Axios, Nest, and cookies in code
export const api = axios.create({
baseURL: process.env.NEXT_PUBLIC_API_URL,
withCredentials: true,
});Read the example from data and control flow to the resulting UI. Keep the component boundary small.
Topic
Definition
Axios must send credentialed requests and Nest must allow credentialed CORS for httpOnly cookie sessions to work across origins.
In simpler words
The browser sends the login cookie; JavaScript does not need to read the JWT.
Axios instances, withCredentials, CORS, and 401 handling.
Axios instances, withCredentials, CORS, and 401 handling.
Start by identifying which value or browser behavior changes. Then describe the UI from that current input instead of editing the DOM as a separate source of truth.
export const api = axios.create({
baseURL: process.env.NEXT_PUBLIC_API_URL,
withCredentials: true,
});Read the example from data and control flow to the resulting UI. Keep the component boundary small.
Keep rendering as a calculation. Put user-triggered changes in event handlers, preserve UI memory in state, and reserve external synchronization for Effects or the server-state layer.
Name values by their UI meaning, test the loading and error path when data is remote, and avoid keeping two editable copies of the same value.
Ask before adding code: is this local UI memory, shared client state, or Nest-owned server state?
Definition
High-bug areas are places where a small API misuse looks correct but produces stale UI, duplicate work, or silent failures.
In simpler words
Each mistake below shows Wrong vs Right code — compare them side by side.
When something misbehaves, match the symptom to a pattern below before rewriting the feature.
Prefer fixing the ownership or update path over adding another Effect or sync step.
// Wrong
axios.get("/tickets")
// Right
axios.get("/tickets", { withCredentials: true })
// or axios.create({ withCredentials: true })Cross-origin cookies require credentials.
// Wrong
localStorage.setItem("token", jwt)
// Right
// Nest httpOnly cookie; browser sends it automaticallyHttpOnly cookies keep tokens away from XSS.
// Wrong
origin: "*", credentials: true
// Right
origin: "http://localhost:3000", credentials: trueBrowsers reject wildcard origin with credentials.
Live playground
Change one input at a time and predict the next render.
axios.create({ withCredentials: true })Test
At least 10 questions — mix of concept, syntax, practical, and logic. Score ≥ 80% (enforced by the API) to save progress.
Checking your session…
10 questions · concept 3 · syntax 3 · practical 2 · logic 2