From 62d2fd7c6a0a5238c869cac2d32f0a3e7e86b1b7 Mon Sep 17 00:00:00 2001 From: Sean Morley Date: Mon, 13 Jan 2025 18:50:54 -0500 Subject: [PATCH 1/5] docs: add warnings for known issues with Redirect URI and authorization callback URL in Authentik and GitHub configurations --- documentation/docs/configuration/social_auth/authentik.md | 5 +++++ documentation/docs/configuration/social_auth/github.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/documentation/docs/configuration/social_auth/authentik.md b/documentation/docs/configuration/social_auth/authentik.md index 6bc62d9..99cf93e 100644 --- a/documentation/docs/configuration/social_auth/authentik.md +++ b/documentation/docs/configuration/social_auth/authentik.md @@ -15,6 +15,11 @@ To enable Authentik as an identity provider, the administrator must first config 1. Log in to Authentik and navigate to the `Providers` page and create a new provider. 2. Select `OAuth2/OpenID Provider` as the provider type. 3. Name it `AdventureLog` or any other name you prefer. + +::: warning +Known issue: The `Redirect URI` should use `http` even if your site uses `https`. This is a known issue with AdventureLog and will be fixed in a future release. +::: + 4. Set the `Redirect URI` of type `Regex` to `^http:///accounts/oidc/.*$` where `` is the URL of your AdventureLog Server service. 5. Copy the `Client ID` and `Client Secret` generated by Authentik, you will need these to configure AdventureLog. 6. Create an application in Authentik and assign the provider to it, name the `slug` `adventurelog` or any other name you prefer. diff --git a/documentation/docs/configuration/social_auth/github.md b/documentation/docs/configuration/social_auth/github.md index 2239dc7..7d3df5d 100644 --- a/documentation/docs/configuration/social_auth/github.md +++ b/documentation/docs/configuration/social_auth/github.md 
@@ -15,6 +15,11 @@ To enable GitHub as an identity provider, the administrator must first configure - Application Name: `AdventureLog` or any other name you prefer. - Homepage URL: `` where `` is the URL of your AdventureLog Frontend service. - Application Description: `AdventureLog` or any other description you prefer. + + ::: warning + Known issue: The uthorization callback URL should use `http` even if your site uses `https`. This is a known issue with AdventureLog and will be fixed in a future release. + ::: + - Authorization callback URL: `http:///accounts/github/login/callback/` where `` is the URL of your AdventureLog Backend service. - If you want the logo, you can find it [here](https://adventurelog.app/adventurelog.png). From 4c84ac0979a0946651fb28a74bba2fd6a2b64d2c Mon Sep 17 00:00:00 2001 From: Sean Morley Date: Mon, 13 Jan 2025 19:21:35 -0500 Subject: [PATCH 2/5] fix: enhance middleware to set HTTP_X_FORWARDED_PROTO and secure proxy SSL header --- backend/server/adventures/middleware.py | 14 +++++++++----- backend/server/main/settings.py | 2 ++ 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/backend/server/adventures/middleware.py b/backend/server/adventures/middleware.py index 550e581..9c5badd 100644 --- a/backend/server/adventures/middleware.py +++ b/backend/server/adventures/middleware.py 
@@ -31,12 +31,16 @@ class OverrideHostMiddleware: def __init__(self, get_response): self.get_response = get_response - def __call__(self, request: HttpRequest): - # Override the host with the PUBLIC_URL environment variable + def __call__(self, request): public_url = os.getenv('PUBLIC_URL', None) if public_url: - # Split the public URL to extract the host and port (if available) - host = public_url.split("//")[-1].split("/")[0] - request.META['HTTP_HOST'] = host # Override the HTTP_HOST header + # Extract host and scheme + scheme, host = public_url.split("://") + request.META['HTTP_HOST'] = host + request.META['wsgi.url_scheme'] = scheme + + # Set X-Forwarded-Proto for Django + request.META['HTTP_X_FORWARDED_PROTO'] = scheme + response = self.get_response(request) return response diff --git a/backend/server/main/settings.py b/backend/server/main/settings.py index 32e1a07..8ccb49b 100644 --- a/backend/server/main/settings.py +++ b/backend/server/main/settings.py @@ -139,6 +139,8 @@ SESSION_COOKIE_DOMAIN = '.' + '.'.join(domain_parts[-2:]) if len(domain_parts) > # Static files (CSS, JavaScript, Images) # https://docs.djangoproject.com/en/1.7/howto/static-files/ +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') + BASE_DIR = Path(__file__).resolve().parent.parent STATIC_ROOT = BASE_DIR / "staticfiles" From a8e84be28e6977f156bf31d41d040946441c2251 Mon Sep 17 00:00:00 2001 From: Sean Morley Date: Mon, 13 Jan 2025 19:34:19 -0500 Subject: [PATCH 3/5] docs: update known issues for Redirect URI and authorization callback URL in Authentik and GitHub configurations fix: enhance session cookie deletion logic with dynamic domain handling --- .../configuration/social_auth/authentik.md | 5 ---- .../docs/configuration/social_auth/github.md | 5 ---- frontend/src/routes/+page.server.ts | 30 +++++++++++++++++-- 3 files changed, 28 insertions(+), 12 deletions(-) 
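Review bot: `scheme, host = public_url.split("://")` on the new side raises `ValueError` for any `PUBLIC_URL` that has no `://` or contains it more than once, and when it does unpack it keeps any path in `host` (`https://example.com/adventurelog` becomes `HTTP_HOST = example.com/adventurelog`), a regression from the removed `.split("/")[0]`. Parsing with `urllib.parse.urlsplit` and skipping the override when `scheme` or `netloc` is empty avoids both, and the dropped `request: HttpRequest` annotation is worth keeping. Note also that writing `HTTP_X_FORWARDED_PROTO` from an environment variable rather than from the real connection means that, once `SECURE_PROXY_SSL_HEADER` is set, `request.is_secure()` reports `https` for every request that reaches this middleware, including plain-HTTP ones sent straight to the backend; this is presumably intended, but a comment should say so and record that the backend must only be reachable through the TLS-terminating proxy.
```python
    def __call__(self, request: HttpRequest):
        public_url = os.getenv('PUBLIC_URL', None)
        if public_url:
            parts = urlsplit(public_url)  # urllib.parse; tolerates a path/query in PUBLIC_URL
            if parts.scheme and parts.netloc:
                request.META['HTTP_HOST'] = parts.netloc
                request.META['wsgi.url_scheme'] = parts.scheme
                # Makes is_secure() follow PUBLIC_URL via SECURE_PROXY_SSL_HEADER, regardless of
                # the actual transport: the backend must not be reachable except through the proxy.
                request.META['HTTP_X_FORWARDED_PROTO'] = parts.scheme
        # … unchanged: call self.get_response(request) and return the response …
```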
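Review bot: `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` is set unconditionally, which makes Django trust an `X-Forwarded-Proto: https` header supplied by any client; Django's own documentation warns this is only safe when every request passes through a proxy that overwrites that header. In this patch the `OverrideHostMiddleware` change overwrites it from `PUBLIC_URL`, but only when that variable is set, and nothing in the hunk records that precondition. Add a why-comment next to the setting, e.g. `# Trusts X-Forwarded-Proto: OverrideHostMiddleware sets it from PUBLIC_URL; the reverse proxy must overwrite it for any request not covered by that`, and move the line out from under the `# Static files` heading where it now sits.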
diff --git a/documentation/docs/configuration/social_auth/authentik.md b/documentation/docs/configuration/social_auth/authentik.md index 99cf93e..6bc62d9 100644 --- a/documentation/docs/configuration/social_auth/authentik.md +++ b/documentation/docs/configuration/social_auth/authentik.md @@ -15,11 +15,6 @@ To enable Authentik as an identity provider, the administrator must first config 1. Log in to Authentik and navigate to the `Providers` page and create a new provider. 2. Select `OAuth2/OpenID Provider` as the provider type. 3. Name it `AdventureLog` or any other name you prefer. - -::: warning -Known issue: The `Redirect URI` should use `http` even if your site uses `https`. This is a known issue with AdventureLog and will be fixed in a future release. -::: - 4. Set the `Redirect URI` of type `Regex` to `^http:///accounts/oidc/.*$` where `` is the URL of your AdventureLog Server service. 5. Copy the `Client ID` and `Client Secret` generated by Authentik, you will need these to configure AdventureLog. 6. Create an application in Authentik and assign the provider to it, name the `slug` `adventurelog` or any other name you prefer. diff --git a/documentation/docs/configuration/social_auth/github.md b/documentation/docs/configuration/social_auth/github.md index 7d3df5d..2239dc7 100644 --- a/documentation/docs/configuration/social_auth/github.md +++ b/documentation/docs/configuration/social_auth/github.md 
@@ -15,11 +15,6 @@ To enable GitHub as an identity provider, the administrator must first configure - Application Name: `AdventureLog` or any other name you prefer. - Homepage URL: `` where `` is the URL of your AdventureLog Frontend service. - Application Description: `AdventureLog` or any other description you prefer. - - ::: warning - Known issue: The uthorization callback URL should use `http` even if your site uses `https`. This is a known issue with AdventureLog and will be fixed in a future release. - ::: - - Authorization callback URL: `http:///accounts/github/login/callback/` where `` is the URL of your AdventureLog Backend service. - If you want the logo, you can find it [here](https://adventurelog.app/adventurelog.png). diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts index b379a8c..2987b88 100644 --- a/frontend/src/routes/+page.server.ts +++ b/frontend/src/routes/+page.server.ts @@ -3,6 +3,7 @@ import { redirect, type Actions } from '@sveltejs/kit'; import { themes } from '$lib'; import { fetchCSRFToken } from '$lib/index.server'; import type { PageServerLoad } from './$types'; +import { log } from 'console'; const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; 
@@ -41,8 +42,33 @@ export const actions: Actions = { }, credentials: 'include' }); - if (res.status == 401) { - event.cookies.delete('sessionid', { path: '/', secure: event.url.protocol === 'https:' }); + + // Determine the proper cookie domain + const hostname = event.url.hostname; + const domainParts = hostname.split('.'); + let cookieDomain: string | undefined = undefined; + + if (domainParts.length > 2) { + // For subdomains like app.mydomain.com -> .mydomain.com + cookieDomain = '.' + domainParts.slice(-2).join('.'); + } else if (domainParts.length === 2) { + // For root domains like mydomain.com -> .mydomain.com + cookieDomain = '.' + hostname; + } else { + // For localhost or single-part domains (e.g., "localhost") + cookieDomain = undefined; // Do not set the domain + } + + console.log('Deleting sessionid cookie with domain:', cookieDomain); + + // Delete the session cookie + event.cookies.delete('sessionid', { + path: '/', + secure: event.url.protocol === 'https:', + domain: cookieDomain + }); + + if (res.status === 401) { return redirect(302, '/login'); } else { return redirect(302, '/'); From 96ff727b570ed427673e4625e83a6e70e4e7213f Mon Sep 17 00:00:00 2001 From: Sean Morley Date: Mon, 13 Jan 2025 19:47:19 -0500 Subject: [PATCH 4/5] fix: include Referer header and ensure CSRF token is set in request headers --- frontend/src/routes/+page.server.ts | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts index 2987b88..9391b5b 100644 --- a/frontend/src/routes/+page.server.ts +++ b/frontend/src/routes/+page.server.ts 
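Review bot: The domain heuristic on the new side always takes the last two labels, so for hosts such as `example.co.uk` or `app.example.co.uk` it produces `domain=.co.uk`, which browsers reject as a public suffix, and the `sessionid` cookie is then never cleared on logout. The value must also match exactly what the backend used when it set the cookie; the `SESSION_COOKIE_DOMAIN` context line in settings.py applies the same two-label rule, so the copies agree today but can drift, and sourcing both from one shared setting would remove that risk. At minimum document the coupling: `// NOTE: must match SESSION_COOKIE_DOMAIN in backend settings.py; the two-label rule misfires on public suffixes such as .co.uk`. Separately, the cookie is deleted and the user redirected to `/` for every status other than 401, including a 5xx from the backend `DELETE`, which leaves the server-side session valid while the browser appears logged out; check `res.ok` and surface the failure instead. The enclosing action starts before this hunk.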
@@ -37,8 +37,9 @@ export const actions: Actions = { method: 'DELETE', headers: { 'Content-Type': 'application/json', - Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`, - 'X-CSRFToken': csrfToken + 'X-CSRFToken': csrfToken, // Ensure CSRF token is in header + Referer: event.url.origin, // Include Referer header + Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}` }, credentials: 'include' }); @@ -59,8 +60,6 @@ export const actions: Actions = { cookieDomain = undefined; // Do not set the domain } - console.log('Deleting sessionid cookie with domain:', cookieDomain); - // Delete the session cookie event.cookies.delete('sessionid', { path: '/', From ef448363280fc69f92007ee1a29aa78de42915af Mon Sep 17 00:00:00 2001 From: Sean Morley Date: Mon, 13 Jan 2025 19:55:00 -0500 Subject: [PATCH 5/5] fix: remove unused console log import from page server file --- frontend/src/routes/+page.server.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts index 9391b5b..af567d0 100644 --- a/frontend/src/routes/+page.server.ts +++ b/frontend/src/routes/+page.server.ts @@ -3,7 +3,6 @@ import { redirect, type Actions } from '@sveltejs/kit'; import { themes } from '$lib'; import { fetchCSRFToken } from '$lib/index.server'; import type { PageServerLoad } from './$types'; -import { log } from 'console'; const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000';
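Review bot: The new inline comments `// Ensure CSRF token is in header` and `// Include Referer header` restate what the lines do; the reason is what a maintainer needs, e.g. `// Django's CsrfViewMiddleware rejects HTTPS requests whose Referer does not match the backend host or CSRF_TRUSTED_ORIGINS`. Since `event.url.origin` is the frontend's origin, this presumably only passes when that origin is listed in `CSRF_TRUSTED_ORIGINS` or shares the backend host, which is worth stating in the comment or the deployment docs. The enclosing action's body continues outside the hunk.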