I'm trying to integrate an application on "domain-a.com" with Metabase on "domain-b.com", and for that I'm using the "POST /api/session" API, which allows me to pass a username and password to receive the session ID. In order for Metabase to identify the user's session, I need to have a "metabase.SESSION" cookie with the ID, but when I try to assign this cookie between different domains, Metabase doesn't identify the cookie.
I've tried switching between cookie sending settings (httpOnly=true, sameSite=Lax, domain=domain-b.com) but without success.
I've tried changing the "MB_SESSION_COOKIE_SAMESITE=none" parameter, but Metabase stops working as it should.
Could someone please help me?
Today I have a backend service to bypass CORS, like this:

```js
const express = require('express');
const axios = require('axios');

const app = express();

// Permissive CORS headers sent on every response
app.use((_req, res, next) => {
  res.setHeader('access-control-allow-headers', '*');
  res.setHeader('access-control-allow-methods', '*');
  res.setHeader('access-control-allow-origin', '*');
  res.setHeader('access-control-allow-credentials', 'true');
  next();
});

// Log in to Metabase with the credentials from the query string,
// then set the session cookie and redirect the browser to Metabase
app.get('/api/session', ({query: {metabase_url, ...query}}, res) => {
  const url = new URL(metabase_url);
  url.pathname = '/api/session';
  axios
    .post(`${url}`, query)
    .then(response => {
      // No Domain attribute: the cookie is stored for this service's own host
      res.cookie('metabase.SESSION', response.data.id);
      res.redirect(`${url.protocol}//${url.host}`);
    })
    // error.response is absent when Metabase could not be reached at all
    .catch(error =>
      res
        .status(error.response?.status ?? 502)
        .json(error.response?.data ?? {error: error.message})
    );
});

module.exports = app;
```
Note: when Metabase is located on localhost and my API is running on localhost, it works, but when the domains are different it doesn't.
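
Why the setup above behaves differently on localhost and across domains, as an added example that is not part of the original post: a simplified model of the cookie storage and matching rules browsers apply (RFC 6265, plus the requirement that SameSite=None cookies carry Secure). The function names, the paths and the ports 3000 and 4000 are assumptions made for the illustration.

```javascript
// Added example: simplified model of the RFC 6265 rules browsers apply to cookies.
// All hosts and ports are constructed; public-suffix checks are omitted.

// RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Decide whether a Set-Cookie received from `responseUrl` is stored.
function evaluateSetCookie(responseUrl, attrs = {}) {
  const { hostname } = new URL(responseUrl);
  if (attrs.domain && !domainMatches(hostname, attrs.domain)) {
    return { stored: false, reason: 'Domain attribute does not match the responding host' };
  }
  if (attrs.sameSite === 'None' && !attrs.secure) {
    return { stored: false, reason: 'SameSite=None without Secure' };
  }
  // No Domain attribute means a host-only cookie bound to the responding host.
  return { stored: true, hostOnly: !attrs.domain, scope: attrs.domain || hostname };
}

// Would the stored cookie be attached to a request for `requestUrl`?
// Cookies are scoped by host name, not by port.
function isSentTo(cookie, requestUrl) {
  if (!cookie.stored) return false;
  const { hostname } = new URL(requestUrl);
  return cookie.hostOnly ? hostname === cookie.scope : domainMatches(hostname, cookie.scope);
}

function scenarios() {
  const proxy = 'https://domain-a.com/api/session';
  const metabase = 'https://domain-b.com/';
  const hostOnly = evaluateSetCookie(proxy);
  const forced = evaluateSetCookie(proxy, { domain: 'domain-b.com' });
  const local = evaluateSetCookie('http://localhost:4000/api/session');
  const native = evaluateSetCookie('https://domain-b.com/api/session');
  return {
    proxyCookieReachesMetabase: isSentTo(hostOnly, metabase),
    crossDomainAttributeStored: forced.stored,
    localhostCookieReachesMetabase: isSentTo(local, 'http://localhost:3000/'),
    metabaseOwnCookieSent: isSentTo(native, metabase),
    sameSiteNoneWithoutSecureStored: evaluateSetCookie(metabase, { sameSite: 'None' }).stored,
  };
}

console.log(scenarios());
```

In this model the only cookie that reaches domain-b.com is one set by a response served from domain-b.com itself (or a parent domain shared with it), which is the boundary that stops one site from planting session cookies for another.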