1 year ago
#309057
hummmingbear
Rails + Devise returning duplicate set-cookie response headers
I'm using Devise + Devise JWT with an API-only instance of Rails (7.0.2). We are using secure cookies to pass our auth token to the frontend and noticed that the response we get after signing in has duplicate set-cookie headers. One of the tokens is incorrect/old and it's causing issues on our front-end.
I'm not sure where to even start or pick apart how the middleware is setting this. Has anyone experienced this, or any pointers on what devise methods I can inspect where this is being set? Are both Rails and Devise trying to set their own secure set-cookie?
Some of my secure-cookie config below:
In config/initializers/devise.rb
I have:
...
config.rememberable_options = { secure: true }
config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_session_id', secure: true
config/application.rb
...
config.middleware.use ActionDispatch::Cookies
config.middleware.use ActionDispatch::Session::CookieStore
app/controllers/application_controller.rb
include ActionController::Cookies
include ActionController::RequestForgeryProtection
before_action :set_csrf_cookie
protect_from_forgery with: :exception
...
private
# Expose the CSRF token to the SPA in a non-HttpOnly cookie so it can be
# echoed back in the X-CSRF-Token request header.
def set_csrf_cookie
cookies['CSRF-TOKEN'] = form_authenticity_token
end
Below is a screenshot from Postman of the set-cookie headers we are getting back.
Versions:
Rails 7.0.2.2
Ruby 3.0.3
devise 4.8.1
Devise-jwt 0.9.0
Any help/pointers appreciated
ruby-on-rails
devise
setcookie
0 Answers
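A first step in pinning this down is to look at the raw response rather than the Postman cookie jar: list every Set-Cookie header, group them by cookie name, and see which names are emitted more than once, whether the values differ, and whether each copy carries the same Secure/HttpOnly/SameSite attributes. The following pure-Ruby helper does that over a raw header block; it is an added example, not code from the question or from Devise or Rails, and the sample headers (including the OLDTOKEN/NEWTOKEN values and the remember_user_token line) are constructed to illustrate the duplicate, not captured from the poster's app. The "effective value" it reports is the last one, because a client that follows RFC 6265 section 5.3 replaces an existing cookie with the same name, domain and path when a later Set-Cookie for it arrives.

```ruby
# Added example (not from the original post, not Devise/Rails code): parse a raw
# HTTP response header block, group every Set-Cookie line by cookie name, and
# report names that are set more than once together with attribute differences.
# Standard library only.

SECURITY_ATTRS = %w[secure httponly samesite].freeze

# Parse one Set-Cookie header value into { name:, value:, attrs: }.
# Attribute names are downcased; flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header_value)
  parts = header_value.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |p|
    k, v = p.split('=', 2)
    attrs[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value.to_s, attrs: attrs }
end

# Collect the values of all Set-Cookie headers from a raw header block
# (CRLF or LF separated), preserving header order.
def set_cookie_headers(raw_headers)
  raw_headers.lines.map(&:chomp).filter_map do |line|
    m = line.match(/\Aset-cookie:\s*(.+)\z/i)
    m && m[1]
  end
end

# Hash of cookie name => array of parsed cookies, in the order they appeared.
def cookies_by_name(raw_headers)
  set_cookie_headers(raw_headers).map { |h| parse_set_cookie(h) }.group_by { |c| c[:name] }
end

# For every name set more than once: how many times, whether the values differ,
# which value an RFC 6265 client ends up with (the last one), and which security
# attributes are missing on at least one of the copies.
def duplicate_set_cookie_report(raw_headers)
  cookies_by_name(raw_headers).select { |_, list| list.size > 1 }.map do |name, list|
    missing = SECURITY_ATTRS.select { |a| list.any? { |c| !c[:attrs].key?(a) } }
    {
      name: name,
      count: list.size,
      values_differ: list.map { |c| c[:value] }.uniq.size > 1,
      effective_value: list.last[:value],
      attrs_missing_on_some: missing
    }
  end
end

# Constructed sample response (not the poster's real headers): the session
# cookie is emitted twice with different values, and a remember cookie is
# emitted twice with one copy lacking the Secure flag.
SAMPLE_HEADERS = <<~HDR
  HTTP/1.1 200 OK
  Content-Type: application/json
  Set-Cookie: _session_id=OLDTOKEN; path=/; secure; HttpOnly; SameSite=Lax
  Set-Cookie: CSRF-TOKEN=abc123; path=/; SameSite=Lax
  Set-Cookie: remember_user_token=r1; path=/; secure; HttpOnly; SameSite=Lax
  Set-Cookie: _session_id=NEWTOKEN; path=/; secure; HttpOnly; SameSite=Lax
  Set-Cookie: remember_user_token=r1; path=/; HttpOnly; SameSite=Lax
HDR

if __FILE__ == $PROGRAM_NAME
  duplicate_set_cookie_report(SAMPLE_HEADERS).each do |r|
    puts "#{r[:name]}: set #{r[:count]} times, values differ=#{r[:values_differ]}, " \
         "client keeps #{r[:effective_value].inspect}, " \
         "attrs missing on some copy: #{r[:attrs_missing_on_some].inspect}"
  end
end
```

To use it against the real app, paste the header block from Postman's raw response view (or from `curl -i`) into `raw_headers`. A cookie that appears twice with different values points at two layers each writing the same name (for example a middleware and a controller action both touching the session), while a copy that lacks Secure or HttpOnly shows that one of those layers is not using the configured cookie options.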