Update .gitignore to include frontend and Lung Cancer Guidelines directories. Enhance CORS middleware configuration to allow origins from environment variables, with defaults for local development. Modify session cookie settings to require secure flag for SameSite=None, improving security for cross-site requests.

.gitignore

@@ -144,6 +144,7 @@ ENV/
 env.bak/
 venv.bak/
 
+
 # Spyder project settings
 .spyderproject
 .spyproject
@@ -206,5 +207,6 @@ marimo/_static/
 marimo/_lsp/
 __marimo__/
 
-# Frontend
-# frontend/
+
+Lung Cancer Guidelines/
+frontend/

api/middleware.py

@@ -139,9 +139,22 @@ class AuthenticationMiddleware(BaseHTTPMiddleware):
 
 def get_cors_middleware_config():
     """Get CORS middleware configuration"""
+    import os
+    
+    # Get allowed origins from environment or use defaults
+    allowed_origins = os.getenv("ALLOWED_ORIGINS", "").split(",")
+    if not allowed_origins or allowed_origins == [""]:
+        # Default to allowing Hugging Face Space and localhost
+        allowed_origins = [
+            "https://moazx-api.hf.space",
+            "http://localhost:8000",
+            "http://127.0.0.1:8000"
+        ]
+    
     return {
-        "allow_origins": ["*"],  # Configure appropriately for production
+        "allow_origins": allowed_origins,
         "allow_credentials": True,
         "allow_methods": ["*"],
         "allow_headers": ["*"],
+        "expose_headers": ["*"],
     }

api/routers/auth.py

@@ -112,8 +112,8 @@ async def login(
         value=token,
         httponly=True,
         max_age=SESSION_MAX_AGE,
-        samesite="lax",
-        secure=False  # Set to True in production with HTTPS
+        samesite="none",
+        secure=True  # Required for SameSite=None
     )
     
     logger.info(f"Successful login for user: {username}")