Shouldn't the Server Action fetch have an option to include credentials?

[therealgilles]

Shouldn't the Server Action fetch (below) have an option to include credentials?

From:

next.js/packages/next/src/client/components/router-reducer/reducers/server-action-reducer.ts

Line 88 in c50109b

const res = await fetch('', {

  const res = await fetch('', {
    method: 'POST',
    headers: {
      Accept: RSC_CONTENT_TYPE_HEADER,
      [ACTION_HEADER]: actionId,
      [NEXT_ROUTER_STATE_TREE_HEADER]: encodeURIComponent(
        JSON.stringify(state.tree)
      ),
      ...(process.env.NEXT_DEPLOYMENT_ID
        ? {
            'x-deployment-id': process.env.NEXT_DEPLOYMENT_ID,
          }
        : {}),
      ...(nextUrl
        ? {
            [NEXT_URL]: nextUrl,
          }
        : {}),
    },
    body,
  })

[icyJoseph]

same-origin (the default): only send and include credentials for same-origin requests.

• https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials

Since server actions POST to the same origin, they are included by default.

[therealgilles]

I see, thank you for the reply.

I think my problem is that I am using a real backend server during development and the cookies are associated with its subdomain. When using a server action, these cookies are not included due to the domain mismatch. I think it ought to work once deployed, but if I cannot test it out during development, it feels a bit like a gamble.

[therealgilles]

Follow-up question: If the server action response (from the backend server) contains cookies and a set-cookie header, will they be forwarded back to the client?

If not , is the only way to use an API endpoint instead?

PS: I am using an Apollo Client to make the requests to the backend. I see a set-cookie header on the graphql response, but it does not make it back to the browser.

[icyJoseph]

Nah, I meant cookieStore set

The API is:

// Set cookie
  cookieStore.set('cookie-name', 'cookie-value')

Sorry for the confusion there, I edited my previous comment for clarity sake.

Always refer to the docs, https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#cookies

[therealgilles]

If I need the cookies to be set in the browser, doesn't the client response need to contain a set-cookie header? Or are you saying that if I set them on the server response (as cookies), the client will get them anyway?

[icyJoseph]

Yeh, that's the promise of the cookies API.

cookies is an async function that allows you to read the HTTP incoming request cookies in Server Component, and read/write outgoing request cookies in Server Actions or Route Handlers

• https://nextjs.org/docs/app/api-reference/functions/cookies

[therealgilles]

Ah, does cookieStore.set() ends up adding the set-cookie header to the server action response?

[icyJoseph]

You got it.