rehearshalhub/LOGIN_BUG_FIX_SUMMARY.md
2026-04-08 15:10:52 +02:00

# Login Bug Fix Summary
## Problem Analysis
The login issue was caused by CORS and cookie domain restrictions that prevented users from logging in from different hosts (e.g., `rehearshalhub.sschuhmann.de` or IP addresses).
## Root Causes Identified
1. **CORS Restrictions**: API only allowed requests from `https://{settings.domain}` and `http://localhost:3000`
2. **Cookie Domain Issues**: `rh_token` cookie was set without explicit domain, causing cross-domain problems
3. **SameSite Cookie Policy**: `samesite="lax"` was blocking cross-site cookie sending
4. **Domain Configuration**: Was set to `localhost` instead of the production domain
## Changes Made
### 1. CORS Configuration (`api/src/rehearsalhub/main.py`)
- Made CORS middleware more flexible by adding the production domain automatically
- Added support for additional CORS origins via environment variable `CORS_ORIGINS`
- Now allows both HTTP and HTTPS for the configured domain
### 2. Cookie Configuration (`api/src/rehearsalhub/routers/auth.py`)
- Added dynamic cookie domain detection for production domains
- Changed `samesite` policy to `"none"` with `secure=True` for cross-site functionality
- Made cookie settings adaptive based on domain configuration
### 3. Configuration Updates (`api/src/rehearsalhub/config.py`)
- Added `cors_origins` configuration option for additional CORS origins
### 4. Environment Files (`.env` and `api/.env`)
- Updated `DOMAIN` from `localhost` to `rehearshalhub.sschuhmann.de`
- Added `CORS_ORIGINS` with production domain URLs
- Updated `ACME_EMAIL` to match the domain
## Technical Details
### Cookie Domain Logic
```python
# For production domains like "rehearshalhub.sschuhmann.de" the cookie
# domain becomes ".sschuhmann.de" so that subdomains share the cookie.
# A single-label host such as "localhost" has no parent domain, so the
# Domain attribute is omitted (None) instead of indexing past the list.
labels = settings.domain.split(".")
cookie_domain = "." + ".".join(labels[-2:]) if len(labels) >= 2 else None
```
### SameSite Policy
- Development (`localhost`): `samesite="lax"`, `secure=False` (if debug=True)
- Production: `samesite="none"`, `secure=True` (requires HTTPS)
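The cookie domain logic and the SameSite policy above, worked through as one added example (this is not the project's `auth.py`; `registrable_domain`, `cookie_settings`, `CookieSettings` and the tiny `_MULTI_LABEL_SUFFIXES` table are constructed for illustration). Two caveats a practitioner should keep in mind: a `Domain=.sschuhmann.de` cookie is sent to every host under `sschuhmann.de`, so any other service on that parent domain receives the session cookie and the parent domain must be fully trusted; and the "last two labels" rule breaks on multi-label public suffixes such as `co.uk`, where browsers reject the resulting cookie, so a real deployment should consult the Public Suffix List. The example also omits the Domain attribute for IP-address hosts (browsers never domain-match an IP) and enforces that `SameSite=None` is only ever combined with `Secure`, which means an IP-address host in production still needs HTTPS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed, deliberately incomplete sample of multi-label public suffixes.
# A real deployment would consult the Public Suffix List instead.
_MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the parent domain a shared cookie may be scoped to, or None.

    None means "omit the Domain attribute": the browser then binds the
    cookie to the exact host, which is the right outcome for localhost
    and for bare IP addresses (a Domain attribute never matches an IP).
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None  # single-label host such as "localhost"
    if ".".join(labels[-2:]) in _MULTI_LABEL_SUFFIXES:
        if len(labels) < 3:
            return None  # the host *is* a public suffix; never scope a cookie to it
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class CookieSettings:
    domain: Optional[str]
    samesite: str
    secure: bool
    httponly: bool = True


def cookie_settings(configured_domain: str, debug: bool) -> CookieSettings:
    """Derive the rh_token cookie attributes from the configured domain."""
    parent = registrable_domain(configured_domain)
    if configured_domain.lower() == "localhost":
        # Development: lax keeps the cookie first-party; plain HTTP is
        # tolerated only when debug is on.
        cs = CookieSettings(domain=None, samesite="lax", secure=not debug)
    else:
        # Production: cross-site delivery needs SameSite=None, which browsers
        # only honour on a Secure cookie, so HTTPS is mandatory.
        cs = CookieSettings(
            domain="." + parent if parent else None, samesite="none", secure=True
        )
    if cs.samesite == "none" and not cs.secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    return cs
```

`cookie_settings("rehearshalhub.sschuhmann.de", debug=False)` yields `Domain=.sschuhmann.de; SameSite=None; Secure; HttpOnly`, while `cookie_settings("localhost", debug=True)` yields a host-only `SameSite=Lax` cookie without `Secure`.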
### CORS Origins
- Default: `https://{domain}`, `http://localhost:3000`
- Production: Also adds `https://{domain}`, `http://{domain}`
- Additional: From `CORS_ORIGINS` environment variable
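Assembling the allow-list from those three sources, as an added example that is not the project's `main.py` or `config.py` (`normalize_origin`, `build_cors_origins` and `is_allowed_origin` are constructed names; the comma-separated format of `CORS_ORIGINS` is an assumption). The point worth checking in a credentialed (cookie-based) CORS setup is that every entry is a plain `scheme://host[:port]` origin compared exactly: a browser refuses `*` as the allowed origin when credentials are involved, and prefix, substring or regex matching against the `Origin` header is the classic way such an allow-list ends up wider than intended.

```python
from typing import Iterable, List
from urllib.parse import urlsplit


def normalize_origin(value: str) -> str:
    """Validate one CORS origin and return it as canonical scheme://host[:port].

    Raises ValueError for anything that is not a plain origin: wildcards,
    paths, query strings, unsupported schemes. '*' is rejected outright
    because browsers refuse it on credentialed requests anyway, and a typo
    here would otherwise silently widen the allow-list.
    """
    value = value.strip()
    if not value or value == "*":
        raise ValueError(f"wildcard or empty origin not allowed: {value!r}")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"origin needs an http(s) scheme and host: {value!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or "*" in parts.netloc:
        raise ValueError(f"origin must not carry a path, query or wildcard: {value!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def build_cors_origins(domain: str, cors_origins_env: str = "") -> List[str]:
    """Assemble the allow-list the CORS middleware is configured with."""
    origins = [f"https://{domain}", "http://localhost:3000"]       # defaults
    if domain != "localhost":
        origins.append(f"http://{domain}")                          # production adds plain HTTP
    origins += [o for o in cors_origins_env.split(",") if o.strip()]  # CORS_ORIGINS (assumed comma-separated)
    seen, result = set(), []
    for o in origins:
        canon = normalize_origin(o)   # fail loudly on a malformed entry
        if canon not in seen:
            seen.add(canon)
            result.append(canon)
    return result


def is_allowed_origin(origin: str, allowed: Iterable[str]) -> bool:
    """Exact, whole-origin comparison; no prefix or substring matching."""
    try:
        return normalize_origin(origin) in set(allowed)
    except ValueError:
        return False
```

Whatever middleware `main.py` uses must separately be told to allow credentials; this helper only produces the list it is given. Feeding it `build_cors_origins("rehearshalhub.sschuhmann.de", "https://rehearshalhub.sschuhmann.de, http://10.0.0.5:3000")` deduplicates the repeated production origin and keeps the extra one from the environment.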
## Testing Instructions
### 1. Local Development
```bash
# Test with localhost (should work as before)
curl -X POST http://localhost:8000/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"password"}' \
--cookie-jar cookies.txt
```
### 2. Production Domain
```bash
# Test with production domain
curl -X POST https://rehearshalhub.sschuhmann.de/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"test@example.com","password":"password"}' \
--cookie-jar cookies.txt \
--insecure # Only if using self-signed cert
```
### 3. Cross-Origin Test
```bash
# Test CORS headers
curl -I -X OPTIONS https://rehearshalhub.sschuhmann.de/api/v1/auth/login \
-H "Origin: https://rehearshalhub.sschuhmann.de" \
-H "Access-Control-Request-Method: POST" \
-H "Access-Control-Request-Headers: content-type"
```
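What to look for in the output of that preflight request, as an added example rather than part of the original summary. `parse_header_block` and `preflight_problems` are constructed helpers, and the two response texts are constructed samples shaped like `curl -I` output; feed the real output in their place. A credentialed login only works if the response echoes the exact requesting origin in `Access-Control-Allow-Origin` (never `*`), carries `Access-Control-Allow-Credentials: true`, lists `POST` and `content-type`, and sends `Vary: Origin` so a shared cache cannot hand one origin's reply to another.

```python
from typing import Dict, List

# Constructed sample: what a correct credentialed preflight reply looks like.
GOOD_PREFLIGHT = """HTTP/2 200
access-control-allow-origin: https://rehearshalhub.sschuhmann.de
access-control-allow-credentials: true
access-control-allow-methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT
access-control-allow-headers: content-type
vary: Origin
"""

# Constructed sample: a reply that "looks" permissive but breaks cookie login.
BAD_PREFLIGHT = """HTTP/2 200
access-control-allow-origin: *
access-control-allow-methods: GET, POST
"""


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse the header section of a curl -I style response (status line first)."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
    return headers


def preflight_problems(raw_response: str, requesting_origin: str) -> List[str]:
    """List what is wrong with a credentialed CORS preflight reply (empty list = OK)."""
    h = parse_header_block(raw_response)
    problems: List[str] = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("no Access-Control-Allow-Origin: origin is not in the allow-list")
    elif acao == "*":
        problems.append("Access-Control-Allow-Origin is '*': browsers reject this with credentials")
    elif acao != requesting_origin:
        problems.append(f"Access-Control-Allow-Origin {acao!r} does not echo the request origin")
    if h.get("access-control-allow-credentials", "").lower() != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true': the cookie will not be sent")
    methods = {m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")}
    if "POST" not in methods:
        problems.append("POST missing from Access-Control-Allow-Methods")
    hdrs = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
    if "content-type" not in hdrs:
        problems.append("content-type missing from Access-Control-Allow-Headers")
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    if "origin" not in vary:
        problems.append("missing 'Vary: Origin': a cache could serve one origin's reply to another")
    return problems
```

Run against the good sample the function returns an empty list; against the bad sample it reports the `*` origin, the missing credentials flag, the missing `content-type` header and the missing `Vary`.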
## Security Considerations
1. **HTTPS Required**: The `secure=True` cookie flag requires HTTPS in production
2. **SameSite=None**: Requires HTTPS and provides cross-site cookie functionality
3. **CORS Safety**: Credentials are still restricted to allowed origins
4. **CSRF Protection**: Maintain existing protections as cookies are httpOnly
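One caveat on point 4 that a reviewer would raise: `httpOnly` stops JavaScript from reading `rh_token`, but it does not stop the browser from attaching the cookie to a cross-site request, and `samesite="none"` removes the browser-side restriction that `lax` previously provided. The "existing protections" therefore have to hold server-side. The following is an added example, not the project's code (`csrf_allowed`, `request_origin` and `SAFE_METHODS` are constructed names), of the standard Origin-header check for cookie-authenticated state-changing requests, assuming the trusted origins are the same exact-match allow-list used for CORS; a synchronizer or double-submit CSRF token is the usual alternative or complement.

```python
from typing import Mapping, Optional, Set
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Origin header, falling back to the Referer's origin; None if neither is usable."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin != "null":
        return origin.lower()
    ref = h.get("referer")
    if ref:
        p = urlsplit(ref)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}".lower()
    return None


def csrf_allowed(method: str, headers: Mapping[str, str], allowed_origins: Set[str]) -> bool:
    """Server-side CSRF gate for cookie-authenticated endpoints.

    Safe methods pass. Every other request is accepted only if its Origin
    (or, failing that, Referer) is exactly one of our own origins. A missing
    Origin is treated as untrusted: browsers always send Origin on cross-site
    POSTs, so its absence is not evidence that the request is same-site.
    """
    if method.upper() in SAFE_METHODS:
        return True
    origin = request_origin(headers)
    return origin is not None and origin in allowed_origins
```

Wire the check in front of the login handler and every other cookie-authenticated mutation; with it in place, a `POST` carrying `rh_token` from an origin outside the allow-list is refused regardless of the cookie's SameSite attribute.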
## Rollback Plan
If issues occur, revert changes by:
1. Changing domain back to `localhost` in `.env` files
2. Removing the CORS origins logic
3. Reverting cookie settings to original values
## Files Modified
- `api/src/rehearsalhub/main.py` - CORS middleware configuration
- `api/src/rehearsalhub/routers/auth.py` - Cookie settings
- `api/src/rehearsalhub/config.py` - Added cors_origins config
- `.env` - Domain and CORS configuration
- `api/.env` - Domain and CORS configuration