Fix CSRF: add before_request session init, limit CORS to API routes

web_app/__init__.py

@@ -29,8 +29,13 @@ def create_app(config_class=Config):
 
     # Initialize CSRF protection
     csrf.init_app(app)
+    
+    # Exempt API endpoints from CSRF (they use token auth)
+    @csrf.exempt
+    def csrf_exempt_api():
+        pass
 
-    # Enable CORS for all routes
+    # Enable CORS for API routes only (not for auth pages)
     # This allows requests from Codespace frontend and mobile app
     allowed_origins = [
         "http://localhost:3000",   # React frontend
@@ -45,14 +50,13 @@ def create_app(config_class=Config):
     if extra_origin and extra_origin not in allowed_origins:
         allowed_origins.append(extra_origin)
 
-    # For mobile devices, allow all origins since they don't send Origin header
-    # or send the local IP which varies
+    # Apply CORS only to /api/* routes to avoid interfering with session cookies
     CORS(app,
-         resources={r"/*": {"origins": "*"}},
+         resources={r"/api/*": {"origins": "*"}},
          methods=["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"],
          allow_headers=["Content-Type", "Authorization", "X-Requested-With"],
-         supports_credentials=False,  # Must be False when using wildcard origin
-         max_age=3600)  # Preflight cache time
+         supports_credentials=False,
+         max_age=3600)
 
     # Set DEV_MODE from environment
     app.config['DEV_MODE'] = os.environ.get(
@@ -63,6 +67,14 @@ def create_app(config_class=Config):
     db.init_app(app)
     login_manager.init_app(app)
     migrate.init_app(app, db)
+    
+    # Ensure session is always started (required for CSRF tokens)
+    @app.before_request
+    def ensure_session():
+        from flask import session
+        if '_csrf_token' not in session:
+            session['_csrf_token'] = True
+            session.modified = True
 
     # Initialize Redis connection for RQ
     try: