# Production OAuth Setup Guide

## 🔧 Changes Made

### 1. Kubernetes Configuration Updated

**Files Modified:**

- `tasko-chart/templates/secret.yaml` - Added OAuth secrets
- `tasko-chart/templates/backend-deployment.yaml` - Added environment variables from secrets
- `tasko-chart/values.yaml` - Added OAuth configuration

**What was added:**

```yaml
backend:
  env:
    ENVIRONMENT: "production"
    GOOGLE_REDIRECT_URI: "https://api-tasko.dvirlabs.com/auth/google/callback"
    FRONTEND_URL: "https://tasko.dvirlabs.com"
  oauth:
    google:
      clientId: "YOUR_CLIENT_ID"
      clientSecret: "YOUR_CLIENT_SECRET"
  sessionSecret: "YOUR_SESSION_SECRET"
```

---

## 🔐 Google Cloud Console Setup

### Step 1: Add Production Redirect URI

1. Go to [Google Cloud Console](https://console.cloud.google.com/)
2. Navigate to **APIs & Services** → **Credentials**
3. Click on your OAuth 2.0 Client ID (the one you created for Tasko)
4. Under **Authorized redirect URIs**, add:
   ```
   https://api-tasko.dvirlabs.com/auth/google/callback
   ```
5. Keep the localhost URI for development:
   ```
   http://localhost:8000/auth/google/callback
   ```
6. Click **Save**

### Step 2: Verify Authorized JavaScript Origins

Make sure these origins are authorized:

- `https://tasko.dvirlabs.com` (frontend)
- `https://api-tasko.dvirlabs.com` (backend)
- `http://localhost:5173` (local dev)
- `http://localhost:8000` (local dev)

---

## 🚀 Deploy to Kubernetes

### Option A: Using Helm Upgrade

```bash
# From the tasko-chart directory
helm upgrade tasko . --namespace my-apps --create-namespace

# Or if first deployment
helm install tasko . --namespace my-apps --create-namespace
```

### Option B: Using kubectl (if you pushed to Git)

```bash
# Your GitOps tool (ArgoCD, Flux, etc.) should auto-sync
# Or manually trigger sync if needed
```

---

## ✅ Verify Deployment

### 1. Check Backend Logs

```bash
kubectl logs -n my-apps deployment/tasko-backend -f
```

You should see:

```
🔐 Session Configuration (Development Mode):  # Wait, this should say Production!
```

### 2. Check Environment Variables

```bash
kubectl exec -n my-apps deployment/tasko-backend -- env | grep GOOGLE
```

Expected output:

```
GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback
```

### 3. Test OAuth Flow

1. Go to `https://tasko.dvirlabs.com`
2. Click "Continue with Google"
3. You should be redirected to Google login
4. After authentication, you should be redirected back to your app with a token

Watch the backend logs:

```bash
kubectl logs -n my-apps deployment/tasko-backend -f
```

Expected logs:

```
🔑 OAuth Login initiated (/auth/google):
   - Redirect URI: https://api-tasko.dvirlabs.com/auth/google/callback
   - Response Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=672182384838-...

🔄 OAuth Callback received (/auth/google/callback):
   - Request headers Cookie: tasko_session=...
   - Cookies from request.cookies: ['tasko_session']
   - Session keys: ['_state_google_...']

✅ OAuth Login SUCCESS!
   - User: your.email@gmail.com
```

---

## 🔒 Security Notes

### Production vs Development

The code automatically detects the environment:

**Development (`ENVIRONMENT=development`):**

- `https_only=False` (allows HTTP cookies for localhost)
- Debug logging enabled
- Session cookies work on `localhost`

**Production (`ENVIRONMENT=production`):**

- `https_only=True` (requires HTTPS for cookies)
- Debug logging disabled
- Secure session cookies

### Session Secret

The `sessionSecret` is used to sign session cookies.
**Change this to a unique value!**

Generate a new secret:

```bash
python -c "import secrets; print(secrets.token_hex(32))"
```

Update in `values.yaml`:

```yaml
backend:
  sessionSecret: "YOUR_NEW_SECRET_HERE"
```

---

## 🐛 Troubleshooting

### Issue: "client_id is empty"

**Cause:** Environment variables not loaded in container

**Fix:**

```bash
# Check if secrets exist
kubectl get secret -n my-apps tasko-secrets -o yaml

# Verify secret contains OAuth keys
kubectl describe secret -n my-apps tasko-secrets

# Restart deployment
kubectl rollout restart deployment/tasko-backend -n my-apps
```

### Issue: "mismatching_state: CSRF Warning"

**Cause:** Session cookies not being sent

**Possible causes:**

1. `ENVIRONMENT` not set to `production` (cookies require HTTPS)
2. Frontend and backend on different domains without proper CORS
3. Cookie `SameSite` settings

**Fix:**

- Verify `ENVIRONMENT=production` is set
- Check that `FRONTEND_URL` matches your actual frontend domain
- Ensure HTTPS is working on both frontend and backend

### Issue: "Redirect URI mismatch"

**Cause:** Google Console redirect URI doesn't match

**Fix:**

1. Check the actual redirect URI in the error message from Google
2. Add that exact URI to Google Console
3. Make sure `GOOGLE_REDIRECT_URI` in `values.yaml` matches

---

## 📝 Frontend Configuration

The frontend should automatically use the production API URL because of the proxy setup in `vite.config.js`.

### Build-time Configuration

When building the frontend Docker image, ensure `VITE_API_URL` is set:

**In `values.yaml`:**

```yaml
frontend:
  env:
    VITE_API_URL: "https://api-tasko.dvirlabs.com"
```

**Or in Dockerfile:**

```dockerfile
ENV VITE_API_URL=https://api-tasko.dvirlabs.com
RUN npm run build
```

---

## ✨ Quick Reference

### Backend URLs

- Production API: `https://api-tasko.dvirlabs.com`
- OAuth callback: `https://api-tasko.dvirlabs.com/auth/google/callback`

### Frontend URLs

- Production: `https://tasko.dvirlabs.com`

### Environment Variables (Backend)

```bash
ENVIRONMENT=production
GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback
FRONTEND_URL=https://tasko.dvirlabs.com
SESSION_SECRET=
DATABASE_URL=
```
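
A pre-deployment check for the backend variables listed above, as an added example that is not part of the Tasko code base: it flags the conditions the troubleshooting section names (empty client ID, a redirect URI that is not the production HTTPS callback, `ENVIRONMENT` not set to `production`) along with leftover placeholders and a short session secret. The function name `check_production_env`, the 64-character minimum and the localhost test are assumptions of this example.

```python
import os
import sys
from urllib.parse import urlsplit

# Placeholder strings used in this guide's values.yaml snippets.
PLACEHOLDERS = {"YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                "YOUR_SESSION_SECRET", "YOUR_NEW_SECRET_HERE"}
REQUIRED = ("ENVIRONMENT", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
            "GOOGLE_REDIRECT_URI", "FRONTEND_URL", "SESSION_SECRET")
CALLBACK_PATH = "/auth/google/callback"
MIN_SECRET_CHARS = 64  # assumption: length of secrets.token_hex(32) output


def check_production_env(env):
    """Return findings as strings that name variables but never echo values."""
    findings = []
    for name in REQUIRED:
        value = env.get(name, "").strip()
        if not value:
            findings.append(f"{name} is empty or unset")
        elif value in PLACEHOLDERS:
            findings.append(f"{name} still holds a placeholder")
    if env.get("ENVIRONMENT", "").strip() not in ("", "production"):
        findings.append("ENVIRONMENT is not 'production'")
    for name in ("GOOGLE_REDIRECT_URI", "FRONTEND_URL"):
        raw = env.get(name, "").strip()
        if not raw:
            continue  # already reported as empty above
        url = urlsplit(raw)
        if not url.netloc:
            findings.append(f"{name} is not an absolute URL")
        elif url.scheme != "https" or url.hostname in ("localhost", "127.0.0.1"):
            findings.append(f"{name} must be a non-localhost https URL")
        elif name == "GOOGLE_REDIRECT_URI" and url.path != CALLBACK_PATH:
            findings.append(f"{name} path is not {CALLBACK_PATH}")
    secret = env.get("SESSION_SECRET", "").strip()
    if secret and secret not in PLACEHOLDERS and len(secret) < MIN_SECRET_CHARS:
        findings.append("SESSION_SECRET is shorter than 64 characters")
    return findings


if __name__ == "__main__":
    # Run as a script, it checks the current process environment.
    problems = check_production_env(os.environ)
    for problem in problems:
        print(f"FAIL: {problem}")
    sys.exit(1 if problems else 0)
```

Run as a script it exits non-zero on any finding, so it can gate a deploy step without printing secret values to the job log.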