tasko/PRODUCTION_OAUTH_SETUP.md
2026-02-22 15:13:44 +02:00

Production OAuth Setup Guide

🔧 Changes Made

1. Kubernetes Configuration Updated

Files Modified:

  • tasko-chart/templates/secret.yaml - Added OAuth secrets
  • tasko-chart/templates/backend-deployment.yaml - Added environment variables from secrets
  • tasko-chart/values.yaml - Added OAuth configuration

What was added:

backend:
  env:
    ENVIRONMENT: "production"
    GOOGLE_REDIRECT_URI: "https://api-tasko.dvirlabs.com/auth/google/callback"
    FRONTEND_URL: "https://tasko.dvirlabs.com"
  
  oauth:
    google:
      clientId: "YOUR_CLIENT_ID"
      clientSecret: "YOUR_CLIENT_SECRET"
  
  sessionSecret: "YOUR_SESSION_SECRET"

🔐 Google Cloud Console Setup

Step 1: Add Production Redirect URI

  1. Go to Google Cloud Console
  2. Navigate to APIs & Services → Credentials
  3. Click on your OAuth 2.0 Client ID (the one you created for Tasko)
  4. Under Authorized redirect URIs, add:
    https://api-tasko.dvirlabs.com/auth/google/callback
    
  5. Keep the localhost URI for development:
    http://localhost:8000/auth/google/callback
    
  6. Click Save

Step 2: Verify Authorized JavaScript Origins

Make sure these origins are authorized:

  • https://tasko.dvirlabs.com (frontend)
  • https://api-tasko.dvirlabs.com (backend)
  • http://localhost:5173 (local dev)
  • http://localhost:8000 (local dev)

🚀 Deploy to Kubernetes

Option A: Using Helm Upgrade

# From the tasko-chart directory
helm upgrade tasko . --namespace my-apps --create-namespace

# Or if first deployment
helm install tasko . --namespace my-apps --create-namespace

Option B: GitOps sync (if you pushed the chart to Git)

# Your GitOps tool (ArgoCD, Flux, etc.) should auto-sync
# Or manually trigger sync if needed

Verify Deployment

1. Check Backend Logs

kubectl logs -n my-apps deployment/tasko-backend -f

You should see the 🔐 Session Configuration banner, and it must report Production mode. If it prints

🔐 Session Configuration (Development Mode):

then ENVIRONMENT is not set to production inside the container (see Troubleshooting below).

2. Check Environment Variables

kubectl exec -n my-apps deployment/tasko-backend -- env | grep GOOGLE

Expected output:

GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback

3. Test OAuth Flow

  1. Go to https://tasko.dvirlabs.com
  2. Click "Continue with Google"
  3. You should be redirected to Google login
  4. After authentication, you should be redirected back to your app with a token

Watch the backend logs:

kubectl logs -n my-apps deployment/tasko-backend -f

Expected logs:

🔑 OAuth Login initiated (/auth/google):
   - Redirect URI: https://api-tasko.dvirlabs.com/auth/google/callback
   - Response Location: https://accounts.google.com/o/oauth2/v2/auth?client_id=672182384838-...

🔄 OAuth Callback received (/auth/google/callback):
   - Request headers Cookie: tasko_session=...
   - Cookies from request.cookies: ['tasko_session']
   - Session keys: ['_state_google_...']

✅ OAuth Login SUCCESS!
   - User: your.email@gmail.com

🔒 Security Notes

Production vs Development

The code automatically detects the environment:

Development (ENVIRONMENT=development):

  • https_only=False (allows HTTP cookies for localhost)
  • Debug logging enabled
  • Session cookies work on localhost

Production (ENVIRONMENT=production):

  • https_only=True (requires HTTPS for cookies)
  • Debug logging disabled
  • Secure session cookies
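As an added example (not Tasko's own code), here is one way to implement the environment switch described above so that it fails closed: only an explicit ENVIRONMENT=development relaxes the cookie policy, and an unset or misspelled value yields the production settings, so a container that never received the variable cannot silently run with https_only=False. It also rejects a SameSite=Strict cookie, which would not be sent on the redirect back from Google. The keyword-argument names follow Starlette's SessionMiddleware; the cookie name tasko_session comes from the log lines in this guide, and the 8-hour max_age is an assumption.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional, Union

# Added example, not Tasko's code: derive the session-cookie policy from
# ENVIRONMENT and fail closed (anything but "development" is production).


@dataclass(frozen=True)
class SessionPolicy:
    environment: str      # normalised value we resolved to
    https_only: bool      # cookie carries the Secure flag
    same_site: str        # "lax" lets the cookie ride the redirect back from Google
    debug_logging: bool   # verbose OAuth logging only outside production


def resolve_session_policy(environment: Optional[str]) -> SessionPolicy:
    env = (environment or "").strip().lower()
    if env == "development":
        return SessionPolicy("development", https_only=False, same_site="lax", debug_logging=True)
    # Unset, empty, or any other value: production settings.
    return SessionPolicy("production", https_only=True, same_site="lax", debug_logging=False)


def session_middleware_kwargs(policy: SessionPolicy, session_secret: str,
                              cookie_name: str = "tasko_session",
                              max_age_seconds: int = 8 * 3600) -> Dict[str, Union[str, bool, int]]:
    """Keyword arguments in the shape Starlette's SessionMiddleware accepts.

    The secret is validated here instead of trusting values.yaml: the
    placeholder strings from this guide and short secrets are rejected.
    """
    placeholders = ("", "YOUR_SESSION_SECRET", "YOUR_NEW_SECRET_HERE")
    if session_secret in placeholders or len(session_secret) < 32:
        raise ValueError("SESSION_SECRET is missing, a placeholder, or shorter than 32 characters")
    if policy.same_site == "strict":
        # Strict drops the cookie on the cross-site redirect from accounts.google.com,
        # which then surfaces as the mismatching_state CSRF warning.
        raise ValueError("same_site='strict' breaks the OAuth callback; use 'lax'")
    return {
        "secret_key": session_secret,
        "session_cookie": cookie_name,
        "max_age": max_age_seconds,
        "same_site": policy.same_site,
        "https_only": policy.https_only,
    }


def banner(policy: SessionPolicy) -> str:
    """The one-line startup message to look for in `kubectl logs`."""
    mode = "Production" if policy.environment == "production" else "Development"
    return (f"Session Configuration ({mode} Mode): "
            f"https_only={policy.https_only}, same_site={policy.same_site}")


if __name__ == "__main__":
    policy = resolve_session_policy(os.environ.get("ENVIRONMENT"))
    print(banner(policy))
```

Run it with ENVIRONMENT unset and it prints the Production banner; only `ENVIRONMENT=development` switches it, which is the opposite default from a setup that starts in development mode and relies on the variable being present.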

Session Secret

The sessionSecret is used to sign session cookies. Change this to a unique value!

Generate a new secret:

python -c "import secrets; print(secrets.token_hex(32))"

Update in values.yaml:

backend:
  sessionSecret: "YOUR_NEW_SECRET_HERE"

🐛 Troubleshooting

Issue: "client_id is empty"

Cause: Environment variables not loaded in container

Fix:

# Check if secrets exist
kubectl get secret -n my-apps tasko-secrets -o yaml

# Verify secret contains OAuth keys
kubectl describe secret -n my-apps tasko-secrets

# Restart deployment
kubectl rollout restart deployment/tasko-backend -n my-apps
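The following script is an added example, not part of the Tasko repository. It automates the "Check Environment Variables" step from Verify Deployment and the "client_id is empty" diagnosis above: fed the output of `env` from the backend container, it flags an empty client id, placeholder secrets, non-HTTPS URLs, a callback path that does not match the Google Console entry, and a missing ENVIRONMENT=production. The two sample dumps are constructed (no real credentials); in a cluster the input comes from `kubectl exec -n my-apps deployment/tasko-backend -- env`.

```python
import sys
from typing import Dict, List

# Added example, not Tasko's tooling. Usage against a running pod:
#   kubectl exec -n my-apps deployment/tasko-backend -- env | python check_backend_env.py

PLACEHOLDERS = {
    "", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "YOUR_SESSION_SECRET",
    "YOUR_NEW_SECRET_HERE", "<generate-new-secret>",
}
CALLBACK_PATH = "/auth/google/callback"


def parse_env_dump(dump: str) -> Dict[str, str]:
    """Turn `KEY=value` lines (as printed by `env`) into a dict; other lines are ignored."""
    env: Dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # values may themselves contain '='
        env[key.strip()] = value.strip()
    return env


def check_backend_env(dump: str) -> List[str]:
    """Return a list of findings; an empty list means the container is ready for production OAuth."""
    env = parse_env_dump(dump)
    findings: List[str] = []

    if env.get("ENVIRONMENT") != "production":
        findings.append("ENVIRONMENT is not 'production': session cookies will not be https_only")

    client_id = env.get("GOOGLE_CLIENT_ID", "")
    if client_id in PLACEHOLDERS or not client_id.endswith(".apps.googleusercontent.com"):
        findings.append("GOOGLE_CLIENT_ID is empty or not a Google OAuth client id "
                        "(this is what produces 'client_id is empty')")

    if env.get("GOOGLE_CLIENT_SECRET", "") in PLACEHOLDERS:
        findings.append("GOOGLE_CLIENT_SECRET is empty or still a placeholder")

    redirect_uri = env.get("GOOGLE_REDIRECT_URI", "")
    if not redirect_uri.startswith("https://"):
        findings.append("GOOGLE_REDIRECT_URI must use https:// in production")
    if not redirect_uri.endswith(CALLBACK_PATH):
        findings.append(f"GOOGLE_REDIRECT_URI does not end with {CALLBACK_PATH}; "
                        "Google will report a redirect URI mismatch")

    if not env.get("FRONTEND_URL", "").startswith("https://"):
        findings.append("FRONTEND_URL must use https:// in production")

    session_secret = env.get("SESSION_SECRET", "")
    if session_secret in PLACEHOLDERS or len(session_secret) < 32:
        findings.append("SESSION_SECRET is a placeholder or shorter than 32 characters; "
                        "generate one with secrets.token_hex(32)")

    return findings


# Constructed sample dumps (not real credentials) so the script runs offline.
GOOD_ENV = """\
PATH=/usr/local/bin:/usr/bin
ENVIRONMENT=production
GOOGLE_CLIENT_ID=123456789012-constructedexample.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-constructed-sample-value
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback
FRONTEND_URL=https://tasko.dvirlabs.com
SESSION_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

BAD_ENV = """\
ENVIRONMENT=development
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=GOCSPX-constructed-sample-value
GOOGLE_REDIRECT_URI=http://localhost:8000/auth/google/callback
FRONTEND_URL=http://localhost:5173
SESSION_SECRET=YOUR_SESSION_SECRET
"""

if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else BAD_ENV
    problems = check_backend_env(dump)
    for problem in problems:
        print("FAIL:", problem)
    print("OK: backend environment looks ready" if not problems else f"{len(problems)} problem(s) found")
    sys.exit(1 if problems else 0)
```

A non-zero exit code makes the check usable as a post-deploy gate in a pipeline; run it before clicking "Continue with Google" so that a missing secret is caught here rather than as an OAuth error in the browser.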

Issue: "mismatching_state: CSRF Warning"

Cause: Session cookies not being sent

Possible causes:

  1. ENVIRONMENT not set to production (cookies require HTTPS)
  2. Frontend and backend on different domains without proper CORS
  3. Cookie SameSite settings

Fix:

  • Verify ENVIRONMENT=production is set
  • Check that FRONTEND_URL matches your actual frontend domain
  • Ensure HTTPS is working on both frontend and backend
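To show why a session cookie that is not sent surfaces as mismatching_state, here is an added example (not Tasko's or Authlib's code) that models the OAuth state round trip: the login step stores a random state under a _state_google_<state> key, following the session keys shown in the expected logs, and the callback is accepted only when the same session comes back with the request. The client id and authorization code are placeholders, and the session dict stands in for the decoded tasko_session cookie.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not Tasko's or Authlib's code. The "_state_google_<state>"
# key layout is assumed from the log lines in this guide.

AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
STATE_PREFIX = "_state_google_"


class MismatchingStateError(Exception):
    """The callback carried a state that the session does not know about."""


def start_login(session: Dict[str, str], client_id: str, redirect_uri: str) -> str:
    """Store a fresh state in the session and return the URL the user is sent to."""
    state = secrets.token_urlsafe(32)
    session[STATE_PREFIX + state] = redirect_uri   # the callback must see this same cookie
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session: Dict[str, str], callback_url: str) -> str:
    """Validate state against the session and return the authorization code.

    `session` is whatever came back in the request cookie. If the browser did
    not send tasko_session (Secure flag without HTTPS, SameSite=Strict, wrong
    domain), it is empty and the lookup fails exactly like the
    mismatching_state CSRF warning from the troubleshooting entry above.
    """
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not state or not code:
        raise MismatchingStateError("callback is missing state or code")

    expected_key = STATE_PREFIX + state
    matched: Optional[str] = None
    for key in list(session):
        # constant-time comparison so timing does not reveal where a mismatch occurs
        if key.startswith(STATE_PREFIX) and secrets.compare_digest(key, expected_key):
            matched = key
    if matched is None:
        raise MismatchingStateError(
            "mismatching_state: no matching state in session (was the session cookie sent?)")

    del session[matched]   # single use: a replayed callback fails the same check
    return code


def extract_state(authorize_url: str) -> str:
    """Pull the state parameter back out of the authorize URL (what Google echoes to us)."""
    return parse_qs(urlparse(authorize_url).query)["state"][0]


def simulate(cookie_sent: bool) -> bool:
    """Run login + callback; True when the callback is accepted."""
    browser_session: Dict[str, str] = {}
    redirect_uri = "https://api-tasko.dvirlabs.com/auth/google/callback"
    url = start_login(browser_session, "CLIENT_ID_PLACEHOLDER", redirect_uri)
    state = extract_state(url)
    callback = f"{redirect_uri}?code=constructed-code&state={state}"
    session_on_callback = browser_session if cookie_sent else {}   # {} = cookie not sent
    try:
        handle_callback(session_on_callback, callback)
        return True
    except MismatchingStateError:
        return False


if __name__ == "__main__":
    print("cookie sent    ->", "accepted" if simulate(True) else "rejected")
    print("cookie missing ->", "accepted" if simulate(False) else "rejected")
```

The second run is the production failure mode: the state in the URL is perfectly valid, but the server has nothing to compare it against, so every fix in the list above is really about getting the same cookie back on the callback request.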

Issue: "Redirect URI mismatch"

Cause: Google Console redirect URI doesn't match

Fix:

  1. Check the actual redirect URI in the error message from Google
  2. Add that exact URI to Google Console
  3. Make sure GOOGLE_REDIRECT_URI in values.yaml matches

📝 Frontend Configuration

The frontend should automatically use the production API URL because of the proxy setup in vite.config.js.

Build-time Configuration

When building the frontend Docker image, ensure VITE_API_URL is set:

In values.yaml:

frontend:
  env:
    VITE_API_URL: "https://api-tasko.dvirlabs.com"

Or in Dockerfile:

ENV VITE_API_URL=https://api-tasko.dvirlabs.com
RUN npm run build

Quick Reference

Backend URLs

  • Production API: https://api-tasko.dvirlabs.com
  • OAuth callback: https://api-tasko.dvirlabs.com/auth/google/callback

Frontend URLs

  • Production: https://tasko.dvirlabs.com

Environment Variables (Backend)

ENVIRONMENT=production
GOOGLE_CLIENT_ID=672182384838-vob26vd0qhmf0g9mru4u4sibkqre0rfa.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=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
GOOGLE_REDIRECT_URI=https://api-tasko.dvirlabs.com/auth/google/callback
FRONTEND_URL=https://tasko.dvirlabs.com
SESSION_SECRET=<generate-new-secret>
DATABASE_URL=<from-secret>