I’m developing a mobile application using Ionic 8, Vue 3, and Capacitor 6 that consumes the REST API of an ERPNext 15 instance hosted on a server with NGINX and Plesk. After much effort, I managed to resolve CORS and cookie-related issues when testing from the browser using Vite dev and mkcert to enable HTTPS locally.
However, when I build the application for iOS and Android devices, I can no longer make successful requests to the ERPNext API. I had to add capacitor://localhost to my NGINX configuration’s allowed origins, which allowed the initial login request to succeed. Unfortunately, subsequent requests fail with 403 Forbidden errors or cookie rejection issues related to SameSite and Secure settings.
Here’s what I’ve tried:
- NGINX Configuration:
location / {
proxy_pass http://localhost:8001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cookie_flags ~ samesite=none;
proxy_cookie_path / “/; SameSite=None; HTTPOnly; Secure”;
set $allowed_origin "";
if ($http_origin ~* (https://localhost:5161|http://localhost:5161|capacitor://localhost|http://localhost)) {
set $allowed_origin $http_origin;
}
add_header 'Access-Control-Allow-Origin' $allowed_origin always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Accept' always;
}
- ERPNext Configuration (common_site_config.json):
{
“allow_cors”: true,
“cookie_secure”: true,
“cookie_samesite”: “None”
}
When I run the mobile application on iOS or Android, the initial login request to /api/method/login succeeds. However, any subsequent requests fail with 403 Forbidden errors or cookie-related issues, often indicating SameSite=Lax and Secure problems.
It also appears that session cookies (sid) are not being properly respected on mobile devices, which causes issues with subsequent requests after login.