fix OAUTH 'in' HF v3

src/app.py

@@ -67,7 +67,8 @@ def create_app():
     
     # Session cookie configuration
     # For HTTPS (HF Spaces): Set SESSION_COOKIE_SECURE=true
-    app.config["SESSION_COOKIE_SECURE"] = os.getenv("SESSION_COOKIE_SECURE", "False") == "True"
+    secure_cookie = os.getenv("SESSION_COOKIE_SECURE", "False") == "True"
+    app.config["SESSION_COOKIE_SECURE"] = secure_cookie
     app.config["SESSION_COOKIE_HTTPONLY"] = (
         os.getenv("SESSION_COOKIE_HTTPONLY", "True") == "True"
     )
@@ -76,10 +77,20 @@ def create_app():
     app.config["SESSION_COOKIE_SAMESITE"] = None if samesite_value == "None" else samesite_value
     app.config["SESSION_COOKIE_NAME"] = "prepmate_session"  # Explicit session cookie name
     # Don't set SESSION_COOKIE_DOMAIN - let Flask handle it automatically
+    app.config["SESSION_COOKIE_PATH"] = "/"  # Ensure cookie is valid for all paths
     app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(
         seconds=int(os.getenv("PERMANENT_SESSION_LIFETIME", "2592000"))
     )
     
+    # Log session configuration for debugging
+    print(f"[CONFIG] SESSION_COOKIE_SECURE={secure_cookie}")
+    print(f"[CONFIG] SESSION_COOKIE_SAMESITE={app.config['SESSION_COOKIE_SAMESITE']}")
+    print(f"[CONFIG] SESSION_COOKIE_NAME={app.config['SESSION_COOKIE_NAME']}")
+    print(f"[CONFIG] PERMANENT_SESSION_LIFETIME={app.config['PERMANENT_SESSION_LIFETIME']}")
+    print(f"[CONFIG] SESSION_COOKIE_SECURE={secure_cookie}")
+    print(f"[CONFIG] SESSION_COOKIE_SAMESITE={app.config['SESSION_COOKIE_SAMESITE']}")
+    print(f"[CONFIG] SESSION_COOKIE_NAME={app.config['SESSION_COOKIE_NAME']}")
+    
     # Authlib configuration for OAuth state management
     app.config["AUTHLIB_INSECURE_TRANSPORT"] = os.getenv("FLASK_ENV") == "development"
     

src/routes/auth.py

@@ -30,15 +30,25 @@ def login():
     logger.info(f"[OAUTH] Request host: {request.host}")
     logger.info(f"[OAUTH] Request scheme: {request.scheme}")
     
+    # Store redirect_uri in session for callback verification
+    session["oauth_redirect_uri"] = redirect_uri
+    session["test_marker"] = "login_triggered"  # Test value to verify session persistence
+    
+    # Make session permanent to ensure cookie gets set with proper expiry
+    session.permanent = True
+    
     # Mark session as modified to ensure it's saved before redirect
     session.modified = True
     
-    # Store redirect_uri in session for callback verification
-    session["oauth_redirect_uri"] = redirect_uri
+    logger.info(f"[OAUTH] Session data stored: oauth_redirect_uri={redirect_uri}")
+    logger.info(f"[OAUTH] Session keys after storage: {list(session.keys())}")
     
     response = auth_service.hf.authorize_redirect(redirect_uri)
     logger.info(f"[OAUTH] Redirecting to OAuth provider, response location: {response.location if hasattr(response, 'location') else 'N/A'}")
     
+    # Log set cookies to verify session cookie is being sent
+    logger.info(f"[OAUTH] Response cookies: {response.headers.getlist('Set-Cookie')}")
+    
     return response
 
 
@@ -57,10 +67,12 @@ def callback():
     logger.info(f"[OAUTH] Request args: {dict(request.args)}")
     
     try:
-        # Debug session state
+        # Debug session state and cookies
+        logger.info(f"[OAUTH] Cookies received: {list(request.cookies.keys())}")
+        logger.info(f"[OAUTH] Cookie values (redacted): {[(k, v[:20] + '...' if len(v) > 20 else v) for k, v in request.cookies.items()]}")
         logger.info(f"[OAUTH] Session keys: {list(session.keys())}")
+        logger.info(f"[OAUTH] Test marker from login: {session.get('test_marker')}")
         logger.info(f"[OAUTH] OAuth state in session: {session.get('_state_huggingface')}")
-        logger.info(f"[OAUTH] Cookies received: {list(request.cookies.keys())}")
         
         # Exchange authorization code for access token
         # Authlib automatically validates the state and uses the redirect_uri from the session