Fix CSRF: initialize session and disable secure cookie for HF internal HTTP

config.py

@@ -31,9 +31,10 @@ class Config:
     PERMANENT_SESSION_LIFETIME = 7200  # 2 hours
     SESSION_COOKIE_NAME = 'learning_path_session'
     
-    # Production settings (HF Spaces uses HTTPS)
-    SESSION_COOKIE_SECURE = IS_PRODUCTION  # True for HTTPS, False for HTTP
-    REMEMBER_COOKIE_SECURE = IS_PRODUCTION
+    # HF Spaces internal traffic is HTTP even though external is HTTPS
+    # Setting SECURE=False allows cookies to be set over internal HTTP
+    SESSION_COOKIE_SECURE = False  # Must be False for HF Spaces
+    REMEMBER_COOKIE_SECURE = False
     REMEMBER_COOKIE_SAMESITE = 'Lax'
         
     LOG_TO_STDOUT = os.environ.get('LOG_TO_STDOUT')

web_app/auth_routes.py

@@ -1,4 +1,4 @@
-from flask import Blueprint, render_template, redirect, url_for, flash, request, jsonify
+from flask import Blueprint, render_template, redirect, url_for, flash, request, jsonify, session
 from flask_login import login_user, logout_user, login_required, current_user
 # Assuming db and login_manager are initialized in __init__.py
 from web_app import db, login_manager
@@ -15,6 +15,10 @@ bp = Blueprint('auth', __name__, template_folder='templates/auth')
 
 @bp.route('/register', methods=['GET', 'POST'])
 def register():
+    # Ensure session is initialized for CSRF token
+    session.setdefault('_csrf_init', True)
+    session.modified = True
+    
     if current_user.is_authenticated:
         return redirect('/')  # Redirect to React homepage
 
@@ -50,6 +54,10 @@ def register():
 
 @bp.route('/login', methods=['GET', 'POST'])
 def login():
+    # Ensure session is initialized for CSRF token
+    session.setdefault('_csrf_init', True)
+    session.modified = True
+    
     if current_user.is_authenticated:
         return redirect('/')