diff --git a/app/readme.md b/app/README.md
similarity index 96%
rename from app/readme.md
rename to app/README.md
index 0f9dada..37f2bf0 100644
--- a/app/readme.md
+++ b/app/README.md
@@ -1,5 +1,8 @@
 # Flags quiz api
+### Add localhost
+echo "127.0.0.1 host.docker.internal" | sudo tee -a /etc/hosts
+
 ### development environment:
 original .env of simply github secret env is required as pre-requisite
diff --git a/app/config/packages/framework.yaml b/app/config/packages/framework.yaml
index f3f224b..c532704 100644
--- a/app/config/packages/framework.yaml
+++ b/app/config/packages/framework.yaml
@@ -11,10 +11,10 @@ framework:
 cookie_domain: null # Ensures it defaults to the current host
 # handler_id: App\Shared\Session\RedisSessionHandler
 handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\RedisSessionHandler
-# cookie_samesite: lax
- cookie_samesite: null
-# cookie_secure: auto
- cookie_secure: false
+ cookie_samesite: lax
+# cookie_samesite: null
+ cookie_secure: auto
+# cookie_secure: false
 # Trust proxy headers (k8s, Caddy, ngrok)
 trusted_proxies: '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
 trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-port', 'x-forwarded-proto']
diff --git a/app/docker-compose.override.yml b/app/docker-compose.override.yml
index ffcb70b..81fdd64 100644
--- a/app/docker-compose.override.yml
+++ b/app/docker-compose.override.yml
@@ -5,6 +5,8 @@ services:
 USER_ID: 1000
 GROUP_ID: 1000
 target: development
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
 volumes:
 - .:/var/www/html:rw,cached
 db:
diff --git a/app/docker-compose.test.yml b/app/docker-compose.test.yml
index 571bc14..a2b09b1 100644
--- a/app/docker-compose.test.yml
+++ b/app/docker-compose.test.yml
@@ -17,7 +17,7 @@ services:
 condition: service_healthy
 db:
 build:
- context: ..host.docker.internal
+ context: ..
 dockerfile: .docker/mysql/Dockerfile
 environment:
 MYSQL_ROOT_PASSWORD: root
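Review bot: `cookie_secure: auto` produces a Secure session cookie only when Symfony classifies the request as HTTPS, which behind the k8s/Caddy/ngrok hops named in the comment below depends entirely on `trusted_proxies` covering the real proxy address and `x-forwarded-proto` being trusted; if TLS ever terminates on a hop outside those ranges, the cookie is issued without Secure over a connection the browser considers HTTPS. For the production file `cookie_secure: true` is the unambiguous choice, with the relaxed values kept in a `when@dev:` block instead of the `# cookie_samesite: null` / `# cookie_secure: false` toggles this hunk leaves behind, which only need a one-character edit to land in prod. Also note that `lax` carries the session cookie on the OAuth callback only when the provider returns via a top-level GET redirect; should the provider ever use a `form_post` response mode, the state lookup would fail the same way the REDIS.md notes describe.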
diff --git a/app/src/Flags/Security/HqAuthAuthenticator.php b/app/src/Flags/Security/HqAuthAuthenticator.php
index 38a4052..10755dc 100644
--- a/app/src/Flags/Security/HqAuthAuthenticator.php
+++ b/app/src/Flags/Security/HqAuthAuthenticator.php
@@ -129,12 +129,20 @@ public function onAuthenticationFailure(
 )
 );
- // Temporarily return error instead of redirect loop
- return new JsonResponse([
+ $response = new JsonResponse([
 'error' => 'authentication_failed',
 'message' => $exception->getMessage(),
- 'previous' => $exception->getPrevious() ? $exception->getPrevious()->getMessage() : null,
+ 'previous' => $exception->getPrevious()?->getMessage(),
 ], 401);
+
+ // Add CORS headers for error visibility in browser console
+ $origin = $request->headers->get('Origin');
+ if ($origin && preg_match('/^https:\/\/(flags|capitals)\.izeebot\.top$/', $origin)) {
+ $response->headers->set('Access-Control-Allow-Origin', $origin);
+ $response->headers->set('Access-Control-Allow-Credentials', 'true');
+ }
+
+ return $response;
 }
 // private function loadOrCreateUser($userInfo)
diff --git a/k8s/REDIS.md b/k8s/REDIS.md
new file mode 100644
index 0000000..f0dcebc
--- /dev/null
+++ b/k8s/REDIS.md
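Review bot: Reflecting the request `Origin` into `Access-Control-Allow-Origin` without a matching `Vary` header means any shared cache in front of the app can hand the flags.izeebot.top-tagged 401 to a capitals.izeebot.top caller (or the reverse) and the browser will then reject it; add `$response->headers->set('Vary', 'Origin');` inside the `if`. The allow-list regex is anchored with `$`, which in PCRE also matches before a trailing newline, so `\z` (or the `D` modifier) is the strict anchor, and the two hostnames would be better kept in one place — a class constant or whatever CORS configuration the rest of the app uses — rather than duplicated inside the authenticator. Separately, with the "Temporarily" comment removed, `$exception->getMessage()` and the new `getPrevious()?->getMessage()` now permanently return raw internal exception text to the client; Symfony's `AuthenticationException::getMessageKey()` / `getMessageData()` exist for exactly this client-facing case, while the closing parentheses at the top of the hunk suggest the full chain is already being logged. onAuthenticationFailure starts before this hunk.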
@@ -0,0 +1,27 @@
+# Connect to Redis CLI
+ kubectl exec -it -n flags-api redis-8979f9646-pwp79 -- redis-cli
+
+ # Once inside redis-cli, run these commands:
+
+ # 1. List all session keys (they have prefix 'flags_sess_')
+ KEYS flags_sess_*
+
+ # 2. Check how many keys exist
+ DBSIZE
+
+ # 3. Look at a specific session's content (replace with actual key)
+ GET flags_sess_
+
+ # 4. Check TTL of a session key
+ TTL flags_sess_
+
+ # 5. Monitor Redis in real-time (watch new commands coming in)
+ MONITOR
+
+ To test the OAuth flow:
+ 1. Open a terminal with kubectl exec -it -n flags-api redis-8979f9646-pwp79 -- redis-cli MONITOR
+ 2. In another browser, click "Login to Play" on flags.izeebot.top
+ 3. Watch Redis - you should see SET flags_sess_... when /login is called
+ 4. After OAuth redirect back, you should see GET flags_sess_... to retrieve the state
+
+ If the session key is missing on the callback, that confirms the cookie isn't being sent (the Turbo/XHR issue we fixed).