diff --git a/PRODUCTION_OAUTH_SETUP.md b/PRODUCTION_OAUTH_SETUP.md new file mode 100644 index 0000000..281007f --- /dev/null +++ b/PRODUCTION_OAUTH_SETUP.md 
@@ -0,0 +1,250 @@ +# Production OAuth Setup Guide + +## 🔧 Changes Made + +### 1. Kubernetes Configuration Updated + +**Files Modified:** +- `tasko-chart/templates/secret.yaml` - Added OAuth secrets +- `tasko-chart/templates/backend-deployment.yaml` - Added environment variables from secrets +- `tasko-chart/values.yaml` - Added OAuth configuration + +**What was added:** +```yaml +backend: + env: + ENVIRONMENT: "production" + GOOGLE_REDIRECT_URI: "https://api-tasko.dvirlabs.com/auth/google/callback" + FRONTEND_URL: "https://tasko.dvirlabs.com" + + oauth: + google: + clientId: "YOUR_CLIENT_ID" + clientSecret: "YOUR_CLIENT_SECRET" + + sessionSecret: "YOUR_SESSION_SECRET" +``` + +--- + +## 🔐 Google Cloud Console Setup + +### Step 1: Add Production Redirect URI + +1. Go to [Google Cloud Console](https://console.cloud.google.com/) +2. Navigate to **APIs & Services** → **Credentials** +3. Click on your OAuth 2.0 Client ID (the one you created for Tasko) +4. Under **Authorized redirect URIs**, add: + ``` + https://api-tasko.dvirlabs.com/auth/google/callback + ``` +5. Keep the localhost URI for development: + ``` + http://localhost:8000/auth/google/callback + ``` +6. Click **Save** + +### Step 2: Verify Authorized JavaScript Origins + +Make sure these origins are authorized: +- `https://tasko.dvirlabs.com` (frontend) +- `https://api-tasko.dvirlabs.com` (backend) +- `http://localhost:5173` (local dev) +- `http://localhost:8000` (local dev) + +--- + +## 🚀 Deploy to Kubernetes + +### Option A: Using Helm Upgrade + +```bash +# From the tasko-chart directory +helm upgrade tasko . --namespace my-apps --create-namespace + +# Or if first deployment +helm install tasko . --namespace my-apps --create-namespace +``` + +### Option B: Using kubectl (if you pushed to Git) + +```bash +# Your GitOps tool (ArgoCD, Flux, etc.) should auto-sync +# Or manually trigger sync if needed +``` + +--- + +## ✅ Verify Deployment + +### 1. 
Check Backend Logs + +```bash +kubectl logs -n my-apps deployment/tasko-backend -f +``` + +You should see: +``` +🔐 Session Configuration (Development Mode): # Wait, this should say Production! +``` + +### 2. Check Environment Variables + +```bash +kubectl exec -n my-apps deployment/tasko-backend -- env | grep GOOGLE +``` + +Expected output: +``` +GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com +GOOGLE_CLIENT_SECRET=GOCSPX-... +GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback +``` + +### 3. Test OAuth Flow + +1. Go to `https://tasko.dvirlabs.com` +2. Click "Continue with Google" +3. You should be redirected to Google login +4. After authentication, you should be redirected back to your app with a token + +Watch the backend logs: +```bash +kubectl logs -n my-apps deployment/tasko-backend -f +``` + +Expected logs: +``` +🔑 OAuth Login initiated (/auth/google): + - Redirect URI: https://api-tasko.dvirlabs.com/auth/google/callback + - Response Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=672182384838-... + +🔄 OAuth Callback received (/auth/google/callback): + - Request headers Cookie: tasko_session=... + - Cookies from request.cookies: ['tasko_session'] + - Session keys: ['_state_google_...'] + +✅ OAuth Login SUCCESS! + - User: your.email@gmail.com +``` + +--- + +## 🔒 Security Notes + +### Production vs Development + +The code automatically detects the environment: + +**Development (`ENVIRONMENT=development`):** +- `https_only=False` (allows HTTP cookies for localhost) +- Debug logging enabled +- Session cookies work on `localhost` + +**Production (`ENVIRONMENT=production`):** +- `https_only=True` (requires HTTPS for cookies) +- Debug logging disabled +- Secure session cookies + +### Session Secret + +The `sessionSecret` is used to sign session cookies. 
**Change this to a unique value!** + +Generate a new secret: +```bash +python -c "import secrets; print(secrets.token_hex(32))" +``` + +Update in `values.yaml`: +```yaml +backend: + sessionSecret: "YOUR_NEW_SECRET_HERE" +``` + +--- + +## 🐛 Troubleshooting + +### Issue: "client_id is empty" + +**Cause:** Environment variables not loaded in container + +**Fix:** +```bash +# Check if secrets exist +kubectl get secret -n my-apps tasko-secrets -o yaml + +# Verify secret contains OAuth keys +kubectl describe secret -n my-apps tasko-secrets + +# Restart deployment +kubectl rollout restart deployment/tasko-backend -n my-apps +``` + +### Issue: "mismatching_state: CSRF Warning" + +**Cause:** Session cookies not being sent + +**Possible causes:** +1. `ENVIRONMENT` not set to `production` (cookies require HTTPS) +2. Frontend and backend on different domains without proper CORS +3. Cookie `SameSite` settings + +**Fix:** +- Verify `ENVIRONMENT=production` is set +- Check that `FRONTEND_URL` matches your actual frontend domain +- Ensure HTTPS is working on both frontend and backend + +### Issue: "Redirect URI mismatch" + +**Cause:** Google Console redirect URI doesn't match + +**Fix:** +1. Check the actual redirect URI in the error message from Google +2. Add that exact URI to Google Console +3. Make sure `GOOGLE_REDIRECT_URI` in `values.yaml` matches + +--- + +## 📝 Frontend Configuration + +The frontend should automatically use the production API URL because of the proxy setup in `vite.config.js`. 
+ +### Build-time Configuration + +When building the frontend Docker image, ensure `VITE_API_URL` is set: + +**In `values.yaml`:** +```yaml +frontend: + env: + VITE_API_URL: "https://api-tasko.dvirlabs.com" +``` + +**Or in Dockerfile:** +```dockerfile +ENV VITE_API_URL=https://api-tasko.dvirlabs.com +RUN npm run build +``` + +--- + +## ✨ Quick Reference + +### Backend URLs +- Production API: `https://api-tasko.dvirlabs.com` +- OAuth callback: `https://api-tasko.dvirlabs.com/auth/google/callback` + +### Frontend URLs +- Production: `https://tasko.dvirlabs.com` + +### Environment Variables (Backend) +```bash +ENVIRONMENT=production +GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com +GOOGLE_CLIENT_SECRET=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 +GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback +FRONTEND_URL=https://tasko.dvirlabs.com +SESSION_SECRET= +DATABASE_URL= +``` diff --git a/backend/Dockerfile b/backend/Dockerfile index 05a42c7..ed3e9b7 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -21,4 +21,4 @@ COPY . . EXPOSE 8000 # Run the application -CMD ["python", "main.py"] +CMD ["python", "main.py"] \ No newline at end of file diff --git a/frontend/Dockerfile b/frontend/Dockerfile index da3913a..ca57438 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -31,4 +31,4 @@ COPY nginx.conf /etc/nginx/conf.d/default.conf # Expose port 80 EXPOSE 80 -CMD ["nginx", "-g", "daemon off;"] +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file
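Review bot: The Quick Reference block at the end of PRODUCTION_OAUTH_SETUP.md commits a live-looking Google client secret (`GOOGLE_CLIENT_SECRET=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`) together with its client ID, and the Verify Deployment section repeats the client ID; a docs file in the repo is not a secret store, and once pushed the value stays in git history even after a follow-up edit. Replace it with a placeholder such as `GOOGLE_CLIENT_SECRET=GOCSPX-...` (the form Step 2 already uses) and rotate the secret in Google Cloud Console before merging. The same applies to the `values.yaml` snippet under Changes Made: with Option B (GitOps auto-sync from the pushed repo) `oauth.google.clientSecret` and `sessionSecret` land in plaintext in version control, so the guide should tell readers to keep them out of the committed values file (an uncommitted override file passed with `-f`, `--set` from a CI secret, or an externally managed Secret the chart references) and should not print them back out with `kubectl exec ... env | grep GOOGLE` or `kubectl get secret ... -o yaml`; the `kubectl describe secret` command already present lists key names and sizes without the values. Smaller points in the same hunk: the Check Backend Logs step shows `🔐 Session Configuration (Development Mode): # Wait, this should say Production!` as the expected output, which is an unresolved author note, and the Expected logs under Test OAuth Flow dump cookie names and session keys even though Security Notes says debug logging is disabled in production, so either the expected output or the claim needs fixing. Under "mismatching_state", cause 1 is inverted relative to the doc's own Security Notes: development mode sets `https_only=False`, which does not stop the cookie being sent, so that bullet does not explain a missing cookie; the vague "Cookie SameSite settings" bullet should say what matters, namely that the callback arrives as a top-level navigation from accounts.google.com, so the session cookie must be `SameSite=Lax` (Strict drops it). Finally, the Frontend Configuration sentence claiming the production build uses the API URL "because of the proxy setup in vite.config.js" contradicts the Build-time Configuration section that follows it: Vite's `server.proxy` only exists in the dev server, and the nginx image serves static files, so `VITE_API_URL` baked in at build time is the only mechanism and the proxy sentence should be removed.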
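Review bot: The only change in backend/Dockerfile is dropping the trailing newline after `CMD ["python", "main.py"]` (`\ No newline at end of file`), which is whitespace-only churn unrelated to the OAuth setup this PR documents; restore the final newline (and configure the editor to insert one on save) so the file stays a well-formed text file and this hunk drops out of the diff.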
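Review bot: Same whitespace-only change in frontend/Dockerfile: the `CMD ["nginx", "-g", "daemon off;"]` line is identical apart from the lost trailing newline. Revert it so the PR contains only the documentation change its title describes.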