As @heiko has pointed out in his comment:

http:localhost:3000 and http:localhost:4200 are considered same site AND cross origin. Meaning when setting cookie config, the SameSite field can be set to strict given that the request is being send from another port on the same site, making it SameSite.

The code changed:

cookie: {
    secure: false,
    httpOnly: true,
    maxAge: 1000 * 60 * 3,
    sameSite: 'strict' // Right here, changed from 'none' to 'strict'
}}));

Here is an in-depth answer for anyone who faces the same issue:

Understanding the Terminology

Same-Site: "Same-Site" refers to requests made within the same registrable domain, ignoring the protocol, port, and subdomains.

For example, http://example.com and https://example.com are considered "same-site" because the domain (example.com) matches. Similarly, http://localhost:3000 and http://localhost:4200 are "same-site" because they share the same base domain: localhost. This concept is primarily relevant when dealing with cookies and the SameSite attribute, which determines whether cookies are sent with cross-site or same-site requests.

Cross-Origin: "Cross-Origin" is a stricter term. For two URLs to be considered same-origin, their protocol, domain, and port must all match.

Since http://localhost:3000 and http://localhost:4200 use different ports, they are cross-origin. This distinction is critical for browser security features like the Same-Origin Policy and CORS (Cross-Origin Resource Sharing), which govern whether resources can be shared between different origins.