这个 javascript 前端、NodeJS 后端方案是否可行？

Question

I have a Domain-A which is static site built on netlify to provide shopping cart facilities.

I have a Domain-B server backend running a payment on Node.JS, and processing Auth Services via passport.js.

As a static site on Netlify this Domain-A cannot provide any backend services. The user sees this domain's web pages, selects products, and eventually presses a buy button. This button invokes JS code running in the browser, sending an AJAX /login to Domain-B. It successfully logs in. It returns a connect.sid cookie to Domain-A with SameSite:none, Secure:true. I can see the cookie with Chrome Debugger.

After a successful login return from Domain-B, Domain-A now sends an AJAX GET to Domain-B requesting seller and payment information. But the GET always fails with a 403 "User Not Logged In".

The AJAX GET includes

crossDomain: true,
headers: { 
    "Content-Type": "text/plain",
    "withCredentials": true
},

The Content-Type is to make it a CORS Simple Get and avoid Preflight issues, the withCredentials to make sure the cookie is included with the GET. I tried using a POST but it seems to always trigger Preflight processing which creates a lot of other complexities.

My basic question is, should I be able to do this, login and perform a GET from browser code of the Domain-A static site, to a NodeJS server on Domain-B? OR, must I get off Netlify and put it onto something like DigitalOcean where Domain-A has a backend which can login and get or post to Domain-B?

Is there sample code somewhere where I can copy the structure to my scenario? Thx.

Answer 1

try moving withCredentials outside of headers

crossDomain: true,
headers: { 
    "Content-Type": "text/plain",
},
withCredentials: true

Also, on your backend server, do you have cors configured to allow what your frontend is trying to do?

 cors({
    origin: 'netlifysite_uri',
    credentials: true,
    allowedHeaders: ['Content-Type'],
  })