Cookie session related middleware interferes #250

Open
styliii opened this issue Feb 1, 2023 · 3 comments

styliii commented Feb 1, 2023

For some reason, when I add cookie related middleware (specifically ActionDispatch::Session::Cookie), the rack-cors gem stops working. I'll get the ActionController::InvalidAuthenticityToken (HTTP Origin header (http://localhost:3000) didn't match request.base_url (http://localhost:3001)): error. Once I remove the cookie related middleware, everything starts working again. Any ideas? I've tried moving ActionDispatch::Cookies and ActionDispatch::Session::CookieStore above Rack::Cors, but that didn't work either.

Here's my bundle exec rake middleware output:

use Rack::Cors
use Rack::MiniProfiler
use ActionDispatch::HostAuthorization
use Rack::Sendfile
use ActionDispatch::Static
use ActionDispatch::Executor
use ActionDispatch::ServerTiming
use ActiveSupport::Cache::Strategy::LocalCache::Middleware
use Rack::Runtime
use ActionDispatch::RequestId
use ActionDispatch::RemoteIp
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use WebConsole::Middleware
use ActionDispatch::DebugExceptions
use ActionDispatch::ActionableExceptions
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::Migration::CheckPending
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
run WildflowerPlatform::Application.routes

My request

curl 'http://localhost:3001/login' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Origin: http://localhost:3000' \
  -H 'Referer: http://localhost:3000/' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-site' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' \
  -H 'sec-ch-ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw '{"user":{"email":"test@test.com","password":"password"}}' \
  --compressed

styliii changed the title from "Cookie related middleware interferes" to "Cookie session related middleware interferes" on Feb 1, 2023

cyu commented Feb 7, 2023

@styliii I don't think this is related to Rack::CORS. Take a look at this:

https://stackoverflow.com/questions/65688157/why-is-my-http-origin-header-not-matching-request-base-url-and-how-to-fix

I'm guessing you're not running behind nginx, but something is not lining up in either how you're testing, or in your app setup.
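
What the error message in this thread compares, and why a CORS allow-list does not change the outcome, as an added example: a simplified plain-Ruby model, not code from Rails, rack-cors or the participants. The helper names, the allow-list and the `app.example.test` proxy case are assumptions that go beyond the request shown above; the `localhost` values come from the curl command in the issue.

```ruby
# Added example: simplified model, not Rails or rack-cors source.
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

# Rebuild scheme://host[:port] from a Rack-style env. Forwarded headers are
# honoured on the assumption that a trusted reverse proxy set them.
def base_url(env)
  scheme = (env["HTTP_X_FORWARDED_PROTO"] || env.fetch("rack.url_scheme", "http"))
           .split(",").first.strip
  host = env["HTTP_X_FORWARDED_HOST"] || env.fetch("HTTP_HOST")
  name, port = host.match(/\A(.+?)(?::(\d+))?\z/).captures
  port = (port || DEFAULT_PORTS[scheme]).to_i
  port == DEFAULT_PORTS[scheme] ? "#{scheme}://#{name}" : "#{scheme}://#{name}:#{port}"
end

# Model of the CSRF origin comparison named in the error message: an absent
# Origin passes, "null" is refused, anything else must equal base_url exactly.
def origin_matches_base_url?(env)
  origin = env["HTTP_ORIGIN"]
  return true if origin.nil?
  return false if origin == "null"
  origin == base_url(env)
end

# CORS only selects response headers for the browser to enforce; it does not
# reject the request and has no influence on base_url.
def cors_response_headers(env, allowed_origins)
  origin = env["HTTP_ORIGIN"]
  return {} unless allowed_origins.include?(origin)
  { "access-control-allow-origin" => origin, "vary" => "Origin" }
end

# Constructed from the curl command in this issue.
ISSUE_REQUEST = {
  "REQUEST_METHOD" => "POST", "PATH_INFO" => "/login",
  "rack.url_scheme" => "http", "HTTP_HOST" => "localhost:3001",
  "HTTP_ORIGIN" => "http://localhost:3000"
}.freeze

# Constructed: TLS terminated at a proxy that forwards plain HTTP upstream.
PROXIED_REQUEST = {
  "rack.url_scheme" => "http", "HTTP_HOST" => "app.example.test",
  "HTTP_ORIGIN" => "https://app.example.test"
}.freeze

def evaluate(env, allowed_origins)
  { base_url: base_url(env), cors: cors_response_headers(env, allowed_origins),
    origin_check: origin_matches_base_url?(env) }
end

p evaluate(ISSUE_REQUEST, ["http://localhost:3000"])
p evaluate(PROXIED_REQUEST, [])
p evaluate(PROXIED_REQUEST.merge("HTTP_X_FORWARDED_PROTO" => "https"), [])
```

In the first result the CORS headers are granted while the origin comparison still fails, which is the combination reported in the issue.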


styliii commented Feb 8, 2023

Thanks for taking a look. I'm able to isolate it to a couple of line changes in my application.rb file. When I uncomment those last 3 lines, it stops working.

module MyPlatform
  class Application < Rails::Application
    config.load_defaults 7.0
    config.autoload_paths += %W(#{config.root}/lib)
    config.api_only = true
    
    # config.session_store :cookie_store, key: '_wf_session'
    # config.middleware.use ActionDispatch::Cookies
    # config.middleware.use config.session_store, config.session_options
  end
end


cyu commented Feb 9, 2023
