fix(redirect)

app/readme.md → app/README.md

@@ -1,5 +1,8 @@
 # Flags quiz api
 
+### Add localhost 
+echo "127.0.0.1 host.docker.internal" | sudo tee -a /etc/hosts
+
 ### development environment:
 original .env of simply github secret env is required as pre-requisite 
 

app/config/packages/framework.yaml

@@ -11,10 +11,10 @@ framework:
         cookie_domain: null # Ensures it defaults to the current host
 #        handler_id: App\Shared\Session\RedisSessionHandler
         handler_id: Symfony\Component\HttpFoundation\Session\Storage\Handler\RedisSessionHandler
-#        cookie_samesite: lax
-        cookie_samesite: null
-#        cookie_secure: auto
-        cookie_secure: false
+        cookie_samesite: lax
+#        cookie_samesite: null
+        cookie_secure: auto
+#        cookie_secure: false
     # Trust proxy headers (k8s, Caddy, ngrok)
     trusted_proxies: '127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
     trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-port', 'x-forwarded-proto']

app/docker-compose.override.yml

@@ -5,6 +5,8 @@ services:
             USER_ID: 1000
             GROUP_ID: 1000
           target: development
+        extra_hosts:
+            - "host.docker.internal:host-gateway"
         volumes:
             - .:/var/www/html:rw,cached
     db:

app/docker-compose.test.yml

@@ -17,7 +17,7 @@ services:
                 condition: service_healthy
     db:
         build:
-            context: ..host.docker.internal
+            context: ..
             dockerfile: .docker/mysql/Dockerfile
         environment:
             MYSQL_ROOT_PASSWORD: root

app/src/Flags/Security/HqAuthAuthenticator.php

@@ -129,12 +129,20 @@ public function onAuthenticationFailure(
             )
         );
 
-        // Temporarily return error instead of redirect loop
-        return new JsonResponse([
+        $response = new JsonResponse([
             'error' => 'authentication_failed',
             'message' => $exception->getMessage(),
-            'previous' => $exception->getPrevious() ? $exception->getPrevious()->getMessage() : null,
+            'previous' => $exception->getPrevious()?->getMessage(),
         ], 401);
+
+        // Add CORS headers for error visibility in browser console
+        $origin = $request->headers->get('Origin');
+        if ($origin && preg_match('/^https:\/\/(flags|capitals)\.izeebot\.top$/', $origin)) {
+            $response->headers->set('Access-Control-Allow-Origin', $origin);
+            $response->headers->set('Access-Control-Allow-Credentials', 'true');
+        }
+
+        return $response;
     }
 
     //    private function loadOrCreateUser($userInfo)

k8s/REDIS.md

@@ -0,0 +1,27 @@
+# Connect to Redis CLI
+  kubectl exec -it -n flags-api redis-8979f9646-pwp79 -- redis-cli
+
+  # Once inside redis-cli, run these commands:
+
+  # 1. List all session keys (they have prefix 'flags_sess_')
+  KEYS flags_sess_*
+
+  # 2. Check how many keys exist
+  DBSIZE
+
+  # 3. Look at a specific session's content (replace <session_id> with actual key)
+  GET flags_sess_<session_id>
+
+  # 4. Check TTL of a session key
+  TTL flags_sess_<session_id>
+
+  # 5. Monitor Redis in real-time (watch new commands coming in)
+  MONITOR
+
+  To test the OAuth flow:
+  1. Open a terminal with kubectl exec -it -n flags-api redis-8979f9646-pwp79 -- redis-cli MONITOR
+  2. In another browser, click "Login to Play" on flags.izeebot.top
+  3. Watch Redis - you should see SET flags_sess_... when /login is called
+  4. After OAuth redirect back, you should see GET flags_sess_... to retrieve the state
+
+  If the session key is missing on the callback, that confirms the cookie isn't being sent (the Turbo/XHR issue we fixed).