secure: environment.apiHost.startsWith('https'),
sameSite: environment.apiHost.startsWith('https') ? 'None' : undefined
});
- Angular interceptor called before each request:
intercept(request: HttpRequest<unknown>, next: HttpHandler): Observable<HttpEvent<unknown>> {
// Handle cookies
request = request.clone({
withCredentials: true
});
return next.handle(request).pipe(
...
);
}
- Spring Boot CORS general configuration:
List<String> allowedOrigins = new ArrayList<>();
allowedOrigins.add("http://localhost:4200");
allowedOrigins.add("https://<host_name_not_localhost>");
config.setAllowCredentials(true);
config.setAllowedOrigins(allowedOrigins);
config.setAllowedHeaders(Arrays.asList("Origin", "Content-Type", "Accept"));
config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH"));
source.registerCorsConfiguration("/api/**", config);
return new CorsFilter(source);
I honestly don't understand if the issue lays in the front-end or in the back-end part... Again, sending cookies over HTTP (localhost) works fine, while the Cookie attribute doesn't appear when debugging the call over HTTPS.
Do you have any advice on this?
Thank you in advance.
I decided to get rid of the cookies and pass the information in the request header, which seems to be a much more secure approach. Plus, I can control the allowed headers from the back-end itself.