My app's back-end is an Express API, and I run a React SPA (vite) on the front-end.
I'm implementing the "Sign in with Google" functionality. During development, when testing on localhost, I could:
- Click on the Sign In button (it's an anchor tag, not a Fetch request)
- This targets my back-end auth route (/auth/google)
- I use Passport's Google strategy which then targets the callback route (if login successful)
- In the "/auth/google/callback" route, I get the user, create a signed JWT token, which I then send back to the front-end as a cookie that I set (res.cookie, then res.redirect to front-end).
- Back on the React front-end, on the redirect it gets the cookie, and I can then fetch whatever back-end protected route I like, using Fetch with "credentials: include".
This whole process has been working fine while testing: I could log in, log out, access my routes, etc.
I've now hosted my app (frontend on Render, backend on Railway), and modified the Google account settings (which were previously set for localhost:xxxx, and now my hosting URL).
Now on the hosted site, when I click on "Sign in with Google", I can see from my back-end logs that I am successfully signed in, but for some reason the cookie I set isn't sent to the front-end. I don't get any errors, it's just that the front-end doesn't get the cookie, so it's like I'm never signed in.
And I don't know why it was working on localhost, and suddenly stopped working in "production". All the resources I've read about the issue on Google simply say to set the fetch request with the "credentials: include" option, but in my case it's not a fetch request from the front-end.
Any clues on how to get around that?
Posted 1 year ago
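Added example, not part of the original post: a simplified model of the browser's SameSite check, showing why a cookie set with default `res.cookie` options reaches the API from a fetch on localhost but not once the front-end and back-end sit on different sites. The hostnames, the two-label "site" approximation, the assumption that the post's cookie used default options, and all function names are constructed for illustration.

```javascript
// Constructed origins: the post does not give its real hostnames.
const DEV = { page: "http://localhost:5173", api: "http://localhost:3000" };
const PROD = { page: "https://my-app.onrender.com", api: "https://my-api.up.railway.app" };

// "Site" = scheme + registrable domain; the port is ignored.
// Approximation: last two host labels instead of the real Public Suffix List.
function siteOf(origin) {
  const { protocol, hostname } = new URL(origin);
  return protocol + "//" + hostname.split(".").slice(-2).join(".");
}

// Simplified model of the SameSite check a browser runs before attaching a cookie.
function browserAttachesCookie(cookie, { from, to, topLevelGet }) {
  const sameSite = (cookie.sameSite || "lax").toLowerCase(); // missing SameSite: Lax in Chromium
  if (sameSite === "none") return cookie.secure === true;    // None without Secure is rejected
  if (siteOf(from) === siteOf(to)) return true;              // same-site: Lax and Strict pass
  return sameSite === "lax" && topLevelGet;                  // cross-site: Lax, top-level GET only
}

// The SPA's fetch(api, { credentials: "include" }) is a subrequest, not a navigation.
function fetchCarriesCookie(env, cookie) {
  return browserAttachesCookie(cookie, { from: env.page, to: env.api, topLevelGet: false });
}

// Options in the shape Express's res.cookie(name, value, options) accepts.
function jwtCookieOptions(crossSite) {
  return {
    httpOnly: true,                       // keep the JWT out of reach of page scripts
    secure: crossSite,                    // browsers require Secure with SameSite=None
    sameSite: crossSite ? "none" : "lax",
    maxAge: 60 * 60 * 1000,               // one hour, hypothetical lifetime
  };
}

console.log("dev,  default options:", fetchCarriesCookie(DEV, {}));
console.log("prod, default options:", fetchCarriesCookie(PROD, {}));
console.log("prod, SameSite=None + Secure:", fetchCarriesCookie(PROD, jwtCookieOptions(true)));
```

Browsers that block third-party cookies drop the cross-site cookie regardless of `SameSite`, so serving the API under the same registrable domain as the front-end is the more robust setup. A `SameSite=None` cookie is sent on every cross-site request, so state-changing routes then need their own CSRF protection.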