cors

app.py

@@ -146,9 +146,13 @@ app = FastAPI(
 )
 
 # Configure CORS
+# For cookies to work with credentials, we need specific origins (not "*")
+allowed_origins = os.getenv("CORS_ORIGINS", "http://localhost:3000,http://localhost:5173").split(",")
+logger.info(f"CORS allowed origins: {allowed_origins}")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Configure appropriately for production
+    allow_origins=allowed_origins,  # Specific origins for production
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

core/database.py

@@ -7,7 +7,7 @@ import os
 
 # Database configuration
 DB_NAME = os.getenv("DB_NAME", "apigateway")
-ENV = os.getenv("ENV", "prod")
+ENV = os.getenv("ENVIRONMENT", "production")
 DB_FILENAME = f"{DB_NAME}_{ENV}.db"
 
 # Database URL - SQLite file in the same directory

routers/auth.py

@@ -239,21 +239,27 @@ async def google_auth(
     }
     
     # Handle token delivery based on client type
-    if request.client_type == "web":
+    if client_type == "web":
         # Web: Set HttpOnly cookie for refresh token
         response = JSONResponse(content=response_data)
+        # Cookie settings for production
+        import os
+        is_production = os.getenv("ENVIRONMENT", "production") == "production"
         response.set_cookie(
             key="refresh_token",
             value=refresh_token,
             httponly=True,
-            secure=True,  # Should be True in production
-            samesite="lax",
-            max_age=7 * 24 * 60 * 60  # 7 days
+            secure=is_production,  # True in production (HTTPS), False locally (HTTP)
+            samesite="none" if is_production else "lax",  # 'none' for cross-origin in production
+            max_age=7 * 24 * 60 * 60,  # 7 days
+            domain=None  # Let browser set domain automatically
         )
+        logger.info(f"Set refresh_token cookie for web client (production={is_production})")
     else:
         # Mobile: Return refresh token in body
         response_data["refresh_token"] = refresh_token
         response = JSONResponse(content=response_data)
+        logger.info(f"Returned refresh_token in body for mobile client")
         
     return response
 
@@ -372,14 +378,19 @@ async def refresh_token(
         if using_cookie:
             # If came from cookie, rotate cookie
             response = JSONResponse(content=response_data)
+            # Cookie settings for production
+            import os
+            is_production = os.getenv("ENVIRONMENT", "production") == "production"
             response.set_cookie(
                 key="refresh_token",
                 value=new_refresh_token,
                 httponly=True,
-                secure=True,
-                samesite="lax",
-                max_age=7 * 24 * 60 * 60
+                secure=is_production,  # True in production (HTTPS), False locally (HTTP)
+                samesite="none" if is_production else "lax",  # 'none' for cross-origin in production
+                max_age=7 * 24 * 60 * 60,
+                domain=None  # Let browser set domain automatically
             )
+            logger.info(f"Rotated refresh_token cookie (production={is_production})")
             return response
         else:
             # If came from body, return in body