fix(auth): add withCredentials and fix CORS to persist session cookies

anshul23102 · anshul23102 · commit fbf9cd877d37 · 2026-05-23T23:10:03.000+05:30
Login.tsx and Signup.tsx were sending axios POST requests without { withCredentials: true }, so the browser silently discarded the Set-Cookie header on every cross-origin login/signup response. No session cookie was ever stored, making every subsequent request appear unauthenticated. Changes: - src/pages/Login/Login.tsx: pass { withCredentials: true } as the third argument to axios.post for /api/auth/login - src/pages/Signup/Signup.tsx: same fix for /api/auth/signup; also remove the stale "Include cookies for session" comment that noted the intent but was never fulfilled - backend/server.js: replace cors('*') with a credentials-aware config (origin: FRONTEND_URL, credentials: true); a wildcard origin is rejected by browsers when credentials are present, so a specific origin is required for Set-Cookie to be honoured Fixes #414
diff --git a/backend/server.js b/backend/server.js
@@ -14,7 +14,12 @@ const logger = require('./logger');
 const app = express();
 
 // CORS configuration
-app.use(cors('*'));
+// withCredentials requires a specific origin — wildcard ('*') is rejected by browsers
+// when credentials are involved. FRONTEND_URL must be set in the backend .env file.
+app.use(cors({
+  origin: process.env.FRONTEND_URL || 'http://localhost:5173',
+  credentials: true,
+}));
 
 // Middleware
 app.use(bodyParser.json());
diff --git a/src/pages/Login/Login.tsx b/src/pages/Login/Login.tsx
@@ -30,7 +30,11 @@ const Login: React.FC = () => {
     setIsLoading(true);
 
     try {
-      const response = await axios.post(`${backendUrl}/api/auth/login`, formData);
+      const response = await axios.post(
+        `${backendUrl}/api/auth/login`,
+        formData,
+        { withCredentials: true }
+      );
       setMessage(response.data.message);
 
       if (response.data.message === 'Login successful') {
diff --git a/src/pages/Signup/Signup.tsx b/src/pages/Signup/Signup.tsx
@@ -83,10 +83,12 @@ const SignUp: React.FC = () => {
     }
     setIsLoading(true);
     try {
-      const response = await axios.post(`${backendUrl}/api/auth/signup`,
-        formData // Include cookies for session
+      const response = await axios.post(
+        `${backendUrl}/api/auth/signup`,
+        formData,
+        { withCredentials: true }
       );
-      setMessage(response.data.message); // Show success message from backend
+      setMessage(response.data.message);
 
       // Navigate to login page after successful signup
       if (response.data.message === 'User created successfully') {
