Skip to content

Fix session cookies with proper CORS and credentialed auth requests #254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ChaitanyaChute wants to merge 2 commits into
base: main
Choose a base branch
from
+46 −3
Open

Fix session cookies with proper CORS and credentialed auth requests #254

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
97c7321
fix: enable CORS credentials and send auth cookies
ChaitanyaChute May 15, 2026
8e89435
Merge branch 'main' into fix/cors
ChaitanyaChute May 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion backend/server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,15 @@ require('./config/passportConfig');
const app = express();

// CORS configuration
app.use(cors('*'));
const allowedOrigins = (process.env.FRONTEND_URL || 'http://localhost:5173')
.split(',')
.map((origin) => origin.trim())
.filter(Boolean);

app.use(cors({
origin: allowedOrigins,
credentials: true,
}));

// Middleware
app.use(bodyParser.json());
Expand Down
8 changes: 6 additions & 2 deletions src/pages/Login/Login.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,15 @@ const Login: React.FC = () => {
setIsLoading(true);

try {
const response = await axios.post(`${backendUrl}/api/auth/login`, formData);
const response = await axios.post(
`${backendUrl}/api/auth/login`,
formData,
{ withCredentials: true }
);
setMessage(response.data.message);

if (response.data.message === 'Login successful') {
navigate("/");
navigate("/home");
}
} catch (error: any) {
setMessage(error.response?.data?.message || "Something went wrong");
Expand Down
31 changes: 31 additions & 0 deletions src/pages/Signup/Signup.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,37 @@ const SignUp: React.FC = () => {
setIsLoading(true);

try {
const response = await axios.post(
`${backendUrl}/api/auth/signup`,
formData,
{ withCredentials: true }
);
setMessage(response.data.message); // Show success message from backend

// Navigate to login page after successful signup
if (response.data.message === 'User created successfully') {
navigate("/login");}


// // Simulate API call (replace with your actual backend integration)
// try {
// // Mock successful signup
// setMessage("Account created successfully! Redirecting to login...");

// // In your actual implementation, integrate with your backend here:
// // const response = await fetch(`${backendUrl}/api/auth/signup`, {
// // method: 'POST',
// // headers: { 'Content-Type': 'application/json' },
// // body: JSON.stringify(formData)
// // });

// setTimeout(() => {
// // Navigate to login page in your actual implementation
// console.log("Redirecting to login page...");
// }, 2000);

Comment on lines +53 to +69
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Remove commented-out mock code.

The commented mock API implementation should be deleted entirely. Leaving dead code as comments clutters the codebase and provides no value since the actual implementation is now in place.

🧹 Proposed cleanup 
-    
-    // // Simulate API call (replace with your actual backend integration)
-    // try {
-    //   // Mock successful signup
-    //   setMessage("Account created successfully! Redirecting to login...");
-      
-    //   // In your actual implementation, integrate with your backend here:
-    //   // const response = await fetch(`${backendUrl}/api/auth/signup`, {
-    //   //   method: 'POST',
-    //   //   headers: { 'Content-Type': 'application/json' },
-    //   //   body: JSON.stringify(formData)
-    //   // });
-      
-    //   setTimeout(() => {
-    //     // Navigate to login page in your actual implementation
-    //     console.log("Redirecting to login page...");
-    //   }, 2000);
-      
     } catch (error) {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// // Simulate API call (replace with your actual backend integration)
// try {
// // Mock successful signup
// setMessage("Account created successfully! Redirecting to login...");
// // In your actual implementation, integrate with your backend here:
// // const response = await fetch(`${backendUrl}/api/auth/signup`, {
// // method: 'POST',
// // headers: { 'Content-Type': 'application/json' },
// // body: JSON.stringify(formData)
// // });
// setTimeout(() => {
// // Navigate to login page in your actual implementation
// console.log("Redirecting to login page...");
// }, 2000);
} catch (error) {
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Signup/Signup.tsx` around lines 53 - 69, Remove the dead
commented-out mock API block inside the Signup component (the commented
"Simulate API call" section) so the file no longer contains the old mock
fetch/timeout code; specifically delete the commented lines within the
Signup.tsx handleSubmit/submit flow that start with the "Simulate API call"
comment and the subsequent try/Mock successful signup/setTimeout stubs, leaving
only the real implementation and any real messaging (e.g., setMessage) intact.

} catch (error) {
setMessage("Something went wrong. Please try again.");
Comment on lines +70 to +71
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore backend error message extraction for better UX.

The new error handler uses a generic message, but the backend likely returns specific validation errors (e.g., "Username already exists", "Invalid email format"). Showing these details helps users understand and fix their input.

The previous implementation correctly extracted error.response?.data?.message with a fallback - that pattern should be preserved.

🔧 Proposed fix 
     } catch (error) {
-      setMessage("Something went wrong. Please try again.");
+      setMessage(
+        (error as any).response?.data?.message || "Something went wrong. Please try again."
+      );
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
} catch (error) {
setMessage("Something went wrong. Please try again.");
} catch (error) {
setMessage(
(error as any).response?.data?.message || "Something went wrong. Please try again."
);
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/Signup/Signup.tsx` around lines 70 - 71, Restore extraction of the
backend-provided error message in the Signup component's catch block: when
catching the error in the signup handler, read error.response?.data?.message
(falling back to error.message or a generic string) and pass that to setMessage
instead of the hardcoded "Something went wrong..." so users see
validation/backend errors; update the catch block around the signup submission
(where setMessage is currently called) to use this extraction logic.

const response = await axios.post(`${backendUrl}/api/auth/signup`, formData);
setMessage(response.data.message);

Expand Down