rehearshalhub/LOGIN_BUG_FIX_SUMMARY.md
2026-04-08 15:10:52 +02:00


Login Bug Fix Summary

Problem Analysis

The login issue was caused by CORS and cookie domain restrictions that prevented users from logging in from different hosts (e.g., rehearshalhub.sschuhmann.de or IP addresses).

Root Causes Identified

  1. CORS Restrictions: API only allowed requests from https://{settings.domain} and http://localhost:3000
  2. Cookie Domain Issues: rh_token cookie was set without explicit domain, causing cross-domain problems
  3. SameSite Cookie Policy: samesite="lax" was blocking cross-site cookie sending
  4. Domain Configuration: Was set to localhost instead of the production domain

Changes Made

1. CORS Configuration (api/src/rehearsalhub/main.py)

  • Made CORS middleware more flexible by adding the production domain automatically
  • Added support for additional CORS origins via environment variable CORS_ORIGINS
  • Now allows both HTTP and HTTPS for the configured domain

2. Cookie Settings (api/src/rehearsalhub/routers/auth.py)

  • Added dynamic cookie domain detection for production domains
  • Changed samesite policy to "none" with secure=True for cross-site functionality
  • Made cookie settings adaptive based on domain configuration

3. Configuration Updates (api/src/rehearsalhub/config.py)

  • Added cors_origins configuration option for additional CORS origins

4. Environment Files (.env and api/.env)

  • Updated DOMAIN from localhost to rehearshalhub.sschuhmann.de
  • Added CORS_ORIGINS with production domain URLs
  • Updated ACME_EMAIL to match the domain

Technical Details

# For production domains like "rehearshalhub.sschuhmann.de"
# Cookie domain becomes ".sschuhmann.de" to allow subdomains
labels = settings.domain.split(".")
# Single-label hosts such as "localhost" have no parent domain; leave the
# Domain attribute unset so the browser stores a host-only cookie
cookie_domain = "." + ".".join(labels[-2:]) if len(labels) >= 2 else None

SameSite Policy

  • Development (localhost): samesite="lax", secure=False (if debug=True)
  • Production: samesite="none", secure=True (requires HTTPS)

CORS Origins

  • Default: https://{domain}, http://localhost:3000
  • Production: Also adds https://{domain}, http://{domain}
  • Additional: From CORS_ORIGINS environment variable
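The cookie and CORS rules described in this section, pulled together as an added example (not code from the repository). The `Settings` class stands in for the app's settings object, which the summary references but does not show; the origin check mirrors the exact-match behaviour of Starlette's `CORSMiddleware` for `allow_origins`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Settings:
    """Hypothetical stand-in for the app's settings (domain, debug, CORS_ORIGINS)."""
    domain: str = "localhost"
    debug: bool = False
    cors_origins: str = ""  # comma-separated, mirrors the CORS_ORIGINS variable


def is_local(domain: str) -> bool:
    # Single-label hosts and loopback addresses are treated as development
    return domain in ("localhost", "127.0.0.1") or "." not in domain


def cookie_domain(domain: str) -> Optional[str]:
    # "rehearshalhub.sschuhmann.de" -> ".sschuhmann.de" (shared by all subdomains);
    # "localhost" -> None, i.e. a host-only cookie without a Domain attribute
    labels = domain.split(".")
    return "." + ".".join(labels[-2:]) if len(labels) >= 2 else None


def cookie_params(settings: Settings) -> dict:
    # Development: lax + secure only when not debugging; production: none + secure
    if is_local(settings.domain):
        return {"domain": None, "samesite": "lax",
                "secure": not settings.debug, "httponly": True}
    return {"domain": cookie_domain(settings.domain), "samesite": "none",
            "secure": True, "httponly": True}


def allowed_origins(settings: Settings) -> list:
    origins = [f"https://{settings.domain}", "http://localhost:3000"]
    if not is_local(settings.domain):
        origins += [f"https://{settings.domain}", f"http://{settings.domain}"]
    origins += [o.strip() for o in settings.cors_origins.split(",") if o.strip()]
    # Browsers refuse "*" together with credentials, and a wildcard would undo
    # the origin restriction the summary relies on, so reject it outright
    if "*" in origins:
        raise ValueError("wildcard origin is not allowed with credentialed CORS")
    return list(dict.fromkeys(origins))  # de-duplicate, keep order


def cors_allows(origin: Optional[str], settings: Settings) -> bool:
    # Exact string comparison: no prefix or suffix matching on the Origin header
    return origin is not None and origin in allowed_origins(settings)
```

Only the exact origins built above are accepted; a lookalike such as `https://rehearshalhub.sschuhmann.de.example.test` or a plain `http://` origin not in the list is rejected.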

Testing Instructions

1. Local Development

# Test with localhost (should work as before)
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"password"}' \
  --cookie-jar cookies.txt

2. Production Domain

# Test with production domain
curl -X POST https://rehearshalhub.sschuhmann.de/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"password"}' \
  --cookie-jar cookies.txt \
  --insecure  # Only if using self-signed cert

3. Cross-Origin Test

# Test CORS headers
curl -I -X OPTIONS https://rehearshalhub.sschuhmann.de/api/v1/auth/login \
  -H "Origin: https://rehearshalhub.sschuhmann.de" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: content-type"

Security Considerations

  1. HTTPS Required: The secure=True cookie flag requires HTTPS in production
  2. SameSite=None: Requires HTTPS and provides cross-site cookie functionality
  3. CORS Safety: Credentials are still restricted to allowed origins
  4. CSRF Protection: Maintain the existing protections. httpOnly only keeps JavaScript from reading the cookie; with samesite="none" the browser still attaches it to cross-site requests, so a dedicated CSRF defense (anti-CSRF token or Origin/Referer check) remains necessary

Rollback Plan

If issues occur, revert changes by:

  1. Changing domain back to localhost in .env files
  2. Removing the CORS origins logic
  3. Reverting cookie settings to original values

Files Modified

  • api/src/rehearsalhub/main.py - CORS middleware configuration
  • api/src/rehearsalhub/routers/auth.py - Cookie settings
  • api/src/rehearsalhub/config.py - Added cors_origins config
  • .env - Domain and CORS configuration
  • api/.env - Domain and CORS configuration