Spaces:

moazx
/

Lung-Cancer-AI-Advisor

Running

App Files Files Community

moazx commited on Oct 22

Commit

898dfc1

verified ·

1 Parent(s): 282f966

Update api/routers/auth.py

Browse files

Files changed (1) hide show

api/routers/auth.py +25 -11

api/routers/auth.py CHANGED Viewed

@@ -100,6 +100,9 @@ async def login(
     """
     Login endpoint - validates credentials and creates session
     """
     # Verify credentials
     if not verify_credentials(username, password):
         logger.warning(f"Failed login attempt for username: {username}")
@@ -107,18 +110,22 @@ async def login(
     # Create session
     token = create_session(username)
     # Set secure cookie
-    # In development (HTTP), use lax samesite and secure=False
-    # In production (HTTPS), use none samesite and secure=True
-    is_production = os.getenv("ENVIRONMENT", "development") == "production"
-    origin = request.headers.get("origin")
-    parsed_origin = urlparse(origin) if origin else None
-    is_cross_site = bool(parsed_origin and parsed_origin.hostname and parsed_origin.hostname != request.url.hostname)
-    is_https = request.url.scheme == "https"
-    samesite = "none" if (is_https and (is_production or is_cross_site)) else "lax"
-    secure = True if samesite == "none" else is_production
     response.set_cookie(
         key="session_token",
@@ -126,7 +133,8 @@ async def login(
         httponly=True,
         max_age=SESSION_MAX_AGE,
         samesite=samesite,
-        secure=secure
     )
     logger.info(f"Successful login for user: {username}")
@@ -175,12 +183,18 @@ async def verify(session_token: Optional[str] = Cookie(None)):
 @router.get("/status")
-async def status(session_token: Optional[str] = Cookie(None)):
     """
     Check authentication status without raising exception
     """
     session_data = verify_session(session_token)
     return {
         "authenticated": session_data is not None,
         "username": session_data.get("username") if session_data else None

     """
     Login endpoint - validates credentials and creates session
     """
+    # Log login attempt
+    logger.info(f"Login attempt for username: {username}, Origin: {request.headers.get('origin')}")
     # Verify credentials
     if not verify_credentials(username, password):
         logger.warning(f"Failed login attempt for username: {username}")
     # Create session
     token = create_session(username)
+    logger.info(f"Session created for user: {username}")
     # Set secure cookie
+    # Detect if we're running on HTTPS (Hugging Face Spaces use HTTPS)
+    is_https = request.url.scheme == "https" or request.headers.get("x-forwarded-proto") == "https"
+    # For HTTPS (production/HF Spaces), use SameSite=None with Secure=True for cross-origin
+    # For HTTP (local dev), use SameSite=Lax with Secure=False
+    if is_https:
+        samesite = "none"
+        secure = True
+    else:
+        samesite = "lax"
+        secure = False
+    logger.info(f"Setting cookie with samesite={samesite}, secure={secure}, is_https={is_https}")
     response.set_cookie(
         key="session_token",
         httponly=True,
         max_age=SESSION_MAX_AGE,
         samesite=samesite,
+        secure=secure,
+        path="/"
     )
     logger.info(f"Successful login for user: {username}")
 @router.get("/status")
+async def status(request: Request, session_token: Optional[str] = Cookie(None)):
     """
     Check authentication status without raising exception
     """
+    logger.info(f"Status check - Cookie present: {session_token is not None}, Origin: {request.headers.get('origin')}")
     session_data = verify_session(session_token)
+    if session_data:
+        logger.info(f"Status check - Authenticated as: {session_data.get('username')}")
+    else:
+        logger.info("Status check - Not authenticated")
     return {
         "authenticated": session_data is not None,
         "username": session_data.get("username") if session_data else None