Implementing WebAuthN signin on my application with firebase and nuxt 3. I create a session cookie with firebase auth and try to use H3 “setCookie” to set the cookie. If I set “strict: false” in the options it works on localhost. But it fails when i try to set it in production but it does not provide any errors.

Client side request to endpoint:

  const response: setCookieResponse = await $fetch(`/api/users/auth/setAuthCookie`, {
      method: "POST",
      credentials: "include", // Ensures cookies are sent with cross-origin requests
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        sessionToken,
        domain: appSetupConfig.cookieDomain, // Ensure this domain is correctly set
      }),
    });

Serverside endpoint:

import { getFirestore } from "../../../firebaseAdminConfig";
import { createCorsHandler } from "../../../utils/security/cors";
import { readBody, setCookie, sendError } from "#imports";

const corsOptions = {
  allowedOrigins: [""],
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["Content-Type", "Authorization", "credentials"],
};

const corsHandler = createCorsHandler(corsOptions);

export default defineEventHandler(async (event) => {
  const admin = await getFirestore();
  const auth = admin.auth();
  const req = event.node.req;
  const res = event.node.res;

  await new Promise<void>((resolve) => {
    corsHandler(req, res, resolve);
  });

  // Allow credentials from the endpoint
  res.setHeader("Access-Control-Allow-Credentials", "true");
  const origin = req.headers.origin || "";
  if (origin) {
    res.setHeader("Access-Control-Allow-Origin", origin); // Set to specific origin
  }

  const body = await readBody(event);
  const { sessionToken, domain } = body;

  if (!sessionToken) {
    return sendError(
      event,
      createError({
        statusCode: 400,
        statusMessage: "Missing sessionToken in request body",
      })
    );
  }

  const token = sessionToken.toString();

  try {
    const decodedToken = await auth.verifyIdToken(token);

    const sessionExpiresIn = 60 * 60 * 24 * 14 * 1000; // 14 days

    
        const cookieOptions = {
          maxAge: sessionExpiresIn / 1000,
          httpOnly: true,
          secure: true,
          domain: ".mathiasqm.dk", // Make it accessible across all subdomains
          path: "/",
          sameSite: "lax",
        };
    const sessionCookie = await auth.createSessionCookie(token, { expiresIn: sessionExpiresIn });

    setCookie(event, "__session", sessionCookie, cookieOptions);

    return { status: true, message: "Set session cookie sucessfully", decodedToken, sessionExpiresIn, sessionCookie };
  } catch (error) {
    return { status: false, message: "Unsuccessful", error };
  }
});

Tried naming the endpoint setAuthCookie.post.ts with no luck.