Develop Reference

Fetch Request header not sending cookies in chrome (v90.0.44), working in Firefox(v88.0) (JS)

Really struggling on getting a Fetch API call to send cookies along in the request headers in Chrome (also they are not being set from 'Set-Cookie' response headers from returned API responses in Chrome). Both however, work on Firefox.
Feel like I've tried a million solutions here, can someone explain what I'm guessing is the SameSite issues for Chrome?
Our base api URL is https://stage-api-v2.cbb.play
Aliased hosts file for localhost:
127.0.0.1 localhost
127.0.0.1 local.cbb.play
Cookie that is set that we are trying to forward along
import * as cookie from 'cookie';
import { NextApiRequest, NextApiResponse } from 'next';
export default (req: NextApiRequest, res: NextApiResponse) => {
res.setHeader(
'Set-Cookie',
cookie.serialize('refresh_token', req.body.token, {
httpOnly: true,
maxAge: 60 * 60,
secure: process.env.NODE_ENV === 'production',
path: '/',
sameSite: 'lax',
domain: '.cbb.play',
})
);
res.statusCode = 200;
res.json({ success: true });
};
Front end code that calls the API:
async function renewSession(payload) {
return await fetch(process.env.BASE_URL + '/api/user/renew-session', {
method: 'POST',
credentials: 'include',
headers: { 'Content-type': 'application/json' },
body: JSON.stringify(payload)
})
}
Request header in Firefox:
POST /api/user/renew-session HTTP/2
Host: stage-api-v2.cbb.play
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: http://local.cbb.play:3000/
Content-Type: application/json
Origin: http://local.cbb.play:3000
Connection: keep-alive
Cookie: refresh_token=a49d51basasdfg4a569cc43b8603ac916f72c0102ace7b463d9c2;
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
TE: Trailers
Request Header in Chrome (no cookie):
:authority: stage-api-v2.cbb.play
:method: POST
:path: /api/user/renew-session
:scheme: https
accept: application/json
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 0
content-type: application/json
origin: http://local.cbb.play:3000
pragma: no-cache
referer: http://local.cbb.play:3000
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
sec-ch-ua-mobile: ?0
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Response Header: (Note, removed non-important properties)
access-control-allow-credentials: true
access-control-allow-headers: Set-Cookie, Credentials, Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
access-control-allow-methods: GET, HEAD, OPTIONS, POST, PUT, DELETE
access-control-allow-origin:http://local.cbb.play:3000
access-control-expose-headers: Content-Length,Content-Range,Set-cookie
content-encoding: gzip
content-type: application/json

How do I make a request using dojo.xhrGet() with Basic Authentication?

I'm trying to make a dojo xhrGet request using basic authentication but I keep getting 403 forbidden error. I can make the request with curl from the command line, so I know my credentials are valid. When I check the request headers, the Authorization: Basic header isn't even being set. What am I doing wrong:
var lookupArgs = {
url: "https://myendpoint.com/myapi/endpoint",
user:"myemail#myendpoint.com",
password:"mypassword",
handleAs: "text",
load: function(data) {
content_node.innerHTML = data;
},
error: function(error) {
content_node.innerHTML = error;
}
}
dojo.xhrGet(lookupArgs);
Request Header:
GET /myapi/endpoint HTTP/1.1
Host: myendpoint.com
Connection: keep-alive
Origin: http://my-origin
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3315.3 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://my-origin
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

POST request from Chrome extension results in 500 error

I'm making a POST request from a Chrome extension that appears identical to the one that submitting the form manually would do. I've submitted both and compared the body and headers and they seem to be identical.
The POST made via the browser form results in a 302 redirect. The POSTed entry is created and the user ends up on an edit screen for it.
The POST made via the extension results in a 500 error.
I'm filtering many of the headers sent by the extension to match those made by the browser, in case the server is looking for certain things that tip off a request as being non-native.
Hoping to exhaust all options before contacting the devs of the system being POSTed to. Any obvious things that could be happening server-side to block this request?
Here's the POST request made via the browser form:
Request Headers
Host: myhost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 901
Referer: https://myhost.com/referer
Cookie: app2=cookieredacted
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Request Body
record[user_name]=aasldkjflasdjf
record[new_password]=ljl;jl;kjklj
record[first_name]=ethan
record[middle_name]
record[last_name]=lastnm
record[name_suffix]
record[gender]=M
record[dob]=07/28/77
record[ssn]=654656546
record[group_number]
record[misc_number]
record[mothers_maiden_name]
record[active]=N
record[active]=Y
record[has_paper_chart]=0
record[notes]
record[address1]=234+htha+st
record[address2]
record[city]=euge
record[county_of_residence]
record[state]=OR
record[zip]=98754
record[country]
record[tel1]=5155555555
record[tel1_status]=4
record[tel2]
record[tel2_status]
record[cell]
record[cell_status]
record[email]=ethan#foo.com
record[preferred_contact]=home_tel
record[house]
record[room]
record[bed]
record[classroom]
Response Headers
Server: nginx/1.6.2
Date: Sun, 09 Jul 2017 01:06:12 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Status: 302 Found
Location: /entry/edit
And from the extension:
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.5
Cache-Control:no-cache
Connection:keep-alive
Content-Length:920
Content-Type:application/x-www-form-urlencoded
Cookie:app2=cookieredacted; gsScrollPos-2545=
Host:myhost.com
Pragma:no-cache
Referer:https://myhost.com/referer
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.50 Safari/537.36
Request Body
new_password_stub:"FoECbiRN"
record[active]:"Y"
record[address1]:"123 N 5th St"
record[address2]:""
record[bed]:""
record[cell]:""
record[cell_status]:""
record[city]:"Eugene"
record[classroom]:""
record[country]:""
record[county_of_residence]:""
record[dob]:"9/28/91"
record[email]:"ethan#foo.com"
record[first_name]:"Foo"
record[gender]:"M"
record[group_number]:""
record[has_paper_chart]:0
record[house]:""
record[last_name]:"Bar"
record[middle_name]:""
record[misc_number]:""
record[mothers_maiden_name]:""
record[name_suffix]:""
record[new_password]:"FoECbiRN"
record[notes]:""
record[preferred_contact]:"home_tel"
record[room]:""
record[send_notifications]:0
record[ssn]:"222222222"
record[state]:"OR"
record[tel1]:"5155555555"
record[tel1_status]:2
record[tel2]:""
record[tel2_status]:""
record[user_name]:"BarFoo2017"
record[zip]:"97401"
Response Headers
Cache-Control:no-cache
Connection:keep-alive
Content-Length:5110
Content-Type:text/html; charset=utf-8
Date:Sun, 09 Jul 2017 02:09:33 GMT
Server:nginx/1.6.2
Set-Cookie:mysite_session_id=; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000
Status:500 Internal Server Error

Thanks to wOxxOm for this one -
The extension was posting an extra field record[send_notifications] which was causing the 500 error.

Sending OAuth access token in Jquery Ajax request

Following documentation i put together this simple request. Every time i run this request i still get a 401 Authorization Required. I know the access token is fine because i use the same token using get to populate my models and it works fine it's only when i use post and place my token in the request headers.
Anyone else had this issue before?
jQuery.ajax( {
url: 'http://customer-server-2.dev/api/documents/add/.json',
type: 'POST',
data : {
guid : $('.guid-input').val(),
title : $('.title-input').val(),
payload : $('.payload-input').val()
},
beforeSend : function( xhr ) {
xhr.setRequestHeader( 'Authorization', 'BEARER ' + app.AccessToken );
},
success: function( response ) {
console.log(response);
},
error : function(error) {
console.log(error);
}
} );
response header
HTTP/1.1 401 Authorization Required
Date: Wed, 08 Apr 2015 12:20:28 GMT
Server: Apache/2.2.26 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.6
PHP/5.5.10 mod_ssl/2.2.26 OpenSSL/0.9.8za DAV/2 mod_perl/2.0.8 Perl/v5.18.2
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type, x-xsrf-token, Authorization
X-Powered-By: PHP/5.5.10
WWW-Authenticate: Bearer realm="Service", error="invalid_request", error_description="The access token was not found."
Content-Length: 81
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html
request header
OPTIONS /api/documents/add/.json HTTP/1.1
Host: customer-server-2.dev
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://test-client-app.dev
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2354.0 Safari/537.36
Access-Control-Request-Headers: accept, authorization
Accept: /
Referer: http://test-client-app.dev/index.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

jQuery - ajax - post - json request - doesn't have post body in some URL

I've been stuck at this for a while now. I have ajax request here:
$.ajax({
url: UPDATE_USER_INFO_URL ,
type: "POST",
dataType: "json",
contentType: "application/json",
data: JSON.stringify({user:'user'}),
success: function (data, textStatus) {
if(data["statusCode"] && data["statusCode"] == 1) {
_callback(1,data);
}
else {
_callback(0,data);
}
},
error: function (jqXHR, textStatus){
_callback(0, {});
}
});
If I set UPDATE_USER_INFO_URL to a specific URL, fiddler show nothing in the body. If I set UPDATE_USER_INFO_URL to something else (even invalid URL), it does put {user:'user'} in the body in fiddler.
With original UPDATE_USER_INFO_URL:
POST http://10.35.50.26:8080/SelfServiceWs/user/session/upduserinfo HTTP/1.1
Accept: application/json, text/javascript, ; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: http://10.35.50.26:8080/SelfService/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 10.35.50.26:8080
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0BF9D9CCCE9030E60AB0BCE5F6562CD8
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
Content-Length: 0
Chage url to /SelfServiceWs/abcdef
POST http://10.35.50.26:8080/SelfServiceWs/abcdef HTTP/1.1
Accept: application/json, text/javascript; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: http://10.35.50.26:8080/SelfService/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 10.35.50.26:8080
Content-Length: 15
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=9E79779805579A7964E03AAD76DF043B
{"user":"user"}
I have many other ajax calls, all are working as expected.
It must be little thing that I am missing.

I figured this out.
I have an authentication servlet filter to url /user/ssoauth, unexpectedly (to me), it made eveything call to URL under /user path (including /user/session/upduserinfo) to send out Authorization header. Moved filter to /user/auth/ssoauth stop client to send authorization header when calling user/session/upduserinfo and fix the problem.
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>/user/ssoauth</url-pattern>
</filter-mapping>
cause every client call to URL after /user to send Authorization header.
I learned something new today!

try this
data: JSON.stringify({'user':'user'}),