Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4a155721b6 |
@ -1,250 +0,0 @@
|
||||
# Production OAuth Setup Guide
|
||||
|
||||
## 🔧 Changes Made
|
||||
|
||||
### 1. Kubernetes Configuration Updated
|
||||
|
||||
**Files Modified:**
|
||||
- `tasko-chart/templates/secret.yaml` - Added OAuth secrets
|
||||
- `tasko-chart/templates/backend-deployment.yaml` - Added environment variables from secrets
|
||||
- `tasko-chart/values.yaml` - Added OAuth configuration
|
||||
|
||||
**What was added:**
|
||||
```yaml
|
||||
backend:
|
||||
env:
|
||||
ENVIRONMENT: "production"
|
||||
GOOGLE_REDIRECT_URI: "https://api-tasko.dvirlabs.com/auth/google/callback"
|
||||
FRONTEND_URL: "https://tasko.dvirlabs.com"
|
||||
|
||||
oauth:
|
||||
google:
|
||||
clientId: "YOUR_CLIENT_ID"
|
||||
clientSecret: "YOUR_CLIENT_SECRET"
|
||||
|
||||
sessionSecret: "YOUR_SESSION_SECRET"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 🔐 Google Cloud Console Setup
|
||||
|
||||
### Step 1: Add Production Redirect URI
|
||||
|
||||
1. Go to [Google Cloud Console](https://console.cloud.google.com/)
|
||||
2. Navigate to **APIs & Services** → **Credentials**
|
||||
3. Click on your OAuth 2.0 Client ID (the one you created for Tasko)
|
||||
4. Under **Authorized redirect URIs**, add:
|
||||
```
|
||||
https://api-tasko.dvirlabs.com/auth/google/callback
|
||||
```
|
||||
5. Keep the localhost URI for development:
|
||||
```
|
||||
http://localhost:8000/auth/google/callback
|
||||
```
|
||||
6. Click **Save**
|
||||
|
||||
### Step 2: Verify Authorized JavaScript Origins
|
||||
|
||||
Make sure these origins are authorized:
|
||||
- `https://tasko.dvirlabs.com` (frontend)
|
||||
- `https://api-tasko.dvirlabs.com` (backend)
|
||||
- `http://localhost:5173` (local dev)
|
||||
- `http://localhost:8000` (local dev)
|
||||
|
||||
---
|
||||
|
||||
## 🚀 Deploy to Kubernetes
|
||||
|
||||
### Option A: Using Helm Upgrade
|
||||
|
||||
```bash
|
||||
# From the tasko-chart directory
|
||||
helm upgrade tasko . --namespace my-apps --create-namespace
|
||||
|
||||
# Or if first deployment
|
||||
helm install tasko . --namespace my-apps --create-namespace
|
||||
```
|
||||
|
||||
### Option B: Using kubectl (if you pushed to Git)
|
||||
|
||||
```bash
|
||||
# Your GitOps tool (ArgoCD, Flux, etc.) should auto-sync
|
||||
# Or manually trigger sync if needed
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## ✅ Verify Deployment
|
||||
|
||||
### 1. Check Backend Logs
|
||||
|
||||
```bash
|
||||
kubectl logs -n my-apps deployment/tasko-backend -f
|
||||
```
|
||||
|
||||
You should see:
|
||||
```
|
||||
🔐 Session Configuration (Development Mode): # Wait, this should say Production!
|
||||
```
|
||||
|
||||
### 2. Check Environment Variables
|
||||
|
||||
```bash
|
||||
kubectl exec -n my-apps deployment/tasko-backend -- env | grep GOOGLE
|
||||
```
|
||||
|
||||
Expected output:
|
||||
```
|
||||
GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com
|
||||
GOOGLE_CLIENT_SECRET=GOCSPX-...
|
||||
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback
|
||||
```
|
||||
|
||||
### 3. Test OAuth Flow
|
||||
|
||||
1. Go to `https://tasko.dvirlabs.com`
|
||||
2. Click "Continue with Google"
|
||||
3. You should be redirected to Google login
|
||||
4. After authentication, you should be redirected back to your app with a token
|
||||
|
||||
Watch the backend logs:
|
||||
```bash
|
||||
kubectl logs -n my-apps deployment/tasko-backend -f
|
||||
```
|
||||
|
||||
Expected logs:
|
||||
```
|
||||
🔑 OAuth Login initiated (/auth/google):
|
||||
- Redirect URI: https://api-tasko.dvirlabs.com/auth/google/callback
|
||||
- Response Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=672182384838-...
|
||||
|
||||
🔄 OAuth Callback received (/auth/google/callback):
|
||||
- Request headers Cookie: tasko_session=...
|
||||
- Cookies from request.cookies: ['tasko_session']
|
||||
- Session keys: ['_state_google_...']
|
||||
|
||||
✅ OAuth Login SUCCESS!
|
||||
- User: your.email@gmail.com
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 🔒 Security Notes
|
||||
|
||||
### Production vs Development
|
||||
|
||||
The code automatically detects the environment:
|
||||
|
||||
**Development (`ENVIRONMENT=development`):**
|
||||
- `https_only=False` (allows HTTP cookies for localhost)
|
||||
- Debug logging enabled
|
||||
- Session cookies work on `localhost`
|
||||
|
||||
**Production (`ENVIRONMENT=production`):**
|
||||
- `https_only=True` (requires HTTPS for cookies)
|
||||
- Debug logging disabled
|
||||
- Secure session cookies
|
||||
|
||||
### Session Secret
|
||||
|
||||
The `sessionSecret` is used to sign session cookies. **Change this to a unique value!**
|
||||
|
||||
Generate a new secret:
|
||||
```bash
|
||||
python -c "import secrets; print(secrets.token_hex(32))"
|
||||
```
|
||||
|
||||
Update in `values.yaml`:
|
||||
```yaml
|
||||
backend:
|
||||
sessionSecret: "YOUR_NEW_SECRET_HERE"
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## 🐛 Troubleshooting
|
||||
|
||||
### Issue: "client_id is empty"
|
||||
|
||||
**Cause:** Environment variables not loaded in container
|
||||
|
||||
**Fix:**
|
||||
```bash
|
||||
# Check if secrets exist
|
||||
kubectl get secret -n my-apps tasko-secrets -o yaml
|
||||
|
||||
# Verify secret contains OAuth keys
|
||||
kubectl describe secret -n my-apps tasko-secrets
|
||||
|
||||
# Restart deployment
|
||||
kubectl rollout restart deployment/tasko-backend -n my-apps
|
||||
```
|
||||
|
||||
### Issue: "mismatching_state: CSRF Warning"
|
||||
|
||||
**Cause:** Session cookies not being sent
|
||||
|
||||
**Possible causes:**
|
||||
1. `ENVIRONMENT` not set to `production` (cookies require HTTPS)
|
||||
2. Frontend and backend on different domains without proper CORS
|
||||
3. Cookie `SameSite` settings
|
||||
|
||||
**Fix:**
|
||||
- Verify `ENVIRONMENT=production` is set
|
||||
- Check that `FRONTEND_URL` matches your actual frontend domain
|
||||
- Ensure HTTPS is working on both frontend and backend
|
||||
|
||||
### Issue: "Redirect URI mismatch"
|
||||
|
||||
**Cause:** Google Console redirect URI doesn't match
|
||||
|
||||
**Fix:**
|
||||
1. Check the actual redirect URI in the error message from Google
|
||||
2. Add that exact URI to Google Console
|
||||
3. Make sure `GOOGLE_REDIRECT_URI` in `values.yaml` matches
|
||||
|
||||
---
|
||||
|
||||
## 📝 Frontend Configuration
|
||||
|
||||
The frontend should automatically use the production API URL because of the proxy setup in `vite.config.js`.
|
||||
|
||||
### Build-time Configuration
|
||||
|
||||
When building the frontend Docker image, ensure `VITE_API_URL` is set:
|
||||
|
||||
**In `values.yaml`:**
|
||||
```yaml
|
||||
frontend:
|
||||
env:
|
||||
VITE_API_URL: "https://api-tasko.dvirlabs.com"
|
||||
```
|
||||
|
||||
**Or in Dockerfile:**
|
||||
```dockerfile
|
||||
ENV VITE_API_URL=https://api-tasko.dvirlabs.com
|
||||
RUN npm run build
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## ✨ Quick Reference
|
||||
|
||||
### Backend URLs
|
||||
- Production API: `https://api-tasko.dvirlabs.com`
|
||||
- OAuth callback: `https://api-tasko.dvirlabs.com/auth/google/callback`
|
||||
|
||||
### Frontend URLs
|
||||
- Production: `https://tasko.dvirlabs.com`
|
||||
|
||||
### Environment Variables (Backend)
|
||||
```bash
|
||||
ENVIRONMENT=production
|
||||
GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com
|
||||
GOOGLE_CLIENT_SECRET=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
|
||||
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback
|
||||
FRONTEND_URL=https://tasko.dvirlabs.com
|
||||
SESSION_SECRET=<generate-new-secret>
|
||||
DATABASE_URL=<from-secret>
|
||||
```
|
||||
Loading…
x
Reference in New Issue
Block a user