I have an issue with cookie-session when using Firebase Functions in production. I have a React app in Firebase Hosting, and an Express app in Functions (that I'm using as my API), and I've created a template repo that demonstrates this setup for all to see (https://github.com/cjmyles/firebase-react-express).
I'm making fetch calls from the React app to /api/* (notice the lack of a fully qualified url) and the request is proxied to the API in development mode using the proxy config value in package.json; and proxied to the API in production using the rewrites config value in firebase.json.
This works fine until I start to use sessions. I have some code that mimics a login request using PassportJS where the user information is stored in the session, and this works in development mode, but not in production. I have a feeling it's something to do with the cookies. I'm using cookie-session in my express app and I've made sure that the secure flag is set to true in production (as it's served over https), but I think the cookie isn't being passed to the API properly when the request is proxied via the Firebase rewrites.
Do I need to add something to firebase.json to enable cookie-session in production?
