Cookie not attached when request to server is redirected #2715

Closed
AdrianCiz opened this issue Nov 29, 2021 · 3 comments
AdrianCiz commented Nov 29, 2021

What is your Scenario?

When the page is using, in my case, OAuth (or in other cases any redirection targeting the tested service), the request for authentication in the identity manager is redirected from the service asking for authentication.
The user is logged in to the identity manager, and such a redirected request should respond with OK when the user has a valid session.
Session cookie is httpOnly: true, secure: true.

Everything works as expected when test is executed on https domain (e.g. prod env).
However when I try to run it against http localhost on dev server it fails because cookie is not attached.

Page is written in angular 11 and dev server is started using angular's option to proxy traffic to the backend service,
with termination of ssl and translation of host name.

When using dev server manually, everything works fine as localhost is treated by the browser as safe location
and secure cookies are working correctly.

What is the Current behavior?

fill data & click login ---------- /login ---------> Identity Manager
                        <---- OK, session cookie----

auth in backend service ---------- /auth  ---------> Backend service
using Identity Manager
                        <---- 302, /verify ---------

                        ---------- /verify --------> Identity Manager
                                without cookie!
                        <--------- 401 -------------

What is the Expected behavior?

fill data & click login ---------- /login ---------> Identity Manager
                        <---- OK, session cookie----

auth in backend service ---------- /auth  ---------> Backend service
using Identity Manager
                        <---- 302, /verify ---------

                        - /verify, session cookie -> Identity Manager
                        <--------- 200 -------------

What is your public website URL? (or attach your complete example)

var express = require('express');
var cookieParser = require('cookie-parser');

var app = express();

app.use(cookieParser());

app.use(function (req, res, next) {
  next();
  console.log(`<<< ${req.method} ${req.originalUrl}`);
  console.log(`>>> ${res.statusCode}\n`);
});

app.listen(3000);

app.post('/login', (req, res) => {
  res.cookie('session', 'abcd', {
    maxAge: 86400 * 1000,
    httpOnly: true,
    secure: true
  });
  res.status(200);
  res.send();
});

app.post('/logout', (req, res) => {
  res.clearCookie("session");
  res.status(200);
  res.send();
});

app.get('/authorize', (req, res) => {
  res.redirect(302, '/check-auth');
});

app.get('/check-auth', (req, res) => {
  const s = req.cookies && req.cookies.session ? req.cookies.session : '';
  if (s === 'abcd') {
    res.status(200);
  } else {
    res.status(401);
  }
  res.send();
});

app.get('/', (req, res) => {
  res.send(`
  <html>
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
  <script>
    let domain = "http://localhost:3000";
    function login() {
      $.ajax({
          url: domain + "/login",
          method: "post",
          complete(res) { console.log("Login: ", res.status); showResult(res.status); }
      })
    }
    function logout() {
      $.ajax({
          url: domain + "/logout",
          method: "post",
          complete(res) { console.log("Logout: ", res.status); showResult(res.status); }
      })
    }
    function auth() {
      $.ajax({
          url: domain + "/authorize",
          complete(res) { console.log("Auth: ", res.status); showResult(res.status); }
      })
    }
    function showResult(res) {
      if (res === 200) {
        $('#ok').show();
        $('#fail').hide();
      } else {
        $('#ok').hide();
        $('#fail').show();
      }
    }
  </script>
  <body>
  <button id="login" onclick="login()">login</button>
  <button id="auth" onclick="auth()">auth</button>
  <button id="logout" onclick="logout()">logout</button>
  <br>
  <h1 id="ok" style="color:#0f0; display: none">OK</h1>
  <h1 id="fail" style="color:#f00; display: none">FAIL</h1>
  </body>
  </html>
  `)
});

What is your TestCafe test code?

import { Selector } from 'testcafe';

fixture('Login Page')
  .page('http://localhost:3000');

test('can login with valid account', async t => {

  await t
    .click('button#login')

    .expect(Selector('#ok').visible).ok()

    .click('button#auth')

    .expect(Selector('#ok').visible).ok();
});

Your complete configuration file

default configuration without any changes

Your complete test report

Running tests in:

  • Firefox 94.0 / Linux 0.0

Login Page
✖ can login with valid account

  1. AssertionError: expected false to be truthy

    Browser: Firefox 94.0 / Linux 0.0

    10 |
    11 | .expect(Selector('#ok').visible).ok()
    12 |
    13 | .click('button#auth')
    14 |
    > 15 | .expect(Selector('#ok').visible).ok();
    16 |});
    17 |

    at (/home/ac/web/e2e/test.e2e.ts:15:38)
    at (/home/ac/web/e2e/test.e2e.ts:8:71)
    at __awaiter (/home/ac/web/e2e/test.e2e.ts:4:12)
    at (/home/ac/web/e2e/test.e2e.ts:6:48)

1/1 failed (6s)

Screenshots

N/A

Steps to Reproduce

1. Run example server
2. Test manually - press login, press auth, both gave ok result
3. Run test, test fails

TestCafe version

1.17.1

Node.js version

v14.17.5

Command-line arguments

npx testcafe firefox e2e/test.e2e.ts

Browser name(s) and version(s)

Firefox 94.0, Chrome 95.0.4638.69

Platform(s) and version(s)

Linux Manjaro 21.1.6

Other

No response
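
The Secure-cookie rule behind the two diagrams in this report, as an added example that is not part of the original post and not TestCafe code. The `Set-Cookie` string is constructed to match what the reproduction server sends, and `trustLoopback = false` is a hypothetical client that does not apply the localhost exception; it is an assumption for illustration, not a statement about how TestCafe's proxy works.

```javascript
// Added illustration: models when a Secure cookie is attached in the
// login -> authorize -> 302 -> check-auth flow of the reproduction server.

// Loopback hosts that current browsers treat as trustworthy even over http.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

function isTrustworthy(url, trustLoopback) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  return trustLoopback && u.protocol === 'http:' && LOOPBACK.has(u.hostname);
}

// Parse one Set-Cookie header into { name, value, secure, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const flags = attrs.map(a => a.toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.includes('secure'),
    httpOnly: flags.includes('httponly'),
  };
}

// Cookie header a client would send to `url`, or '' if nothing may be attached.
function cookieHeaderFor(jar, url, trustLoopback) {
  return jar
    .filter(c => !c.secure || isTrustworthy(url, trustLoopback))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Replay the three requests and return the status codes the page would see.
// Storage of the cookie is assumed; only the attachment decision is modelled.
function replayFlow(origin, trustLoopback) {
  // Constructed header, mirroring res.cookie('session', 'abcd', {...}) above.
  const jar = [parseSetCookie('session=abcd; Max-Age=86400; Path=/; HttpOnly; Secure')];
  const statuses = [200, 302]; // POST /login, then GET /authorize
  const sent = cookieHeaderFor(jar, origin + '/check-auth', trustLoopback);
  statuses.push(sent === 'session=abcd' ? 200 : 401); // same test as /check-auth
  return statuses;
}

console.log(replayFlow('http://localhost:3000', true));  // manual browser run
console.log(replayFlow('http://localhost:3000', false)); // hypothetical strict client
```

When triaging a failure like this one, compare the `Cookie` header on the redirected request against the scheme and host the client believes it is talking to.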

pavsenin commented Dec 2, 2021

Hello,

Thank you for the detailed steps. I reproduced the issue with them. We will research this issue and update this thread when we make any progress.

@qualityshepherd

I'm seeing a similar issue...

@Aleksey28
Collaborator

@qualityshepherd Thank you for your feedback. Please make sure that the problem you encountered is the same as the one we are discussing in this thread. Otherwise, please create a separate issue for it.
