oauth fix for real??

RyanKim17920 · RyanKim17920 · commit 95a3fcd2db3f · 2025-12-06T17:09:00.000-06:00
diff --git a/.env.example b/.env.example
@@ -115,6 +115,12 @@ GOOGLE_CLIENT_SECRET=
 FRONTEND_URL=http://localhost:5173
 BACKEND_URL=http://localhost:5001
 
+# API_URL is used for OAuth redirect_uri construction in production
+# CRITICAL: Set this to your actual production backend URL (with https://)
+# Example: API_URL=https://papers2code.onrender.com
+# If not set, defaults to http://localhost:5001
+API_URL=http://localhost:5001
+
 # ---------------------------------------------
 # Email Configuration
 # ---------------------------------------------
diff --git a/papers2code_app2/services/github_oauth_service.py b/papers2code_app2/services/github_oauth_service.py
@@ -55,7 +55,9 @@ def prepare_github_login_redirect(self, request: Request) -> RedirectResponse:
 
         # For production, use explicit environment variable
         # For development, construct from request
-        if config_settings.ENV_TYPE == "production" and config_settings.API_URL and "localhost" not in config_settings.API_URL:
+        is_production = config_settings.ENV_TYPE == "production"
+
+        if is_production and config_settings.API_URL and "localhost" not in config_settings.API_URL:
             redirect_uri = f"{config_settings.API_URL.rstrip('/')}/api/auth/github/callback"
             logger.info(f"GitHub OAuth (production): Using explicit API_URL: {redirect_uri}")
         else:
@@ -64,11 +66,16 @@ def prepare_github_login_redirect(self, request: Request) -> RedirectResponse:
                 if not redirect_uri.startswith("http"):
                     base_url = str(request.base_url).rstrip('/')
                     redirect_uri = f"{base_url}/api/auth/github/callback"
-                logger.info(f"GitHub OAuth (dev): Using request.url_for: {redirect_uri}")
+                logger.info(f"GitHub OAuth: Using request.url_for: {redirect_uri}")
             except Exception as e:
                 logger.error(f"Error constructing redirect_uri: {e}")
                 raise OAuthException(detail="Error preparing authentication request to GitHub.")
 
+        # CRITICAL: Ensure HTTPS in production (belt-and-suspenders with proxy_headers)
+        if is_production and redirect_uri.startswith("http://"):
+            redirect_uri = redirect_uri.replace("http://", "https://", 1)
+            logger.info(f"GitHub OAuth: Forced HTTPS in production: {redirect_uri}")
+
         # Diagnostic logging - VERY detailed for debugging
         logger.info(f"[GITHUB_OAUTH_DEBUG] redirect_uri = '{redirect_uri}'")
         logger.info(f"[GITHUB_OAUTH_DEBUG] redirect_uri length = {len(redirect_uri)}")
@@ -146,7 +153,9 @@ async def handle_github_callback(
             return RedirectResponse(url=f"{frontend_url}/?login_error=github_no_code", status_code=307)
 
         # Match the same construction as prepare_github_login_redirect
-        if config_settings.ENV_TYPE == "production" and config_settings.API_URL and "localhost" not in config_settings.API_URL:
+        is_production = config_settings.ENV_TYPE == "production"
+
+        if is_production and config_settings.API_URL and "localhost" not in config_settings.API_URL:
             actual_redirect_uri = f"{config_settings.API_URL.rstrip('/')}/api/auth/github/callback"
         else:
             try:
@@ -158,6 +167,11 @@ async def handle_github_callback(
                 base_url = str(request.base_url).rstrip('/')
                 actual_redirect_uri = f"{base_url}/api/auth/github/callback"
 
+        # CRITICAL: Ensure HTTPS in production (belt-and-suspenders with proxy_headers)
+        if is_production and actual_redirect_uri.startswith("http://"):
+            actual_redirect_uri = actual_redirect_uri.replace("http://", "https://", 1)
+            logger.info(f"GitHub OAuth callback: Forced HTTPS in production: {actual_redirect_uri}")
+
         # Diagnostic logging - VERY detailed for debugging callback
         logger.info(f"[GITHUB_CALLBACK_DEBUG] actual_redirect_uri = '{actual_redirect_uri}'")
         logger.info(f"[GITHUB_CALLBACK_DEBUG] actual_redirect_uri length = {len(actual_redirect_uri)}")
diff --git a/papers2code_app2/services/google_oauth_service.py b/papers2code_app2/services/google_oauth_service.py
@@ -54,7 +54,9 @@ def prepare_google_login_redirect(self, request: Request) -> RedirectResponse:
             raise OAuthException(detail="Authentication service is misconfigured (Google Client ID not set).")
 
         # For production, use explicit environment variable
-        if config_settings.ENV_TYPE == "production" and config_settings.API_URL and "localhost" not in config_settings.API_URL:
+        is_production = config_settings.ENV_TYPE == "production"
+
+        if is_production and config_settings.API_URL and "localhost" not in config_settings.API_URL:
             redirect_uri = f"{config_settings.API_URL.rstrip('/')}/api/auth/google/callback"
         else:
             try:
@@ -66,6 +68,11 @@ def prepare_google_login_redirect(self, request: Request) -> RedirectResponse:
                 logger.error(f"Error constructing redirect_uri for Google OAuth: {e}")
                 raise OAuthException(detail="Error preparing authentication request to Google.")
 
+        # CRITICAL: Ensure HTTPS in production (belt-and-suspenders with proxy_headers)
+        if is_production and redirect_uri.startswith("http://"):
+            redirect_uri = redirect_uri.replace("http://", "https://", 1)
+            logger.info(f"Google OAuth: Forced HTTPS in production: {redirect_uri}")
+
         # Diagnostic logging - VERY detailed for debugging
         logger.info(f"[GOOGLE_OAUTH_DEBUG] redirect_uri = '{redirect_uri}'")
         logger.info(f"[GOOGLE_OAUTH_DEBUG] redirect_uri length = {len(redirect_uri)}")
@@ -148,7 +155,9 @@ async def handle_google_callback(
             return RedirectResponse(url=f"{frontend_url}/?login_error=google_no_code", status_code=307)
 
         # Match the same construction as prepare_google_login_redirect
-        if config_settings.ENV_TYPE == "production" and config_settings.API_URL and "localhost" not in config_settings.API_URL:
+        is_production = config_settings.ENV_TYPE == "production"
+
+        if is_production and config_settings.API_URL and "localhost" not in config_settings.API_URL:
             actual_redirect_uri = f"{config_settings.API_URL.rstrip('/')}/api/auth/google/callback"
         else:
             try:
@@ -160,6 +169,11 @@ async def handle_google_callback(
                 base_url = str(request.base_url).rstrip('/')
                 actual_redirect_uri = f"{base_url}/api/auth/google/callback"
 
+        # CRITICAL: Ensure HTTPS in production (belt-and-suspenders with proxy_headers)
+        if is_production and actual_redirect_uri.startswith("http://"):
+            actual_redirect_uri = actual_redirect_uri.replace("http://", "https://", 1)
+            logger.info(f"Google OAuth callback: Forced HTTPS in production: {actual_redirect_uri}")
+
         # Diagnostic logging - VERY detailed for debugging callback
         logger.info(f"[GOOGLE_CALLBACK_DEBUG] actual_redirect_uri = '{actual_redirect_uri}'")
         logger.info(f"[GOOGLE_CALLBACK_DEBUG] actual_redirect_uri length = {len(actual_redirect_uri)}")
diff --git a/run.py b/run.py
@@ -162,8 +162,13 @@ def get_uvicorn_config(self) -> dict:
                 })
                 self._log("info", "Using development configuration with hot reload")
             else:
-                # Production or any other environment - simple single-worker setup
-                self._log("info", "Using production configuration on port 5001")
+                # Production: trust X-Forwarded headers from Render's reverse proxy
+                # This is CRITICAL for OAuth redirect_uri to use correct https:// scheme
+                base_config.update({
+                    "proxy_headers": True,
+                    "forwarded_allow_ips": "*",
+                })
+                self._log("info", "Using production configuration on port 5001 with proxy headers enabled")
 
             return base_config
 
