GET /admin/users/me returns 401 Unauthorized: Session Cookie Not Being Set

[Pacocc97]

After logging into the Medusa admin panel, any GET request to /admin/users/me returns a 401 Unauthorized error. The network request only includes a cookie: lng=en header, and the session cookie (typically something like connect.sid) is missing. I’ve verified that my JWT_SECRET and COOKIE_SECRET environment variables are correctly set, and my CORS configuration includes the appropriate domains. I’m running the backend on http://localhost:9000 and accessing the admin panel via http://localhost:9000/app. I suspect the issue is related to session cookie misconfiguration or CORS settings in production.

[luomoxu]

Maybe shoud enbale X-Forwarded-Proto

[JoaoAPS]

I'm having the same issue, admin app works fine when running medusa develop. But the /admin routes return only 401 Unauthorized if running medusa start and accessing via http://localhost:9000.

The issue is on the POST /auth/session call (explained here). It is not setting the connect.sid cookie in the conditions mentioned above as it should.
I think the problem is that in production the cookie is set to secure mode. Console.logging req.session when running via start gives

{auth_context: {...}, cookie: {..., secure: true}}

but when running develop gives

{auth_context: {...}, cookie: {..., secure: false}}

As localhost runs on http I think the cookie is being blocked.

One solution for testing the built app locally is to use some tool like Ngrok to access the localhost via an https url. Though a configuration to turn secure cookie off for testing the build locally would be nice. As far as I know this isn`t available right now.

[Edit] Typos

[raweber42]

Saved me a ton of time, thanks a lot!

Strange though that this is not being logged anywhere that the problem is related to CORS.

[raweber42]

So everything has to be https, otherwise it won't work?

[JoaoAPS]

As far as I know, yes. When running medusa start The admin will only work if served via https.

[deepakvishwakarma-hh]

I am also seeing the same issue. I have hosted medusa on AWS and I am using npm run dev due to which I am getting 401 error in /admin. And also facing html file is not found in public folder (I'm frustrated using medusajs)

[deepakvishwakarma-hh]

please guys anybody help Its been 6 hours facing this issue

[scherddel]

Did you try the following?

// medusa-config.ts
module.exports = defineConfig({
  projectConfig: {
    cookieOptions: {
      secure: false, // Only for development!
    },
    // ...other config
  },
  // ...other config

[deepakvishwakarma-hh]

medusa build && node build-script.js

info: Starting build...
info: Compiling backend source...
info: Removing existing ".medusa/server" folder
info: Compiling frontend source...
medusa-config.ts:8:5 - error TS2353: Object literal may only specify known properties, and 'cookieOptions' does not exist in type 'ProjectConfigOptions'.

8 cookieOptions : {
~~~~~~~~~~~~~

warn: Backend build completed with errors (13.15s)
info: Frontend build completed successfully (54.91s)

[scherddel]

this works fine for me. Can you share your full medusa-config? And most importantly, what medusa version are you running?

[deepakvishwakarma-hh]

import { loadEnv, defineConfig } from '@medusajs/framework/utils'

loadEnv(process.env.NODE_ENV || 'development', process.cwd())

module.exports = defineConfig({
projectConfig: {
databaseUrl: process.env.DATABASE_URL,
http: {
storeCors: process.env.STORE_CORS!,
adminCors: process.env.ADMIN_CORS!,
authCors: process.env.AUTH_CORS!,
jwtSecret: process.env.JWT_SECRET || "supersecret",
cookieSecret: process.env.COOKIE_SECRET || "supersecret",
}
},
modules: [
{
resolve: "./src/modules/review",
},
{
resolve: "./src/modules/carousel",
},
{
resolve: "./src/modules/brand",
},
{
resolve: "./src/modules/video",
},
{
resolve: "@medusajs/medusa/payment",
options: {
providers: [
{
// if module provider is in a plugin, use plugin-name/providers/my-payment
resolve: "./src/modules/payment-razorpay",
id: "my-custom-payment",
options: {
key_id:
process?.env?.RAZORPAY_TEST_KEY_ID ?? process?.env?.RAZORPAY_ID,
key_secret:
process?.env?.RAZORPAY_TEST_KEY_SECRET ??
process?.env?.RAZORPAY_SECRET,
razorpay_account:
process?.env?.RAZORPAY_TEST_ACCOUNT ??
process?.env?.RAZORPAY_ACCOUNT,
automatic_expiry_period: 30 /* any value between 12minuts and 30 days expressed in minutes*/,
manual_expiry_period: 20,
refund_speed: "normal",
webhook_secret:
process?.env?.RAZORPAY_TEST_WEBHOOK_SECRET ??
process?.env?.RAZORPAY_WEBHOOK_SECRET,
},
},
],
},
},
{
resolve: "@medusajs/medusa/file",
options: {
providers: [
{
resolve: "@medusajs/medusa/file-local",
id: "local",

        options: {
          // provider options...
          backend_url: `${process.env.MEDUSA_BACKEND_URL}/static`,
        },
      },
      // {
      //   resolve: "@medusajs/medusa/file-s3",
      //   id: "s3",
      //   options: {
      //     file_url: process.env.VITE_S3_FILE_URL,
      //     access_key_id: process.env.VITE_S3_ACCESS_KEY_ID,
      //     secret_access_key: process.env.VITE_S3_SECRET_ACCESS_KEY,
      //     region: process.env.VITE_S3_REGION,
      //     bucket: process.env.VITE_S3_BUCKET,
      //     endpoint: process.env.VITE_S3_ENDPOINT,
      //     // other options...
      //   },
      // },
    ],
  },
},
{
  resolve: "@medusajs/medusa/fulfillment",
  options: {
    providers: [
      {
        resolve: "@medusajs/medusa/fulfillment-manual",
        id: "manual",
      },
      {
        resolve: "./src/modules/shiprocket",
        id: "shiprocket",
        options: {
          // provider options...
          channel_id: process.env.SHIPROCKET_CHANNEL_ID, //(required)
          email: process.env.SHIPROCKET_EMAIL, //(required)
          password: process.env.SHIPROCKET_PASSWORD, //(required)
          token: process.env.SHIPROCKET_TOKEN, //(required. leave empty)
          pricing: "calculated", //"flat_rate" or "calculated" (required)
          length_unit: "cm", //"mm", "cm" or "inches" (required)
          multiple_items: "split_shipment", //"single_shipment" or "split_shipment"(default) (required)
          inventory_sync: false, //true or false(default) (required)
          forward_action: "create_order", //'create_fulfillment' or 'create_order'(default) (required)
          return_action: "create_order", //'create_fulfillment' or 'create_order'(default) (required)
        },
      },
    ],
  },
},

]

})

[deepakvishwakarma-hh]

"dependencies": {
"@medusajs/admin-sdk": "2.8.4",
"@medusajs/cli": "2.8.4",
"@medusajs/framework": "2.8.4",
"@medusajs/medusa": "2.8.4",
"@mikro-orm/core": "6.4.3",
"@mikro-orm/knex": "6.4.3",
"@mikro-orm/migrations": "6.4.3",
"@mikro-orm/postgresql": "6.4.3",
"awilix": "^8.0.1",
"aws-sdk": "^2.1692.0",
"csv-parse": "^5.6.0",
"lucide-react": "^0.523.0",
"medusa-payment-razorpay": "^7.3.2",
"multer": "^2.0.1",
"node-fetch": "^3.3.2",
"pg": "^8.13.0",
"react-quill": "^2.0.0"
},

[scherddel]

Please nest the cookieOptions attribute under projectConfig:

projectConfig: {
    cookieOptions: { secure: false },

[deepakvishwakarma-hh]

also I applied this configuration medusa-config and issue is there .

[deepakvishwakarma-hh]

I can't update right now. It will take more time

[scherddel]

Let me know if you have more concerns here once you upgraded to the newest release. Thank you

[deepakvishwakarma-hh]

how to update on latest version ?

[scherddel]

https://docs.medusajs.com/learn/update

[deepakvishwakarma-hh]

"dependencies": {
"@medusajs/admin-sdk": "2.8.8",
"@medusajs/cli": "2.8.8",
"@medusajs/framework": "2.8.8",
"@medusajs/medusa": "2.8.8",
"@mikro-orm/core": "6.4.3",
"@mikro-orm/knex": "6.4.3",
"@mikro-orm/migrations": "6.4.3",
"@mikro-orm/postgresql": "6.4.3",
"@sgftech/payment-razorpay": "^2.1.11",
"awilix": "^8.0.1",
"aws-sdk": "^2.1692.0",
"csv-parse": "^5.6.0",
"lucide-react": "^0.523.0",
"multer": "^2.0.1",
"node-fetch": "^3.3.2",
"pg": "^8.13.0",
"react-quill": "^2.0.0"
},
"devDependencies": {
"@medusajs/test-utils": "2.8.8",
"@mikro-orm/cli": "6.4.3",
"@swc/core": "1.5.7",
"@swc/jest": "^0.2.36",
"@types/jest": "^29.5.13",
"@types/node": "^20.0.0",
"@types/react": "^18.3.2",
"@types/react-dom": "^18.2.25",
"jest": "^29.7.0",
"prop-types": "^15.8.1",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"ts-node": "^10.9.2",
"typescript": "^5.6.2",
"vite": "^5.2.11",
"yalc": "^1.0.0-pre.53"
},
"engines": {
"node": ">=20"
}

[deepakvishwakarma-hh]

projectConfig: {
cookieOptions: { secure: false },
databaseUrl: process.env.DATABASE_URL,
http: {
storeCors: process.env.STORE_CORS!,
adminCors: process.env.ADMIN_CORS!,
authCors: process.env.AUTH_CORS!,
jwtSecret: process.env.JWT_SECRET || "supersecret",
cookieSecret: process.env.COOKIE_SECRET || "supersecret",
}
},

[deepakvishwakarma-hh]

updated things still getting this error

[deepakvishwakarma-hh]

Hey Its working fine in dev

[deepakvishwakarma-hh]

server {
listen 80;
server_name ;

return 301 https://$host$request_uri; # redirect all HTTP to HTTPS

}

server {
listen 443 ssl http2;
server_name ;

ssl_certificate /etc/letsencrypt/live/<domain goes here>fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain goes here>/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

location / {
    proxy_pass http://localhost:9000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;

    # Add all required headers for secure cookies & forwarding
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_cookie_path / "/; Secure; HttpOnly; SameSite=None";
    proxy_cache_bypass $http_upgrade;
}

}

[deepakvishwakarma-hh]

Please medusa list how to deploy on AWS without showing microtica integration

[anubus298]

if you are testing on local, add this to your defineConfig inside medusa-config.ts:
cookieOptions: { secure: false, sameSite: "lax", },

[SarinSajuIqlytika]

Thank you soooooooooooooooooooo much....It worked like charm...You are the BEST