fix passkey issues hopefully

jp8-isep · jp8-isep · commit df8fb8db3462 · 2026-01-02T17:21:45.000Z
diff --git a/backend/routes/auth.py b/backend/routes/auth.py
@@ -108,7 +108,8 @@ def verify_totp():
     try:
         data = request.get_json()
         user_id = data.get('user_id')
-        totp_code = data.get('totp_code', '')
+        # Ensure totp_code is string and stripped
+        totp_code = str(data.get('totp_code', '')).strip()
         is_setup = data.get('is_setup', False)  # True for initial setup, False for general verification
 
         if not user_id or not validate_totp_code(totp_code):
@@ -125,6 +126,7 @@ def verify_totp():
                 user_id = current_user_result['user']['id']
             else:
                 # For passkey setup, allow user_id from request if provided
+                # but ensure it's valid format if necessary (service handles that)
                 pass
 
         # Use appropriate verification method
@@ -136,6 +138,8 @@ def verify_totp():
         if result['success']:
             return jsonify(result), 200
         else:
+            # Log the specific error for debugging
+            logger.warning(f"TOTP verification failed for user {user_id}: {result.get('errors')}")
             return jsonify(result), 400
 
     except Exception as e:
diff --git a/backend/services/auth_service.py b/backend/services/auth_service.py
@@ -74,7 +74,7 @@ def __init__(self, db):
         self.db = db
         self.user_model = User(db)
         self.email_service = EmailService()
-        self.passkey_service = PasskeyService()
+        self.passkey_service = PasskeyService(self.db)
 
     def register_user(self, username: str, email: str, password: str,
                      phone: str = None, security_questions: list = None, lang: str = 'en') -> dict:
diff --git a/backend/services/passkey_service.py b/backend/services/passkey_service.py
@@ -37,33 +37,48 @@ def _b64url_decode(data: str) -> bytes:
 class PasskeyService:
     """Service for managing WebAuthn/Passkey authentication."""
 
-    def __init__(self, rp_id: str = None, rp_name: str = "TopicsFlow"):
+    def __init__(self, db, rp_id=None, rp_name=None):
         """
         Initialize passkey service.
 
         Args:
             rp_id: Relying Party ID (your domain, e.g., 'localhost' or 'topicsflow.me')
             rp_name: Relying Party name (your app name)
         """
-        # Use environment variable or default
-        # Origin for WebAuthn (e.g., 'http://localhost:3000' or 'https://topicsflow.me')
-        self.origin = os.getenv('FRONTEND_URL', 'http://localhost:3000')
-
-        # Determine RP ID
-        if rp_id:
-            self.rp_id = rp_id
-        elif os.getenv('PASSKEY_RP_ID'):
-            self.rp_id = os.getenv('PASSKEY_RP_ID')
+        self.db = db
+
+        # Determine environment
+        # IS_AZURE is usually set in config.py or env, check here if env var
+        self.is_azure = os.getenv('IS_AZURE', 'False').lower() == 'true'
+
+        if not self.is_azure:
+            # Local Development Override
+            # Force localhost settings to prevent accidental production configuration usage
+            # This is critical for local testing if env vars like FRONTEND_URL are set to prod
+            self.rp_id = 'localhost'
+            self.origin = 'http://localhost:3000'
+            logger.info("Running in local mode: Forced Passkey RP_ID to localhost and Origin to http://localhost:3000")
         else:
-            # Derive from FRONTEND_URL if not explicitly set
-            # This handles 'https://topicsflow.me' -> 'topicsflow.me'
-            from urllib.parse import urlparse
-            try:
-                parsed_url = urlparse(self.origin)
-                self.rp_id = parsed_url.hostname or 'localhost'
-            except Exception as e:
-                logger.warning(f"Failed to parse FRONTEND_URL for RP ID: {e}")
-                self.rp_id = 'localhost'
+            # Production / Azure Configuration
+            # Use environment variable or default
+            # Origin for WebAuthn (e.g., 'http://localhost:3000' or 'https://topicsflow.me')
+            self.origin = os.getenv('FRONTEND_URL', 'http://localhost:3000')
+
+            # Determine RP ID
+            if rp_id:
+                self.rp_id = rp_id
+            elif os.getenv('PASSKEY_RP_ID'):
+                self.rp_id = os.getenv('PASSKEY_RP_ID')
+            else:
+                # Derive from FRONTEND_URL if not explicitly set
+                # This handles 'https://topicsflow.me' -> 'topicsflow.me'
+                from urllib.parse import urlparse
+                try:
+                    parsed_url = urlparse(self.origin)
+                    self.rp_id = parsed_url.hostname or 'localhost'
+                except Exception as e:
+                    logger.warning(f"Failed to parse FRONTEND_URL for RP ID: {e}")
+                    self.rp_id = 'localhost'
 
         self.rp_name = rp_name or os.getenv('APP_NAME', 'TopicsFlow')
 
diff --git a/backend/utils/validators.py b/backend/utils/validators.py
@@ -79,6 +79,9 @@ def validate_totp_code(code: str) -> bool:
     if not code:
         return False
 
+    # Ensure code is a string
+    code = str(code).strip()
+
     # TOTP codes are 6 digits
     return bool(re.match(r'^\d{6}$', code))
 
@@ -88,6 +91,9 @@ def validate_backup_code(code: str) -> bool:
     if not code:
         return False
 
+    # Ensure code is a string
+    code = str(code).strip()
+
     # Backup codes are typically 8 digits
     return bool(re.match(r'^\d{8}$', code))
 
diff --git a/frontend/next.config.js b/frontend/next.config.js
@@ -10,7 +10,8 @@ const nextConfig = {
     formats: ['image/webp', 'image/avif'],
   },
   env: {
-    NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL || 'https://topicsflow.me',
+    // defaults to undefined if not set, letting api.ts handle the fallback to localhost
+    NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL,
     NEXT_PUBLIC_APP_NAME: process.env.NEXT_PUBLIC_APP_NAME || 'TopicsFlow',
     NEXT_PUBLIC_TENOR_API_KEY: process.env.NEXT_PUBLIC_TENOR_API_KEY || '',
   },
diff --git a/frontend/utils/api.ts b/frontend/utils/api.ts
@@ -21,17 +21,22 @@ class ApiClient {
         window.location.hostname === 'www.topicsflow.me' ||
         window.location.hostname.includes('azurestaticapps.net');
 
-      if (backendUrl) {
-        // Use provided backend URL
-        baseURL = backendUrl;
-      } else if (isProduction) {
-        // Production but no backend URL set: use topicsflow.me
-        // This allows calls to go to /api/... on the same domain (topicsflow.me)
+      const isLocalhost = window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1';
+
+      if (isProduction) {
+        // Production: Always use topicsflow.me
         baseURL = 'https://topicsflow.me';
+      } else if (isLocalhost) {
+        // Local Development: Prioritize localhost:5000
+        // If provided backendUrl matches topicsflow.me, ignore it to prevent accidental prod usage
+        if (backendUrl === 'https://topicsflow.me') {
+          baseURL = 'http://localhost:5000';
+          console.warn('[ApiClient] NEXT_PUBLIC_API_URL points to production but running on localhost. Forcing connection to http://localhost:5000');
+        } else {
+          baseURL = backendUrl || 'http://localhost:5000';
+        }
       } else {
-        // Local Development: Use provided URL or default to topicsflow.me if not set
-        // (to avoid accidental localhost usage when targeting prod)
-        // However, if needed for local dev without env var, users should set NEXT_PUBLIC_API_URL
+        // Other environments (staging, etc): Use provided URL or fallback
         baseURL = backendUrl || 'https://topicsflow.me';
       }
     } else {
@@ -546,6 +551,6 @@ export const getApiBaseUrl = (): string => {
     return 'https://topicsflow.me';
   } else {
     // Local Development:
-    return backendUrl || 'https://topicsflow.me';
+    return backendUrl || 'http://localhost:5000';
   }
 };
