Merge pull request #442 from seanmorley15/development

Development
2025-08-02 19:55:18 +02:00 · 2025-01-13 19:55:15 -05:00 · 2025-01-13 19:55:15 -05:00 · 187f4c0a4f
commit 187f4c0a4f
parent 609f68b10d ef44836328
3 changed files with 39 additions and 9 deletions
--- a/backend/server/adventures/middleware.py
+++ b/backend/server/adventures/middleware.py
@ -31,12 +31,16 @@ class OverrideHostMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

-    def __call__(self, request: HttpRequest):
-        # Override the host with the PUBLIC_URL environment variable
+    def __call__(self, request):
        public_url = os.getenv('PUBLIC_URL', None)
        if public_url:
-            # Split the public URL to extract the host and port (if available)
-            host = public_url.split("//")[-1].split("/")[0]
-            request.META['HTTP_HOST'] = host  # Override the HTTP_HOST header
+            # Extract host and scheme
+            scheme, host = public_url.split("://")
+            request.META['HTTP_HOST'] = host
+            request.META['wsgi.url_scheme'] = scheme
+
+            # Set X-Forwarded-Proto for Django
+            request.META['HTTP_X_FORWARDED_PROTO'] = scheme
+
        response = self.get_response(request)
        return response
--- a/backend/server/main/settings.py
+++ b/backend/server/main/settings.py
@ -139,6 +139,8 @@ SESSION_COOKIE_DOMAIN = '.' + '.'.join(domain_parts[-2:]) if len(domain_parts) >
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/1.7/howto/static-files/

+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+

 BASE_DIR = Path(__file__).resolve().parent.parent
 STATIC_ROOT = BASE_DIR / "staticfiles"
--- a/frontend/src/routes/+page.server.ts
+++ b/frontend/src/routes/+page.server.ts
@ -36,13 +36,37 @@ export const actions: Actions = {
 			method: 'DELETE',
 			headers: {
 				'Content-Type': 'application/json',
-				Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`,
-				'X-CSRFToken': csrfToken
+				'X-CSRFToken': csrfToken, // Ensure CSRF token is in header
+				Referer: event.url.origin, // Include Referer header
+				Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`
 			},
 			credentials: 'include'
 		});
-		if (res.status == 401) {
-			event.cookies.delete('sessionid', { path: '/', secure: event.url.protocol === 'https:' });
+
+		// Determine the proper cookie domain
+		const hostname = event.url.hostname;
+		const domainParts = hostname.split('.');
+		let cookieDomain: string | undefined = undefined;
+
+		if (domainParts.length > 2) {
+			// For subdomains like app.mydomain.com -> .mydomain.com
+			cookieDomain = '.' + domainParts.slice(-2).join('.');
+		} else if (domainParts.length === 2) {
+			// For root domains like mydomain.com -> .mydomain.com
+			cookieDomain = '.' + hostname;
+		} else {
+			// For localhost or single-part domains (e.g., "localhost")
+			cookieDomain = undefined; // Do not set the domain
+		}
+
+		// Delete the session cookie
+		event.cookies.delete('sessionid', {
+			path: '/',
+			secure: event.url.protocol === 'https:',
+			domain: cookieDomain
+		});
+
+		if (res.status === 401) {
 			return redirect(302, '/login');
 		} else {
 			return redirect(302, '/');