[yamadapc]

You can just wrap `fetch` with something that knows where your server is. In `Este.js` there's something like:

    function ensureServerUrl(url) {
      // parse and replace with your server url
      // in Este you read from a SERVER_URL environment variable
    }

    function fetch(url, options) {
      url = ensureServerUrl(url);
      return fetch(url, options);
    }

[idbehold]

If the route requires a cookie to work how is that set when performing the fetch server-side?

[TheHegemon]

Grab all the request cookies from the user and pass them along.

[JoshTriplett]

That sounds like a recipe for a confused deputy (https://en.wikipedia.org/wiki/Confused_deputy_problem).

[couchand]

All I know about confused deputy is from the Wikipedia article, but it seems like it wouldn't apply in this case. From Wikipedia: "The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority."

In the case the GP describes, the proxying web server has no additional authority on the API server: if the API route requires a cookie from the user, it doesn't matter whether that's passed directly or proxied.

That being said, feel free to correct me if I'm missing something. Also, thank you very much for giving me the name for this problem, it will come in very handy.

[idbehold]

Inside the React component, (wherever this fetch() is being called from), where exactly are the user's cookies accessible from at this point in the code?