Working with cookies in openAPIHandler #960
-
|
I'm not able to recover the cookie or send it. I used the help functions but they didn't work either. import { createServer } from 'node:http'
import { setCookie } from '@orpc/server/helpers'
import { CORSPlugin } from '@orpc/server/plugins'
import { PORT, VERSION } from '@/constants/config'
import { ZodSmartCoercionPlugin } from '@orpc/zod'
import { OpenAPIHandler } from '@orpc/openapi/node'
import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4'
import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins'
import { router } from './router'
const prefix = '/api'
const openAPIHandler = new OpenAPIHandler(router, {
plugins: [
new CORSPlugin(),
new ZodSmartCoercionPlugin(),
new OpenAPIReferencePlugin({
docsProvider: 'scalar', // ou swagger
schemaConverters: [new ZodToJsonSchemaConverter()],
docsPath: '/docs',
specGenerateOptions: {
info: {
title: 'oRCP - Documentation',
version: VERSION,
},
},
}),
],
})
const server = createServer(async (req, res) => {
const headers = new Headers()
headers.forEach((value, key) => res.setHeader(key, value))
const result = await openAPIHandler.handle(req, res, {
prefix: '/api',
context: { headers },
})
setCookie(headers, 'sessionIdss', '123456', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
})
if (!result.matched) {
res.statusCode = 404
res.end('Not found')
}
})
const url = `http://localhost:${PORT}${prefix}`
server.listen(PORT, () => {
console.log(`
───────────────────────────୨ৎ────────────────────────
𖤍 Server: ${url}
𖤍 Documentation: ${url}/docs
───────────────────────────୨ৎ────────────────────────
`)
})export const loginRoute = os
.$context<{ headers: Headers }>()
.route({ method: 'POST', path: '/identity/login' })
.handler(async ({ context }) => {
if (context.headers === undefined) {
return {
message: 'Bad Request',
}
}
const name = 'name'
const cookieString = serialize(name, 'joao', {
path: '/',
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
})
context.headers.append('Set-Cookie', cookieString)
console.log({ 'Set-Cookie': context.headers.get('Set-Cookie') })
const cookieHeader = context.headers.get('cookie')
console.log({ cookieHeader })
console.log({ getCookie: getCookie(context.headers, name) })
if (!cookieHeader) {
return {
message: 'No cookie header present',
}
}
console.log({
pase: parse(cookieHeader)[name],
})
return { message: 'Login successful' }
}){
"Set-Cookie": "name=joao; Path=/; HttpOnly; SameSite=Strict",
}
{
cookieHeader: null,
}
{
getCookie: undefined,
}obs: This was just a test because I wanted to make an auth cookie, but even though I managed to save the cookie in storage, I couldn't read it later with any route. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 14 replies
-
|
Hi @DIEGOHORVATTI! I'm Dosu and I’m helping the orpc team. The main issue is that your context.headers is a new, empty Headers object per request—it does not contain the incoming request's headers, so it can't be used to read cookies sent by the client. The setCookie and getCookie helpers only operate on the Headers abstraction you provide, and oRPC does not automatically parse or propagate cookies between Node.js req/res and your context.headers. This means:
Here's a minimal pattern: const server = createServer(async (req, res) => {
// Initialize headers with incoming request headers
const headers = new Headers(req.headers);
// Pass headers to context
const result = await openAPIHandler.handle(req, res, {
prefix: '/api',
context: { headers },
});
// Set cookies for the response
setCookie(headers, 'sessionIdss', '123456', { /* options */ });
// Write all headers to the response
headers.forEach((value, key) => res.setHeader(key, value));
if (!result.matched) {
res.statusCode = 404;
res.end('Not found');
}
});This way, getCookie will work as expected, and cookies you set will be sent to the client. There is no built-in middleware in oRPC that does this for you—you need to handle it manually in your server code [source] [source]. To reply, just mention @dosu. How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other |
Beta Was this translation helpful? Give feedback.
-
I can only save the cookie on the client when I start the server if I have some setCookie defined in createServer, but if I try to save a cookie on some route on the client that made a request, it doesn't work. Is this the expected behavior? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, this is the expected behavior in oRPC with Node.js. Cookies set in route handlers (using setCookie or context.headers.append('Set-Cookie', ...)) will only be saved on the client if you manually propagate those headers to the HTTP response for each request. oRPC does not automatically sync context.headers with the outgoing response—so if you set a cookie inside a route handler, you must ensure that after the handler runs, your server code loops through context.headers and writes all headers (including 'Set-Cookie') to res before ending the response. If you only set cookies at server startup, those will always be sent, but per-request cookies require this manual step to persist on the client [source]. For example, after your handler runs, do: headers.forEach((value, key) => res.setHeader(key, value));This ensures any cookies set during the request are sent to the client. There’s no built-in middleware or automatic propagation for this in oRPC [source]. To reply, just mention @dosu. How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other |
Beta Was this translation helpful? Give feedback.
-
|
@unnoq I reviewed your entire GitHub repository, but I couldn't find any examples where you're setting a cookie in one route and then reading that cookie in another client route. It seems simple, but I couldn't get it to work. I'm in the middle of a proof of concept (POC) to evaluate oRPC for my company and possible production adoption and sponsorship. |
Beta Was this translation helpful? Give feedback.
-
So, create an example of what the ideal route would be for using openAPIHandler, with just a /login route that will propagate the cookie to the client and another /verify route that will receive the cookie and simply log it in. If possible, create midware for Auth with user context already in place. The data must be modified. |
Beta Was this translation helpful? Give feedback.
-
|
Here's a minimal example using openAPIHandler with manual cookie handling and a simple auth middleware pattern: import { createServer } from 'node:http'
import { setCookie, getCookie } from '@orpc/server/helpers'
import { OpenAPIHandler } from '@orpc/openapi/node'
import { router } from './router'
// --- Auth Middleware Example ---
async function withUserContext(context: { headers: Headers }) {
// Try to read the session cookie from incoming request headers
const sessionId = getCookie(context.headers, 'sessionId')
// Simulate user lookup (replace with your logic)
const user = sessionId === 'abc123' ? { id: 1, name: 'Alice' } : null
return { ...context, user }
}
// --- oRPC Router Example ---
const os = /* your oRPC router factory */
export const loginRoute = os
.$context<{ headers: Headers }>()
.route({ method: 'POST', path: '/login' })
.handler(async ({ context }) => {
// Set a session cookie
setCookie(context.headers, 'sessionId', 'abc123', {
httpOnly: true,
path: '/',
sameSite: 'strict',
secure: process.env.NODE_ENV === 'production',
maxAge: 60 * 60, // 1 hour
})
return { message: 'Logged in, cookie set' }
})
export const verifyRoute = os
.$context<{ headers: Headers; user?: { id: number; name: string } }>()
.route({ method: 'GET', path: '/verify' })
.handler(async ({ context }) => {
// Use the user context injected by middleware
if (!context.user) {
return { message: 'Not authenticated' }
}
return { message: `Authenticated as ${context.user.name}` }
})
// --- Server Setup ---
const openAPIHandler = new OpenAPIHandler([loginRoute, verifyRoute])
const server = createServer(async (req, res) => {
// Initialize headers with incoming request headers (for cookie reading)
const headers = new Headers(req.headers)
// Inject user context via middleware
const context = await withUserContext({ headers })
// Handle the request
const result = await openAPIHandler.handle(req, res, {
prefix: '/api',
context,
})
// Propagate all headers (including Set-Cookie) to the response
headers.forEach((value, key) => res.setHeader(key, value))
if (!result.matched) {
res.statusCode = 404
res.end('Not found')
}
})
server.listen(3000)Key points:
This pattern is fully manual and matches oRPC's design—there's no built-in middleware for cookie propagation or auth context, so you control it all in your server code [source]. To reply, just mention @dosu. How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other |
Beta Was this translation helpful? Give feedback.
-
|
Here are mistakes in your snippets: const server = createServer(async (req, res) => {
const headers = new Headers()
headers.forEach((value, key) => res.setHeader(key, value))
const result = await openAPIHandler.handle(req, res, {
prefix: '/api',
context: { headers },
})
setCookie(headers, 'sessionIdss', '123456', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
})
if (!result.matched) {
res.statusCode = 404
res.end('Not found')
}
})
const cookieString = serialize(name, 'joao', {
path: '/',
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
})
context.headers.append('Set-Cookie', cookieString)
console.log({ 'Set-Cookie': context.headers.get('Set-Cookie') })
const cookieHeader = context.headers.get('cookie')
console.log({ cookieHeader })
console.log({ getCookie: getCookie(context.headers, name) })
The main important here is |
Beta Was this translation helpful? Give feedback.
-
just by placing a bone below my Cookie set it started working correctly context.resHeaders?.set('x-custom-header', 'value')but I'm still not able to pull this cookie with getCookie |
Beta Was this translation helpful? Give feedback.
-
import type { ServerResponse } from 'node:http'
import jwt from 'jsonwebtoken'
import { os } from '@orpc/server'
import { createServer } from 'node:http'
import { OpenAPIHandler } from '@orpc/openapi/node'
import { setCookie, getCookie } from '@orpc/server/helpers'
type User = { id: number; name: string }
type UserRequestContext = {
headers: Headers
res: ServerResponse
user?: User
}
const SECRET = 'segredo-super-secreto'
const loginRoute = os
.$context<UserRequestContext>()
.route({ method: 'POST', path: '/login' })
.handler(async ({ context }) => {
const user: User = { id: 1, name: 'Alice' }
const token = jwt.sign(user, SECRET, { expiresIn: '1h' })
setCookie(context.headers, 'session', token, {
httpOnly: true,
path: '/',
sameSite: 'strict',
secure: false,
})
context.res.setHeader('Set-Cookie', context.headers.get('set-cookie') || '')
return { message: 'Login successful' }
})
// Middleware
async function withUserContext(context: UserRequestContext): Promise<UserRequestContext> {
const token = getCookie(context.headers, 'session')
if (!token) return context
try {
const user = jwt.verify(token, SECRET) as User
return { ...context, user }
} catch {
return context
}
}
// Rota de verificação
const verifyRoute = os
.$context<UserRequestContext>()
.route({ method: 'GET', path: '/verify' })
.handler(async ({ context }) => {
if (!context.user) return { message: 'Not authenticated' }
console.log(context.user)
return { message: `Authenticated as ${context.user.name}` }
})
const openAPIHandler = new OpenAPIHandler({
login: loginRoute,
verify: verifyRoute,
})
const server = createServer(async (req, res) => {
// Inicializa com os headers da requisição real
const headers = new Headers(req.headers)
const userContext = await withUserContext({ headers, res })
await openAPIHandler.handle(req, res, {
prefix: '/',
context: userContext,
})
})
server.listen(3000, () => {
console.log('Server listening on http://localhost:3000')
console.log('POST /login')
console.log('GET /verify')
}) curl -i -X POST http://localhost:3000/login -d '{}' ~
^[[AHTTP/1.1 200 OK
set-cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzU2ODk4OTk2LCJleHAiOjE3NTY5MDI1OTZ9.VdjHFM8b4m5qIsKlb5LyNZZThlPh3Z2iF9uSxGp4tJo; Path=/; HttpOnly; SameSite=Strict
Content-Type: application/json
Date: Wed, 03 Sep 2025 11:29:55 GMT
Content-Length: 30
{"message":"Login successful"}%
curl -i -X GET http://localhost:3000/verify ~
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 03 Sep 2025 11:30:02 GMT
Content-Length: 31
{"message":"Not authenticated"}% |
Beta Was this translation helpful? Give feedback.
-
|
You curl without cookie that why it's return |
Beta Was this translation helpful? Give feedback.
-
|
And use this instead of |
Beta Was this translation helpful? Give feedback.
-
For the next devs of the futureimport { createServer } from 'node:http'
import { PORT, VERSION } from '@/constants/config'
import { ZodSmartCoercionPlugin } from '@orpc/zod'
import { OpenAPIHandler } from '@orpc/openapi/node'
import { ZodToJsonSchemaConverter } from '@orpc/zod/zod4'
import { OpenAPIReferencePlugin } from '@orpc/openapi/plugins'
import { CORSPlugin, RequestHeadersPlugin, ResponseHeadersPlugin } from '@orpc/server/plugins'
import { router } from './router'
const prefix = '/api'
const openAPIHandler = new OpenAPIHandler(router, {
plugins: [
new CORSPlugin(),
new RequestHeadersPlugin(),
new ResponseHeadersPlugin(),
new ZodSmartCoercionPlugin(),
new OpenAPIReferencePlugin({
docsProvider: 'scalar', // ou swagger
schemaConverters: [new ZodToJsonSchemaConverter()],
docsPath: '/docs',
specGenerateOptions: {
info: {
title: 'oRCP - Documentation',
version: VERSION,
},
},
}),
],
})
const server = createServer(async (req, res) => {
const { matched } = await openAPIHandler.handle(req, res, { prefix })
if (!matched) {
res.statusCode = 404
res.end('No procedure matched')
}
})
const url = `http://localhost:${PORT}${prefix}`
server.listen(PORT, () => {
console.log(`
───────────────────────────୨ৎ────────────────────────
𖤍 Server: ${url}
𖤍 Documentation: ${url}/docs
───────────────────────────୨ৎ────────────────────────
`)
})import type { EncodedJWTUser } from '@identity/domain/entities'
import type { JwtService } from '@identity/domain/services/jwt-service'
import { sign, verify } from 'jsonwebtoken'
import { JWT_SECRET, JWT_EXPIRES_IN_DAYS } from '@/constants/config'
export const makeJWTService = (): JwtService => ({
sign(payload: EncodedJWTUser): string {
const token = sign(payload, JWT_SECRET, {
expiresIn: JWT_EXPIRES_IN_DAYS,
})
return token
},
verify(token: string): EncodedJWTUser | null {
try {
const decoded = verify(token, JWT_SECRET) as EncodedJWTUser
return decoded
} catch (_error) {
return null
}
},
})import { os } from '@orpc/server'
import { getCookie } from '@orpc/server/helpers'
import { COOKIE_NAME } from '@/constants/config'
import { unauthorized } from '@/core/infra/http/errors/apiError'
import type { UserRequestContext } from '../types'
import type { JwtService } from '../../domain/services/jwt-service'
export const makeAuthMiddleware = (jwtService: JwtService) =>
os.$context<UserRequestContext>().middleware(async ({ context, next }) => {
const token = getCookie(context.reqHeaders, COOKIE_NAME)
if (!token) {
throw unauthorized('No token provided')
}
const user = jwtService.verify(token)
if (!user) {
throw unauthorized('Invalid token')
}
context.user = user
return next()
})import { ORPCError } from '@orpc/server'
// usado quando a requisição não pode ser processada devido a dados inválidos
// statusCode: 400
export const badRequest = (message: string) => new ORPCError('BAD_REQUEST', { message })
// usado quando o usuário não está autenticado
// statusCode: 401
export const unauthorized = (message: string) => new ORPCError('UNAUTHORIZED', { message })
// usado quando o usuário não tem permissão para acessar um recurso
// statusCode: 403
export const forbidden = (message: string) => new ORPCError('FORBIDDEN', { message })
// usado quando o recurso solicitado não foi encontrado
// statusCode: 404
export const notFound = (message: string) => new ORPCError('NOT_FOUND', { message })
// usado quando já existe um recurso com os mesmos dados
// statusCode: 409
export const conflict = (message: string) => new ORPCError('CONFLICT', { message })
// usado quando ocorreu um erro inesperado no servidor
// statusCode: 500
export const internal = (message: string) => new ORPCError('INTERNAL_SERVER_ERROR', { message })graph TD
subgraph " "
Client([<fa:fa-user> Client / Frontend])
end
subgraph "Presentation Layer (Camada de Apresentação)"
direction LR
A[<fa:fa-server> oRPC Server <br> index.ts] --> B[<fa:fa-route> Router <br> router.ts]
B --> C[<fa:fa-id-card> Identity Routes <br> identityRoutes.ts]
B --> D[<fa:fa-paw> Animal Routes <br> animalRoutes.ts]
end
subgraph "Composition Root (Injeção de Dependência)"
E[<fa:fa-cogs> DI Container <br> container.ts]
end
subgraph "Application Layer (Casos de Uso)"
direction LR
F[<fa:fa-user-plus> Identity Use Cases <br> e.g., register.ts]
G[<fa:fa-dog> Animal Use Cases <br> e.g., createAnimal.ts]
end
subgraph "Domain Layer (Entidades e Contratos)"
direction LR
H[<fa:fa-address-book> User Entity <br> user.ts]
I[<fa:fa-file-contract> IUserRepository <br> userRepository.ts]
J[<fa:fa-hippo> Animal Entity <br> animal.ts]
K[<fa:fa-file-contract> IAnimalRepository <br> animalRepository.ts]
end
subgraph "Infrastructure Layer (Implementações e Dados)"
direction LR
L[<fa:fa-database> UserRepositoryImpl] --> N[<fa:fa-exchange-alt> UserMapper]
M[<fa:fa-database> AnimalRepositoryImpl] --> O[<fa:fa-exchange-alt> AnimalMapper]
N --> P[<fa:fa-plug> Prisma Client]
O --> P
end
subgraph "External Services"
Q[(<fa:fa-database> PostgreSQL DB)]
end
%% Fluxo de Dependências
Client --> A
%% Presentation -> DI Container (para obter casos de uso)
C --> E
D --> E
%% DI Container -> Instancia Casos de Uso e Repositórios
E -- "instancia" --> F
E -- "instancia" --> G
E -- "injeta" --> L
E -- "injeta" --> M
%% Application -> Domain (depende das interfaces)
F --> I
G --> K
%% Infrastructure -> Domain (implementa interfaces e usa entidades)
L -- "implementa" --> I
M -- "implementa" --> K
N -- "cria" --> H
O -- "cria" --> J
%% Infrastructure -> External Services
P --> Q
%% Definições de Estilo
classDef presentation fill:#87CEEB,stroke:#333,stroke-width:2px,color:#000
classDef application fill:#98FB98,stroke:#333,stroke-width:2px,color:#000
classDef domain fill:#FFD700,stroke:#333,stroke-width:2px,color:#000
classDef infrastructure fill:#F08080,stroke:#333,stroke-width:2px,color:#000
classDef container fill:#DDA0DD,stroke:#333,stroke-width:2px,color:#000
class A,B,C,D presentation
class F,G application
class H,I,J,K domain
class L,M,N,O,P infrastructure
class E container
|
Beta Was this translation helpful? Give feedback.
-
|
@unnoq Actually much simpler |
Beta Was this translation helpful? Give feedback.
-
|
I want to build a simple oRPC application example with DDD+Prisma+oRPC+Monorepo |
Beta Was this translation helpful? Give feedback.
And use this instead of
new Header(req.headers)https://orpc.unnoq.com/docs/plugins/request-headers