Why is the Set-Cookie header not being sent? — using Restify

Question

I'm working on the authentication system for a Node app. The login page sends an AJAX request to the authentication endpoint, and the endpoint then queries our user database to determine the validity of the credentials. If the endpoint determines that the credentials are valid, I use Express's res.cookie() method to create a cookie on the client side which contains the authentication info for later requests.

The authentication is working fine, and the response is being sent back to the user, but when I look in the developer tools, I see no authorization cookie, and no mention of a Set-Cookie header. What gives?

Further information:

Headers on the response

restify.CORS.ALLOW_HEADERS.push('Accept-Encoding');
restify.CORS.ALLOW_HEADERS.push('Accept-Language');
restify.CORS.ALLOW_HEADERS.push('authorization');
restify.CORS.ALLOW_HEADERS.push('token');
server.use(restify.CORS({
  origins: ['*'],
  credentials: true,
  headers: ['token']
}));

/* break */

server.opts(/\.*/, function (req, res, next) {
  res.header('Access-Control-Allow-Credentials', true);
  res.header('Access-Control-Allow-Headers', restify.CORS.ALLOW_HEADERS.join(', '));
  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
  res.header('Access-Control-Allow-Origin', res.headers.origin);
  res.header('Access-Control-Max-Age', 0);
  res.header('Content-type', 'text/plain charset=UTF-8');
  res.header('Content-length', 0);
  res.send(200);
  next();
});

Relevant portion of the authentication api

function authHandler(req, res, next) {

  authMan.authenticate(req.params.username,req.params.password).then(function(userdata){
    /*d*/console.log('userData:'+userdata);
    // jwt library for JSON web tokens
    const authorization = jwt.sign(
      {'sub': userdata.username, 'roles': authMan.getGroups(userdata)},
      // global
      authSecret,
      {issuer:'myCompany.com'}
    );

    // Only send the client the user's username and display name
    var strippedData = {};
    strippedData.username = userdata['username'];
    strippedData.displayName = userdata['displayName'];
    // Disable https when not in prod
    var useHttps = true;
    if (process.env[NODE_ENV] === 'dev') {
      useHttps = false;
    }
    res.cookie('authorization', authorization, {
      httpOnly: true, 
      secure: useHttps
    });
    /*d*/console.log('Sent the request back!');
    res.send({
      status: 'OK',
      userdata: strippedData
    });
    next();
  },function(err){
    /*d*/console.log('authHandler error: '+err);
    res.status(401).send({
      status: 'ERROR',
      error: err
    });
    next();
  });
  metrics.log(etc);
  next();
}

You'll note that in the above code, there's a debug printf saying "Sent the request back!" While the response is being sent back to the server, and it contains the correct content, this statement never appears in my console, even though it appears prior to res.send() .

Answer 1

After examination and help from my colleagues, the issue was that res.cookie() was undefined. I somehow got it into my head that restify.js , the server we're using, was a superset of express.js . It is not! The function I should've used is res.setCookie() .