# ory-network
q
Hi All, I am having some issues with CORS using Heroku apps and wonder if anyone could help out. I have a client app that integrates with Ory Identities. I have a domain name set in Ory Identities (auth.example.com). I also have an API server that the client app sends GraphQL requests to. The client and API server both run on Heroku. I have each one set up with a domain name (client.example.com and api.example.com) and the correct CNAMEs configured in Cloudflare. I have also deployed the Cloudflare origin server certificates in the Heroku apps to get SSL working. I have added the appropriate CORS info for the above domains in the Ory domain section for auth.example.com. I have also added the client URL to the browser redirects allowed URLs in Ory. The flow is: the user logs in on the client, which uses the @ory/client package to handle the login flow. If `FrontendApi.getSession()` fails I redirect to `/ui/login?return_to=${window.location.href}`. This allows me to dynamically redirect to the app that is running (to allow for PR builds), rather than adding the redirect to Ory directly. The above works fine and the user can log in and a secure cookie is returned. I then add the cookie to the GraphQL request headers to pass it to my server. The server then needs to validate the cookie, and this is where I have run into an issue. In the server I use `FrontendApi.toSession({cookie})` to validate the received cookie; however, this verification fails. I am assuming it is failing because the cookie has been set with `sameSite=Strict` and the server is running on api.heroku.com (even though we have a CNAME for incoming requests to api.example.com). So the cookie URL and server URL don't match. Do you think this is the issue and, if so, what is the best way to verify a secure cookie that is passed from a client to a server? Would modifying the headers in my toSession request fix the issue:
```js
// `ory` is a FrontendApi instance from @ory/client; `cookie` is the Cookie
// header value received from the browser.
const modifiedOrigin = 'https://api.example.com';
const toSessionRes = await ory.toSession(
  { cookie },
  {
    headers: {
      Origin: modifiedOrigin,
      Referer: modifiedOrigin,
    },
  },
);
```
Thanks in advance for any help! P.S. This all works fine locally using the Ory tunnel.
l
Could it be an issue with Heroku CORS? When you make a credentialed request, the `Access-Control-Allow-Origin` response header can’t be `*`. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#requests_with_credentials The `sameSite=Strict` shouldn’t matter as long as the domains are the same. You can easily check the network tab to see if the cookie is being sent in the request or not. For the request sent by the server, it doesn’t actually matter which Ory domain you use. It doesn’t have the same limitations as the browser.
q
Hey Brandon, Many thanks for the response! You made some good points and helped me focus my investigation. As you say, there should be no limitations with CORS for the server request. I went back through the server logs again with more focus and noticed that actually the error from the whoami request was ECONNREFUSED! So checking the URL, it was missing the `https://` 😳 So that was the fix. No need to send any extra headers in the `toSession` request from the server. Thanks again for the assist!
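To make the two points of this thread concrete, here is an added example (not code from the thread or from @ory/client): the server-side request that validates a browser cookie against Ory's `/sessions/whoami` endpoint (the call `toSession({cookie})` performs), with a check that the base URL carries its scheme, and the CORS headers a credentialed browser request needs. `ALLOWED_ORIGINS`, `normalizeOryBasePath`, `buildWhoamiRequest`, `corsHeadersFor` and `validateSession` are names chosen for this example.

```javascript
// Constructed allowlist for this example: the browser origins the API may trust.
const ALLOWED_ORIGINS = new Set(["https://client.example.com"]);

// The Ory base URL must be absolute, including the scheme. A bare host such as
// "auth.example.com" is not an absolute URL, so the request never reaches Ory;
// the thread above traced its ECONNREFUSED to exactly this missing "https://".
function normalizeOryBasePath(basePath) {
  let url;
  try {
    url = new URL(basePath);
  } catch {
    throw new Error(`Ory base path must be an absolute URL with scheme, got: ${basePath}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`Ory base path must use https, got: ${url.protocol}`);
  }
  return url.origin;
}

// Request the server sends to Ory: forward the browser's Cookie header as-is.
// Origin/Referer are not needed here; server-to-server calls are not subject
// to the browser's CORS or SameSite rules.
function buildWhoamiRequest(basePath, cookieHeader) {
  return {
    url: `${normalizeOryBasePath(basePath)}/sessions/whoami`,
    headers: { Cookie: cookieHeader, Accept: "application/json" },
  };
}

// CORS headers for a credentialed (cookie-carrying) request: echo the exact
// allowed origin and set Allow-Credentials; "*" is rejected by browsers here.
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null; // unknown origin: no CORS headers
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Validate the cookie against Ory; null means "no valid session" (HTTP 401).
async function validateSession(basePath, cookieHeader) {
  const req = buildWhoamiRequest(basePath, cookieHeader);
  const res = await fetch(req.url, { headers: req.headers });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error(`whoami failed with HTTP ${res.status}`);
  return res.json(); // the Ory session object
}
```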