'changes'

README.md

@@ -9,3 +9,14 @@ short_description: TaskFlow A Full-Stack-Web-Application Hackathon 2 Phase 2
 ---
 
 Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+
+## Cross-site deployment notes 🔧
+
+If your backend is hosted on a different domain (e.g., Hugging Face Spaces) than your frontend (e.g., Vercel), follow these steps to make cookie-based auth work:
+
+- Set `FRONTEND_URL` in your environment to your Vercel URL (e.g. `https://your-app.vercel.app`).
+- Ensure `JWT_COOKIE_SECURE=True` in production (browsers require `Secure` when `SameSite=None`).
+- Frontend fetch calls that rely on cookies must use `credentials: 'include'` (e.g. `fetch(url, { method, credentials: 'include' })`).
+- Backend CORS must have `allow_credentials=True` and the exact frontend origin (not `*`) in allowed origins. This project reads `FRONTEND_URL` for that purpose.
+
+If cookies are still not sent/received, open DevTools network tab and inspect the `Set-Cookie` response header and browser cookie/journal to see why it was blocked (e.g., SameSite/Secure/Domain issues).

requirements.txt

@@ -1,7 +1,5 @@
 alembic>=1.17.2
 fastapi>=0.124.4
-passlib>=1.7.4
-bcrypt>=4.0.0,<4.2.0
 passlib[bcrypt]==1.7.4
 bcrypt==4.2.1
 psycopg2-binary>=2.9.11

src/main.py

@@ -21,14 +21,20 @@ app.include_router(tasks.router)
 app.include_router(projects.router)
 
 # CORS configuration (development and production)
+# Use configured frontend origin (set your Vercel URL in FRONTEND_URL production env)
+allow_origins = [settings.FRONTEND_URL]
+# Always include localhost for local development/testing convenience
+if "localhost" not in settings.FRONTEND_URL:
+    allow_origins.append("http://localhost:3000")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["https://task-flow-mauve-zeta.vercel.app", "http://localhost:3000"],  # Use configured frontend origin (set to your Vercel URL in production)
+    allow_origins=list(dict.fromkeys(allow_origins)),  # deduplicate if FRONTEND_URL is localhost
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
-    # Expose headers for auth
-    expose_headers=["Access-Control-Allow-Origin", "Set-Cookie"]
+    # Expose Set-Cookie so clients can inspect (browsers handle cookies automatically for credentials)
+    expose_headers=["Set-Cookie"]
 )
 
 @app.get("/api/health")

src/routers/auth.py

@@ -15,6 +15,12 @@ from ..config import settings
 
 router = APIRouter(prefix="/api/auth", tags=["auth"])
 
+# NOTE: For cross-site cookie auth to work (backend on a different domain than the frontend):
+# - The frontend must call login/register endpoints with `fetch(..., credentials: 'include')`
+# - The backend must have CORS allow_credentials=True and the exact frontend origin in allow_origins
+# - Cookies must be set with `Secure=True` and `samesite='none'` in production
+# See project README or docs for full details
+
 
 @router.post("/register", response_model=RegisterResponse, status_code=status.HTTP_201_CREATED)
 def register(user_data: RegisterRequest, response: Response, session: Session = Depends(get_session_dep)):
@@ -98,9 +104,8 @@ def login(login_data: LoginRequest, response: Response, session: Session = Depen
         path="/"
     )
     
-    # Debug: Print the cookie being set
-    print(f"Setting cookie: access_token={access_token}")
-    print(f"Cookie attributes: httponly={True}, secure={settings.JWT_COOKIE_SECURE}, samesite=none, max_age={settings.ACCESS_TOKEN_EXPIRE_DAYS * 24 * 60 * 60}")
+    # Debug: Print cookie attributes (do NOT log token value in production)
+    print(f"Cookie set (httponly={True}, secure={settings.JWT_COOKIE_SECURE}, samesite=none, max_age={settings.ACCESS_TOKEN_EXPIRE_DAYS * 24 * 60 * 60})")
 
     # Return response
     return LoginResponse(