Merge pull request #442 from seanmorley15/development

Development
seanmorley15 · Jan 14, 2025 · 187f4c0 · 187f4c0
2 parents 609f68b + ef44836
commit 187f4c0
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 9 deletions.
diff --git a/backend/server/adventures/middleware.py b/backend/server/adventures/middleware.py
@@ -31,12 +31,16 @@ class OverrideHostMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
-    def __call__(self, request: HttpRequest):
-        # Override the host with the PUBLIC_URL environment variable
+    def __call__(self, request):
         public_url = os.getenv('PUBLIC_URL', None)
         if public_url:
-            # Split the public URL to extract the host and port (if available)
-            host = public_url.split("//")[-1].split("/")[0]
-            request.META['HTTP_HOST'] = host  # Override the HTTP_HOST header
+            # Extract host and scheme
+            scheme, host = public_url.split("://")
+            request.META['HTTP_HOST'] = host
+            request.META['wsgi.url_scheme'] = scheme
+
+            # Set X-Forwarded-Proto for Django
+            request.META['HTTP_X_FORWARDED_PROTO'] = scheme
+
         response = self.get_response(request)
         return response
diff --git a/backend/server/main/settings.py b/backend/server/main/settings.py
@@ -139,6 +139,8 @@
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/1.7/howto/static-files/
 
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 STATIC_ROOT = BASE_DIR / "staticfiles"

diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts
@@ -36,13 +36,37 @@ export const actions: Actions = {
 			method: 'DELETE',
 			headers: {
 				'Content-Type': 'application/json',
-				Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`,
-				'X-CSRFToken': csrfToken
+				'X-CSRFToken': csrfToken, // Ensure CSRF token is in header
+				Referer: event.url.origin, // Include Referer header
+				Cookie: `sessionid=${sessionId}; csrftoken=${csrfToken}`
 			},
 			credentials: 'include'
 		});
-		if (res.status == 401) {
-			event.cookies.delete('sessionid', { path: '/', secure: event.url.protocol === 'https:' });
+
+		// Determine the proper cookie domain
+		const hostname = event.url.hostname;
+		const domainParts = hostname.split('.');
+		let cookieDomain: string | undefined = undefined;
+
+		if (domainParts.length > 2) {
+			// For subdomains like app.mydomain.com -> .mydomain.com
+			cookieDomain = '.' + domainParts.slice(-2).join('.');
+		} else if (domainParts.length === 2) {
+			// For root domains like mydomain.com -> .mydomain.com
+			cookieDomain = '.' + hostname;
+		} else {
+			// For localhost or single-part domains (e.g., "localhost")
+			cookieDomain = undefined; // Do not set the domain
+		}
+
+		// Delete the session cookie
+		event.cookies.delete('sessionid', {
+			path: '/',
+			secure: event.url.protocol === 'https:',
+			domain: cookieDomain
+		});
+
+		if (res.status === 401) {
 			return redirect(302, '/login');
 		} else {
 			return redirect(302, '/');