- 27 Aug 2025
- first, updating to the ES module system from CommonJS
- import router as mainRouter from './main-routes.js'; what is wrong?
- I was doing it the way it's done with a named export, not a default export
- with a default export I can use any name
- learnt about app.locals; I wanted to share variables created in server.js with the other main routes file
- so added that variable to app.locals; every req object has the app object
- and app is my Express app
- how to make server.js clean: separated all main routes into a different file
- created a Mongoose schema
- trying to make every API secure
- authorization was one option, where a token is returned in the response and stored
- but if stored in localStorage, browser JavaScript can access it
- if stored in cookies it can't be accessed
- Perfect choice 👍 Using HTTP-only cookies is much safer than storing tokens in localStorage, because
JavaScript in the browser can’t access them (helps prevent XSS token theft).
- 28 Aug 2025
- how to have every request sent from the UI carry the admin details
- store them in cookies so they are always sent as part of the headers
- how to keep a log whenever any update happens
- how to send a hashed password
- how to create a secret JWT token
-
const res = fetch('http://localhost:3000/gita/create-admin', {
method: 'POST',
body: JSON.stringify({ name: 'Admin', email: 'test', password: 'password' }),
})
I was doing the above and req.body was coming back as an empty object
then realised that
headers: { 'Content-Type': 'application/json' }
is required, otherwise in Node req.body was an empty object
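To see why the header matters, here is a stripped-down imitation of what express.json() does with a request body. This is an added example, not the page's code and not Express itself; the body size limit and the two sample requests are constructed for the demo. The parser only touches the body when the request declares application/json, so a fetch() without that header leaves req.body as {} even though the JSON was sent.

```javascript
// Added example (not the page's code): a minimal stand-in for express.json()
// to show why req.body came back as {} when fetch() omitted Content-Type.
// Assumes a Node.js runtime; no Express dependency.

const MAX_BODY_BYTES = 16 * 1024; // assumed limit for the demo; express.json() defaults to 100kb

// Returns the parsed body when the request says it is JSON, otherwise {}.
// Throws on malformed or oversized payloads instead of silently accepting them.
function parseJsonBody(headers, rawBody) {
  const contentType = String(headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase(); // drop "; charset=utf-8"
  if (contentType !== 'application/json') {
    // Same behaviour as express.json(): the parser skips the body entirely,
    // so the route handler sees an empty object.
    return {};
  }
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    throw new Error('payload too large');
  }
  const parsed = JSON.parse(rawBody); // throws on malformed JSON
  // express.json() with strict: true (the default) only accepts objects and arrays
  if (parsed === null || typeof parsed !== 'object') {
    throw new Error('body must be a JSON object or array');
  }
  return parsed;
}

// Constructed sample requests: the broken call from the notes, and the fixed one.
const withoutHeader = {
  headers: {},
  body: JSON.stringify({ name: 'Admin', email: 'test', password: 'password' }),
};
const withHeader = {
  headers: { 'content-type': 'application/json' },
  body: withoutHeader.body,
};

console.log(parseJsonBody(withoutHeader.headers, withoutHeader.body)); // {}
console.log(parseJsonBody(withHeader.headers, withHeader.body).name);   // Admin
```

The strict object check and the size cap are the two things worth keeping when writing a body parser by hand: an endpoint that accepts a bare string or number as "the body" invites type-confusion bugs downstream, and an unbounded body is a free memory-exhaustion lever.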
- 28 Aug 2025
- had added an env variable but it was not loading in the Node server
- npm i dotenv
- require('dotenv').config(); in server.js
- added .env to gitignore
- further check what it does and how
res.cookie("authToken", token, {
httpOnly: true, // JS can't access it
secure: false, // true in production (with https)
sameSite: "strict",
maxAge: 60 * 60 * 1000 // 1 hour
});
- I had the above code, and the response was also coming back
- but the cookie was not getting set in the application
- reason: sameSite: "strict" was set and my frontend and backend were on different domains
app.use(cors({
origin: 'http://127.0.0.1:5501',
credentials: true,
}))
with credentials: true, the browser will accept the Set-Cookie value
added the above; still it didn't work
by adding the below to the UI code
credentials: 'include',
still the cookie is not getting applied and I get the below error
Access to fetch at 'http://localhost:3000/gita/create-admin' from origin 'http://127.0.0.1:5501' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
to fix it
If you use credentials: "include", your backend must also respond with:
Access-Control-Allow-Origin: http://frontend.com // NOT "*"
Access-Control-Allow-Credentials: true
Otherwise the browser will silently drop the cookies.
instead of doing app.use(cors()) I wrote a manual implementation:
app.use((req, res, next) => {
res.header("Access-Control-Allow-Origin", "http://127.0.0.1:5501");
res.header("Access-Control-Allow-Credentials", "true");
res.header("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
res.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
next();
});
gpt link
now I have got the token after creating admin / login; now each request should be protected by the token
created a verifyToken function which will be used on every request
- learnt how to allow multiple origins in the Access-Control-Allow-Origin header
const allowedOrigins = ['https://iskconsarjapurroad.com', 'http://127.0.0.1:5501'];
app.use((req, res, next) => {
  // reflect the Origin only when it is in the allowlist; never echo arbitrary origins
  if (req.headers.origin && allowedOrigins.includes(req.headers.origin)) {
    res.header("Access-Control-Allow-Origin", req.headers.origin);
    res.header("Access-Control-Allow-Credentials", "true");
  }
  res.header("Vary", "Origin"); // response now differs per origin, so caches must key on it
  next();
});
there is a custom date format and when pasting dates into an Excel sheet
- finally understood why cookies were not getting sent when I was accessing the backend
-
from http://127.0.0.1:5501/
to localhost:3000
-
sameSite: "strict",
and changed it to
sameSite: "none",
- and the issue got fixed
-
Here’s why that fixed it:
SameSite=Strict → the cookie is never sent on cross-site requests, not even when your own frontend (running
on a different port like 5173) talks to your backend (3000). So your authToken was being blocked.
SameSite=Lax → cookies are sent on some cross-site requests (like GET navigation), but not on
POST/PUT/DELETE made via fetch/XHR.
SameSite=None → cookies are always sent, even for cross-site fetch requests, as long as you also add Secure
(required by browsers).
That’s why changing it to SameSite: "none" let your frontend actually send the cookie to /add-facilitator.
gpt link
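The two server-side pieces the notes above arrive at, written as plain functions so they can be checked without a browser. This is an added example, not the project's code: corsHeadersFor() reflects only allowlisted origins (never "*" together with credentials), adds Vary: Origin, and answers preflights with 204 instead of letting them fall through to the routes; setCookieHeader() builds the Set-Cookie value the way res.cookie() would and refuses SameSite=None without Secure, which Chrome rejects outright. The origins, cookie name and the fake req/res objects are assumptions taken from the snippets above. One caveat worth knowing when reading the SameSite explanation: browsers compare sites by scheme plus registrable domain and ignore the port, so 127.0.0.1 and localhost are cross-site because they are different hosts, not because of the port numbers; a frontend and backend on the same host and different ports would be same-site and Strict would have worked.

```javascript
// Added example (not the project's code): allowlist-based CORS with credentials,
// and a Set-Cookie builder that enforces the SameSite/Secure rule.
// Assumes a Node.js runtime; the origins below are taken from the notes above.

const allowedOrigins = ['https://iskconsarjapurroad.com', 'http://127.0.0.1:5501'];

// Decide the CORS response headers for one request. Returns { headers, preflight }.
function corsHeadersFor(origin, method, allowlist = allowedOrigins) {
  const headers = { Vary: 'Origin' }; // caches must key on Origin once we reflect it
  const preflight = method === 'OPTIONS';
  if (!origin || !allowlist.includes(origin)) {
    // Unknown origin: send no ACAO at all; the browser then blocks the response.
    return { headers, preflight };
  }
  headers['Access-Control-Allow-Origin'] = origin; // exact match, never '*'
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (preflight) {
    headers['Access-Control-Allow-Methods'] = 'GET,POST,PUT,DELETE,OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600'; // assumed preflight cache lifetime
  }
  return { headers, preflight };
}

// Express-style wrapper: app.use(corsMiddleware). Preflights end here with 204.
function corsMiddleware(req, res, next) {
  const { headers, preflight } = corsHeadersFor(req.headers.origin, req.method);
  for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
  if (preflight) return res.sendStatus(204);
  next();
}

// Build a Set-Cookie value as res.cookie() would, with the attribute rule
// that bit the notes above enforced before the cookie is ever sent.
function setCookieHeader(name, value, { httpOnly = true, secure = false, sameSite = 'Lax', maxAgeMs, path = '/' } = {}) {
  const site = String(sameSite);
  const norm = site.charAt(0).toUpperCase() + site.slice(1).toLowerCase();
  if (!['Strict', 'Lax', 'None'].includes(norm)) throw new Error(`bad SameSite value: ${sameSite}`);
  if (norm === 'None' && !secure) {
    // Chrome drops a SameSite=None cookie that is not also Secure.
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${norm}`];
  if (maxAgeMs !== undefined) parts.push(`Max-Age=${Math.floor(maxAgeMs / 1000)}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

console.log(corsHeadersFor('http://127.0.0.1:5501', 'POST').headers);
console.log(setCookieHeader('authToken', 'header.payload.sig', { secure: true, sameSite: 'none', maxAgeMs: 60 * 60 * 1000 }));
```

Chrome treats http://localhost as a secure context and accepts Secure cookies from it, so for the local setup above secure: true can stay on rather than being toggled per environment; what cannot be avoided is that a cross-site cookie needs SameSite=None and Secure together, and that a cookie sent cross-site no longer gets the CSRF protection Lax gave it, so state-changing routes need a separate CSRF check.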
-
# Serve gita-course-dashboard SPA
location /gita-course-dashboard/ {
alias /home/ankit90499/iskcon-sarjapur-road/gita-course-dashboard/dist/;
index index.html;
# First try file, then directory, then fallback to index.html
try_files $uri $uri/ /index.html;
}
- the above was not working; previously root was there, now alias is used
- it was just rendering the bottom bar but no path as such was getting matched
-
try_files $uri $uri/ /gita-course-dashboard/index.html;
- not sure; by adding the above in nginx
- and updating the routes in app.js from / to /gita-course-dashboard to render home, it started working
devServer: {
historyApiFallback: true,
// ...other options
}
I had to write the above so that the other routes in the localhost React app work