Fix OAuth session persistence behind reverse proxy

zachlatta · zachlatta · commit ce9eeec4d0e0 · 2025-06-05T21:58:21.000-04:00
- Revert to POST method for OAuth login
- Add trusted proxies configuration for HTTPS detection
- Change session cookie same_site from :lax to :none for OAuth
- Add debug logging to OAuth callback for troubleshooting
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -13,7 +13,15 @@ def callback
     
     # Store user ID in session
     session[:user_id] = user.id
-    Rails.logger.info "Set session[:user_id] = #{user.id} for user #{user.username}"
+    
+    # Debug logging
+    Rails.logger.info "=== OAuth Callback Debug ==="
+    Rails.logger.info "Session ID: #{session.id}"
+    Rails.logger.info "User ID set: #{session[:user_id]}"
+    Rails.logger.info "Request protocol: #{request.protocol}"
+    Rails.logger.info "Request SSL?: #{request.ssl?}"
+    Rails.logger.info "X-Forwarded-Proto: #{request.headers['X-Forwarded-Proto']}"
+    Rails.logger.info "==========================="
     
     # Redirect to birthday form if not provided, otherwise to dashboard
     if user.birthday_provided?
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -52,7 +52,7 @@
               <%= button_to "Logout", logout_path, method: :delete,
                     class: "inline-flex items-center px-4 py-2 border border-gray-300 text-sm font-medium rounded-md text-gray-700 bg-white hover:bg-gray-50 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500 transition-colors" %>
             <% else %>
-              <%= link_to "Login with GitHub", "/auth/github", 
+              <%= button_to "Login with GitHub", "/auth/github", method: :post, 
               data: { turbo: false },
               class: "inline-flex items-center px-4 py-2 border border-transparent text-sm font-medium rounded-md text-white bg-gray-900 hover:bg-gray-800 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-gray-500 transition-colors" %>
             <% end %>
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -29,6 +29,9 @@
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = true
+  
+  # If behind a proxy, add trusted proxies to properly detect HTTPS
+  config.action_dispatch.trusted_proxies = ActionDispatch::RemoteIp::TRUSTED_PROXIES + ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
 
   # Skip http-to-https redirect for the default health check endpoint.
   # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
@@ -1,6 +1,6 @@
 # Configure session store for production
 Rails.application.config.session_store :cookie_store,
   key: '_pyramid_scheme_session',
-  same_site: :lax,
+  same_site: :none,  # Changed from :lax for OAuth compatibility
   secure: Rails.env.production?, # Only use secure cookies in production if HTTPS
   httponly: true
