Send authentication cookies along Axios Request

Ctaque · May 24, 2023, 5:09pm

We plan to migrate our authentication method from jwt in localstorage to session cookies authentication, in the purpose of api subdomain authentication, instead of front end subdomain authentication.
(one api subdomain can have multiple front end subdomains) .

Ex:
Api subdomain (owner) :
https://myclientApiSubdomain1.apidomain.com/
can have multiple front end subdomains (entity) :
https://myClientFrontEndSubdomain1.clientdomain.com/
https://myClientFrontEndSubdomain2.clientdomain.com/

Today, myClientFrontEndSubdomain1 does not share authentication with myClientFrontEndSubdomain2.

It’s what we want to do and I know we can do it with session cookies.

Our javascript code is hosted on https://myclientApiSubdomain1.apidomain.com/client/build/js/app.js

There are one capacitor app per “myClientFrontEndSubdomain” which reference the javascript assets hosted remotely on the api server.

I have read lots of quirks about cookies not sent along http requests from capacitor.

My knownledge of capacitor is small, and my questions are :

Is there a way to send cookies along requests, working with our current codebase (axios requests)
Does it require a specific plugin
If a plugin is required, does it require specific ios capability(ies), like cookies consent (I believe no as authentication cookies does not require cookies consent in the scope of GDPR) ?
If not possible, what other options do we have ?

twestrick · May 25, 2023, 12:19pm

I would take a look at the Cookie and HTTP plugins. The HTTP plugin hijacks/patches your standard requests so you should be able to continue using Axios.

I personally have stayed away from using cookies due to hearing about all the issues in the past but the new Cookie plugin should resolve a lot of those issues from my understanding.

Hopefully someone else can chime in who has successfully used the new plugin.

Ctaque · May 25, 2023, 8:57pm

Yes ! It works.

Here is a test case

I had to add :

plugins: {
   "CapacitorCookies": {
      "enabled": true
    },
    "CapacitorHttp": {
      "enabled": true
    }
}

to capacitor.config.json

twestrick · May 25, 2023, 9:13pm

Nice! I would just make sure the cookie is actually being stored on the native side and sent vs. it just being picked up from the normal webview/browser cookies. From my understanding, the webview will store them but they aren’t guaranteed to stick around (hence all the problems people have without the native plugins).

I don’t see your test case doing a document.cookie so not sure the native Cookie plugin is actually storing your cookie being sent. Maybe the native HTTP plugin intercepts the Set-Cookie header in the response?

I have no idea how the plugins work as I haven’t used them. I just want to make sure it’s actually working for you vs. it just looking like it is