cookies/headers does not work in NestJS (Fastify Adapter Only)

[ctjhoa]

Environment

orpc@1.8.8, Node v22.18.0

Reproduction

https://stackblitz.com/edit/github-ztmtcix4-ijyupsmj?file=src%2Fauth%2Fauth.controller.ts

Describe the bug

After having setup the ResponseHeadersPlugin to be able to set a cookie response in Nestjs, the cookie header is not set in the Nestjs response.

Additional context

I tried 2 workarounds:

• Create a NestInterceptor to set the response on the request object and give the request as ORPC context. Without success.
• Using outputStructure: 'detailed' on route declaration allows me to manually define the shape of the response but it shouldn't be such burden. Specially when you need to combine it CORSPlugin.

export const loginContract = oc
  .route({
    method: 'POST',
    path: '/auth/login',
    tags: ['Auth', 'Login'],
    outputStructure: 'detailed',
  })
  .input(loginInputSchema)
  .output(
    z.object({
      headers: z.object({
        'Set-Cookie': z.string(),
      }),
      status: z.literal(200),
      body: loginOutputSchema,
    }),
  );

  @Implement(appRouter.auth.login)
  login() {
    return implement(appRouter.auth.login).handler(async ({ input }) => {
      this.logger.log('ORPC login request');
      const user = await this.authService.validateUser(input.email, input.password);
      if (!user) {
        throw new ORPCError('BAD_REQUEST');
      }
      const accessToken = await this.authService.login(user);
      return {
        status: 200,
        headers: {
          'Set-Cookie': serializeCookie('access_token', accessToken, {
            httpOnly: true,
            path: '/',
          }),
        },
        body: user,
      };
    });
  }

Logs

{
  "log": {
    "version": "1.2",
    "creator": {
      "name": "Firefox",
      "version": "141.0.3"
    },
    "browser": {
      "name": "Firefox",
      "version": "141.0.3"
    },
    "pages": [
      {
        "id": "page_1",
        "pageTimings": {
          "onContentLoad": -58483,
          "onLoad": -58216
        },
        "startedDateTime": "2025-09-12T19:50:15.972+02:00",
        "title": "https://githubztmtcix4ijyupsmj-a335--3000--96435430.local-corp.webcontainer.io/#tag/authentication/post/auth/signin"
      }
    ],
    "entries": [
      {
        "startedDateTime": "2025-09-12T19:50:15.972+02:00",
        "request": {
          "bodySize": 71,
          "method": "POST",
          "url": "http://localhost:3000/auth/signup",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Host",
              "value": "localhost:3000"
            },
            {
              "name": "User-Agent",
              "value": "Mozilla/5.0 (X11; Linux x86_64; rv:141.0) Gecko/20100101 Firefox/141.0"
            },
            {
              "name": "Accept",
              "value": "*/*"
            },
            {
              "name": "Accept-Language",
              "value": "en-US,en;q=0.5"
            },
            {
              "name": "Accept-Encoding",
              "value": "gzip, deflate, br, zstd"
            },
            {
              "name": "Content-Type",
              "value": "application/json"
            },
            {
              "name": "Content-Length",
              "value": "71"
            },
            {
              "name": "Origin",
              "value": "https://githubztmtcix4ijyupsmj-a335--3000--96435430.local-corp.webcontainer.io"
            },
            {
              "name": "Sec-Fetch-Dest",
              "value": "empty"
            },
            {
              "name": "Sec-Fetch-Mode",
              "value": "cors"
            },
            {
              "name": "Sec-Fetch-Site",
              "value": "cross-site"
            },
            {
              "name": "authorization",
              "value": "Bearer default-token"
            },
            {
              "name": "Connection",
              "value": "keep-alive"
            }
          ],
          "cookies": [],
          "queryString": [],
          "headersSize": 0,
          "postData": {
            "mimeType": "application/json",
            "params": [],
            "text": "{\"name\": \"John Doe\",\n  \"email\": \"john@doe.com\",\n  \"password\": \"123456\"}"
          }
        },
        "response": {
          "status": 200,
          "statusText": "OK",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "connection",
              "value": "keep-alive"
            },
            {
              "name": "content-type",
              "value": "application/json"
            },
            {
              "name": "cross-origin-embedder-policy",
              "value": "require-corp"
            },
            {
              "name": "cross-origin-opener-policy",
              "value": "same-origin"
            },
            {
              "name": "cross-origin-resource-policy",
              "value": "cross-origin"
            },
            {
              "name": "date",
              "value": "Fri, 12 Sep 2025 17:50:15 GMT"
            },
            {
              "name": "keep-alive",
              "value": "timeout=5"
            },
            {
              "name": "transfer-encoding",
              "value": "chunked"
            },
            {
              "name": "x-powered-by",
              "value": "Express"
            }
          ],
          "cookies": [],
          "content": {
            "mimeType": "application/json",
            "size": 86,
            "text": "{\"id\":\"28aa6286-48e9-4f23-adea-3486c86acd55\",\"name\":\"John Doe\",\"email\":\"john@doe.com\"}"
          },
          "redirectURL": "",
          "headersSize": 0,
          "bodySize": 0
        },
        "cache": {},
        "timings": {
          "blocked": 0,
          "dns": 0,
          "connect": 0,
          "ssl": 0,
          "send": 0,
          "wait": 0,
          "receive": 0
        },
        "time": 0,
        "_securityState": "insecure",
        "pageref": "page_1"
      }
    ]
  }
}

[dosubot]

Hi @ctjhoa! I'm Dosu and I’m helping the orpc team.

Setting cookies in NestJS with orpc@1.8.8 and ResponseHeadersPlugin is tricky because orpc's plugin code is generalized and does not specifically handle NestJS's response object. For the 'Set-Cookie' header to reach the client, it must be set on the raw response before the response is sent, but orpc does not guarantee this in NestJS environments. This means that unless you manually shape the response (as you've done with outputStructure: 'detailed'), the header may not be propagated as expected, especially when combining with plugins like CORS.

The recommended approach is to set cookies using the setCookie() helper or by appending 'Set-Cookie' to the response headers before sending the response, and ensure that your context or adapter passes these headers to the underlying NestJS response object. If the plugin or adapter does not expose the raw response, headers like 'Set-Cookie' may not be set as intended. You may need to handle cookie setting in NestJS middleware or interceptors that have direct access to the response object, rather than relying solely on orpc plugins for this functionality [discussion].

There is no built-in NestJS-specific handling for 'Set-Cookie' in orpc plugins as of 1.8.8, so manual response shaping or middleware remains the most reliable workaround [discussion].

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[ctjhoa]

@dosu

Setting cookies in NestJS with orpc@1.8.8 and ResponseHeadersPlugin is tricky because orpc's plugin code is generalized and does not specifically handle NestJS's response object. For the 'Set-Cookie' header to reach the client, it must be set on the raw response before the response is sent, but orpc does not guarantee this in NestJS environments.

I'm using @orpc/nest so I expect this layer to propagate cookie set inside orpc to the nestjs response.

[dosubot]

@orpc/nest is designed to propagate all response headers—including 'Set-Cookie'—from your orpc handler or plugin to the actual NestJS response. Internally, it adapts the NestJS response object to a Node.js response and uses sendStandardResponse to write all headers present in the orpc response, so if 'Set-Cookie' is set in your handler or via the ResponseHeadersPlugin, it should reach the client as expected [code reference].

If you're not seeing the cookie in the browser, it's likely due to something outside orpc—such as CORS config, proxy, or upstream Express/NestJS middleware—rather than a limitation in @orpc/nest itself. The propagation logic is permissive and does not filter or mishandle 'Set-Cookie' headers [sendStandardResponse].

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}    

[unnoq]

Nest.js integration does not support plugins, and this field is not exists.

Let's try inject res into controller and use it to set cookie dirrectly

[unnoq]

I just try and everything work as expected

[ctjhoa]

@unnoq

Next.js integration does not support plugins, and this field is not exists.

Hum I'm talking about NestJS not Next.js but you're right the useFactory seems to take any properties. Maybe typing can be more strict because there is no error setting random props.
In addition, the plugins are advertised in the @orpc/nest README

🔌 Extendability: Easily extend functionality with plugins, middleware, and interceptors.

I also did not find any mention of incompatibility with plugins in the website. The documentation must be clearer on that.

Let's try inject res into controller and use it to set cookie dirrectly

This is not what you show in your screenshot. Your screenshot show the workaround using outputStructure: 'detailed' which I already confirmed it work. Can you please share a example which "inject res into controller"? Thanks

[unnoq]

@ctjhoa it's just Nestjs, set headers as normal as usual that Nestjs does - don't care about oRPC

[ctjhoa]

The standard way of setting cookie to the response in nestjs is this:

  @Implement(appRouter.auth.login)
  login(@Res({ passthrough: true }) res: FastifyReply) {
    return implement(appRouter.auth.login).handler(async ({ input }) => {
      this.logger.log('ORPC login request');
      const user = await this.authService.validateUser(input.email, input.password);
      if (!user) {
        throw new ORPCError('BAD_REQUEST');
      }
      const accessToken = await this.authService.login(user);
      res.cookie('access_token', accessToken, {
        httpOnly: true,
        path: '/',
      });
      return user;
    });
  }

And I'm sorry but it's not working either.

[unnoq]

Hey @ctjhoa, I just try but use ExpressJS adapter and it work as expected.

  @Implement(contract.planet.find)
  find(@Res() res: Response) {
    return implement(contract.planet.find).handler(({ input }) => {
      res.cookie('a1', 'b1')
      return {
        // headers: {
        //   'set-cookie': ['c=d'],
        // },
      }
    })
  }

Will try again with fastify when I have time.

[unnoq]

@ctjhoa I just tried the Fastify Adapter, and it worked as expected as well

  @Implement(contract.planet.find)
  find(@Res() res: FastifyReply) {
    return implement(contract.planet.find).handler(({ input }) => {
      res.raw.setHeader('set-cookie', ['c1=d1'])
      return {
        // headers: {
        //   'set-cookie': ['c=d'],
        // },
      }
    })
  }

I use res.raw.setHeader because .cookie does not exists on FastifyReply

[ctjhoa]

Ok I think I guess what's going on here.

I use res.raw.setHeader because .cookie does not exists on FastifyReply

Using res.raw.setHeader do work but that's not the idiom way of using fastify + NestJS.
You need to install and setup @fastify/cookie to have the .cookie / setCookie method.

https://docs.nestjs.com/techniques/cookies#use-with-fastify

It's working because you're manipulating the underlying raw node HTTP response.
https://nodejs.org/api/http.html#responsesetheadername-value

And the @Implement decorator seems to rely on that raw HTTP response to build the final response.

So yes it's working but you completely bypass the NestJS server configuration by relying on the Node HTTP response.

For example, I have setup a NestJS server with compression and CORS and you'll see that none of the responses are compressed nor have CORS headers (expect those added by stackblitz).

Tell me if I misunderstand the role of the @Implement decorator. Thanks