ExpressJS不同域名-CORS

Question

I am having a challange currently setting the domain for a cookie I am sending with the response from my expressjs implementation but currently it is only setting the IP address of where my expressjs server is at(the end point).

Here is my initial CORS configuration;

router.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "http://localhost:3000");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, 
Content-Type, Accept, pwd, email");
next();
});

Here is my res.cookie line inside my authentication part;

 res.cookie('token', token, {domain: "localhost", expires: new 
 Date(Date.now() + 600000*100000), httpOnly: true});

When I log in using chrome, very oddly I get the cookie but under the IP address of my expressjs endpoint, lets say " http://88.13.91.0 " so when I refresh I lose it. I also dont see in the response for the expressjs api the "set-cookie" header in the response, but I do get the cookie. I have cleared the cookie to make sure its coming after attempting to log in so I know its not stale. I also have in my fetch call "credentials" set to "include" as documented but no luck.

My question is, am I not able to set the domain if its not the same as the endpoint? My thought is that maybe this is a security issue and as a result blocked because no one should be able to set a cookie for a domain that isn't theres, or maybe I am wrong.

Answer 1

Try CORS like this and

import * as cors from "cors"; 

// or

const cors = require ('cors');
    app.get("/", function (req, res) {
      res.setHeader("Content-Type", "application/x-www-form-urlencoded");
      res.setHeader("Access-Control-Allow-Origin", "*");
      res.setHeader(
        "Access-Control-Allow-Headers",
        "Origin, X-Requested-With, Content-Type, Accept"
      );

      res.setHeader("Access-Control-Allow-Credentials", true);

add this above all your middleware

app.use(cors());