Deploy: cookie fixes (Secure + None + Partitioned)

verification.py

@@ -5,8 +5,6 @@ from dotenv import load_dotenv
 BASEDIR = os.path.abspath(os.path.dirname(__file__))
 load_dotenv(os.path.join(BASEDIR, ".env"))  # loads DB_USER, DB_PASSWORD, RUN_INIT_DB
 
-
-# import os
 import logging
 from threading import Lock
 from functools import wraps
@@ -18,13 +16,16 @@ from flask import Flask, request, jsonify, make_response
 from flask_cors import CORS
 
 # ------------------------------------------------------------------------------
-# App & CORS
+# App, ENV, CORS
 # ------------------------------------------------------------------------------
 app = Flask(__name__)
-CORS(app, supports_credentials=True, origins=["http://localhost:4200"])  # add your prod origins later
 app.config['SECRET_KEY'] = '96c63da06374c1bde332516f3acbd23c84f35f90d8a6321a25d790a0a451af32'
 
-# Optional: cleaner logs on Spaces / local
+IS_PROD = os.getenv("ENV", "dev").lower() == "prod"
+_origins = os.getenv("ALLOWED_ORIGINS", "http://localhost:4200")
+ALLOWED_ORIGINS = [o.strip() for o in _origins.split(",") if o.strip()]
+CORS(app, supports_credentials=True, origins=ALLOWED_ORIGINS)
+
 logging.basicConfig(level=logging.INFO)
 
 # ------------------------------------------------------------------------------
@@ -34,10 +35,8 @@ DB_SERVER = "pykara-sqlserver.c5aosm6ie5j3.eu-north-1.rds.amazonaws.com,1433"
 DB_DATABASE = "AuthenticationDB1"
 
 if DB_SERVER.lower().startswith("localhost") or "\\" in DB_SERVER:
-    # Local Windows SQL Express with integrated auth
     CONN_STR = f"DRIVER={{SQL Server}};SERVER={DB_SERVER};DATABASE={DB_DATABASE};Trusted_Connection=yes"
 else:
-    # RDS / SQL login via env secrets
     CONN_STR = (
         "DRIVER={ODBC Driver 17 for SQL Server};"
         f"SERVER={DB_SERVER};DATABASE={DB_DATABASE};"
@@ -112,7 +111,23 @@ def maybe_init_db():
                     _db_init_done = True
 
 # ------------------------------------------------------------------------------
-# Health endpoint (helps confirm worker booted)
+# Cookie helpers
+# ------------------------------------------------------------------------------
+def add_cookie(resp, name: str, value: str, max_age: int):
+    """
+    In prod: Secure + SameSite=None + Partitioned (works with third-party cookie protections).
+    In dev:  SameSite=Lax, not Secure.
+    """
+    if IS_PROD:
+        resp.headers.add(
+            "Set-Cookie",
+            f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=None; Partitioned"
+        )
+    else:
+        resp.set_cookie(name, value, httponly=True, secure=False, samesite="Lax", max_age=max_age, path="/")
+
+# ------------------------------------------------------------------------------
+# Health
 # ------------------------------------------------------------------------------
 @app.get("/")
 def health():
@@ -203,8 +218,8 @@ def login():
         return jsonify({"message": "Database is unavailable"}), 503
 
     resp = make_response(jsonify({"message": "Login successful"}))
-    resp.set_cookie('access_token', access_token, httponly=True, secure=False, samesite='Lax', max_age=900)
-    resp.set_cookie('refresh_token', refresh_token, httponly=True, secure=False, samesite='Lax', max_age=7*24*60*60)
+    add_cookie(resp, 'access_token', access_token, 900)                 # 15 min
+    add_cookie(resp, 'refresh_token', refresh_token, 7*24*60*60)       # 7 days
     return resp
 
 @app.post("/refresh")
@@ -241,7 +256,7 @@ def refresh():
     )
 
     resp = make_response(jsonify({'access_token': new_access}))
-    resp.set_cookie('access_token', new_access, httponly=True, secure=False, samesite='Lax', max_age=900)
+    add_cookie(resp, 'access_token', new_access, 900)
     return resp
 
 @app.post("/logout")