WIP: Working on player

api/src/rehearsalhub/config.py

@@ -21,6 +21,8 @@ class Settings(BaseSettings):
     # App
     domain: str = "localhost"
     debug: bool = False
+    # Additional CORS origins (comma-separated)
+    cors_origins: str = ""
 
     # Worker
     analysis_version: str = "1.0.0"

api/src/rehearsalhub/main.py

@@ -52,9 +52,24 @@ def create_app() -> FastAPI:
     app.state.limiter = limiter
     app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
 
+    # Get allowed origins from environment or use defaults
+    allowed_origins = [f"https://{settings.domain}", "http://localhost:3000"]
+    
+    # Add specific domain for production
+    if settings.domain != "localhost":
+        allowed_origins.extend([
+            f"https://{settings.domain}",
+            f"http://{settings.domain}",
+        ])
+    
+    # Add additional CORS origins from environment variable
+    if settings.cors_origins:
+        additional_origins = [origin.strip() for origin in settings.cors_origins.split(",")]
+        allowed_origins.extend(additional_origins)
+    
     app.add_middleware(
         CORSMiddleware,
-        allow_origins=[f"https://{settings.domain}", "http://localhost:3000"],
+        allow_origins=allowed_origins,
         allow_credentials=True,
         allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE"],
         allow_headers=["Authorization", "Content-Type", "Accept"],

api/src/rehearsalhub/routers/auth.py

@@ -52,14 +52,29 @@ async def login(
             status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials"
         )
     settings = get_settings()
+    
+    # Determine cookie domain based on settings
+    cookie_domain = None
+    if settings.domain != "localhost":
+        # For production domains, set cookie domain to allow subdomains
+        if "." in settings.domain:  # Check if it's a proper domain
+            cookie_domain = "." + settings.domain.split(".")[-2] + "." + settings.domain.split(".")[-1]
+    
+    # For cross-site functionality, use samesite="none" with secure flag.
+    # localhost is always plain HTTP — never set Secure there or the browser drops the cookie.
+    is_localhost = settings.domain == "localhost"
+    samesite_value = "lax" if is_localhost else "none"
+    secure_flag = False if is_localhost else True
+    
     response.set_cookie(
         key="rh_token",
         value=token.access_token,
         httponly=True,
-        secure=not settings.debug,
-        samesite="lax",
+        secure=secure_flag,
+        samesite=samesite_value,
         max_age=settings.access_token_expire_minutes * 60,
         path="/",
+        domain=cookie_domain,
     )
     return token