WIP: Working on player

LOGIN_BUG_FIX_SUMMARY.md

@@ -0,0 +1,99 @@
+# Login Bug Fix Summary
+
+## Problem Analysis
+The login issue was caused by CORS and cookie domain restrictions that prevented users from logging in from different hosts (e.g., `rehearshalhub.sschuhmann.de` or IP addresses).
+
+## Root Causes Identified
+1. **CORS Restrictions**: API only allowed requests from `https://{settings.domain}` and `http://localhost:3000`
+2. **Cookie Domain Issues**: `rh_token` cookie was set without explicit domain, causing cross-domain problems
+3. **SameSite Cookie Policy**: `samesite="lax"` was blocking cross-site cookie sending
+4. **Domain Configuration**: Was set to `localhost` instead of the production domain
+
+## Changes Made
+
+### 1. CORS Configuration (`api/src/rehearsalhub/main.py`)
+- Made CORS middleware more flexible by adding the production domain automatically
+- Added support for additional CORS origins via environment variable `CORS_ORIGINS`
+- Now allows both HTTP and HTTPS for the configured domain
+
+### 2. Cookie Configuration (`api/src/rehearsalhub/routers/auth.py`)
+- Added dynamic cookie domain detection for production domains
+- Changed `samesite` policy to `"none"` with `secure=True` for cross-site functionality
+- Made cookie settings adaptive based on domain configuration
+
+### 3. Configuration Updates (`api/src/rehearsalhub/config.py`)
+- Added `cors_origins` configuration option for additional CORS origins
+
+### 4. Environment Files (`.env` and `api/.env`)
+- Updated `DOMAIN` from `localhost` to `rehearshalhub.sschuhmann.de`
+- Added `CORS_ORIGINS` with production domain URLs
+- Updated `ACME_EMAIL` to match the domain
+
+## Technical Details
+
+### Cookie Domain Logic
+```python
+# For production domains like "rehearshalhub.sschuhmann.de"
+# Cookie domain becomes ".sschuhmann.de" to allow subdomains
+cookie_domain = "." + settings.domain.split(".")[-2] + "." + settings.domain.split(".")[-1]
+```
+
+### SameSite Policy
+- Development (`localhost`): `samesite="lax"`, `secure=False` (if debug=True)
+- Production: `samesite="none"`, `secure=True` (requires HTTPS)
+
+### CORS Origins
+- Default: `https://{domain}`, `http://localhost:3000`
+- Production: Also adds `https://{domain}`, `http://{domain}`
+- Additional: From `CORS_ORIGINS` environment variable
+
+## Testing Instructions
+
+### 1. Local Development
+```bash
+# Test with localhost (should work as before)
+curl -X POST http://localhost:8000/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email":"test@example.com","password":"password"}' \
+  --cookie-jar cookies.txt
+```
+
+### 2. Production Domain
+```bash
+# Test with production domain
+curl -X POST https://rehearshalhub.sschuhmann.de/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email":"test@example.com","password":"password"}' \
+  --cookie-jar cookies.txt \
+  --insecure  # Only if using self-signed cert
+```
+
+### 3. Cross-Origin Test
+```bash
+# Test CORS headers
+curl -I -X OPTIONS https://rehearshalhub.sschuhmann.de/api/v1/auth/login \
+  -H "Origin: https://rehearshalhub.sschuhmann.de" \
+  -H "Access-Control-Request-Method: POST" \
+  -H "Access-Control-Request-Headers: content-type"
+```
+
+## Security Considerations
+
+1. **HTTPS Required**: The `secure=True` cookie flag requires HTTPS in production
+2. **SameSite=None**: Requires HTTPS and provides cross-site cookie functionality
+3. **CORS Safety**: Credentials are still restricted to allowed origins
+4. **CSRF Protection**: Maintain existing protections as cookies are httpOnly
+
+## Rollback Plan
+
+If issues occur, revert changes by:
+1. Changing domain back to `localhost` in `.env` files
+2. Removing the CORS origins logic
+3. Reverting cookie settings to original values
+
+## Files Modified
+- `api/src/rehearsalhub/main.py` - CORS middleware configuration
+- `api/src/rehearsalhub/routers/auth.py` - Cookie settings
+- `api/src/rehearsalhub/config.py` - Added cors_origins config
+- `.env` - Domain and CORS configuration
+- `api/.env` - Domain and CORS configuration