Use Login response Cookies (for refresh token, etc)

[Ojisama]

There is an issue with how the frontend handles cookies from the login.

bifrost/examples/bifrost-starter/apps/frontend/services/api/auth/login.ts

Line 12 in 7e5b78e

getAccessFromResponse(await apiClient.post<unknown>(ApiRoutes.login, data)),

should instead read

getAccessFromResponse(await apiClient.post<unknown>(ApiRoutes.login, data, { withCredentials: true })),

Currently, according to XMLHttpRequest specs (which Axios uses behind the scenes), if the request doesn't have withCredentials: true, the Cookies in the response headers (set by Set-Cookie) are simply ignored.

Spent hours debugging why my browser wouldn't use the cookies from the headers, when they were clearly there...
By the way, I guess you should also add the AccessToken in the response cookies, since you'd want to send it via getStaticProps to have authentication for SSR.

[Ojisama]

@LeoAnesi ?

[LeoAnesi]

@Jeremie-Chauvel FYI
You're right we should add the withCredentials to this call. I'll do a PR this afternoon.

But adding the access token to the cookies would be a security flaw in my opinion, it exposes you to CSRF attack. We can not simply add it.