From bfef6bdde9cd0271882c99640f7d52c97272bd25 Mon Sep 17 00:00:00 2001
From: Wyatt Hunter
Date: Wed, 18 Feb 2026 15:49:04 -0600
Subject: [PATCH] Fix Cognito config + forwarded headers for correct HTTPS redirects
---
.github/workflows/deploy.yml | 4 ++
CulinaryCommandApp/Program.cs | 84 ++++++++++++++++++++---------------
2 files changed, 52 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 6abeaea..b2238e9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -132,6 +132,8 @@ jobs:
Authentication__Cognito__ClientId=${{ secrets.COGNITO_CLIENT_ID }}
Authentication__Cognito__ClientSecret=${{ secrets.COGNITO_CLIENT_SECRET }}
Authentication__Cognito__Domain=${{ secrets.COGNITO_DOMAIN }}
+ Authentication__Cognito__UserPoolId=${{ secrets.COGNITO_USER_POOL_ID }}
+ AWS__Region=${{ env.AWS_REGION }}
EOF
sudo chown ${{ secrets.LIGHTSAIL_USER }}:${{ secrets.LIGHTSAIL_USER }} /var/www/culinarycommand/.env
sudo chmod 640 /var/www/culinarycommand/.env
@@ -145,6 +147,8 @@ jobs:
export Authentication__Cognito__ClientId="${{ secrets.COGNITO_CLIENT_ID }}"
export Authentication__Cognito__ClientSecret="${{ secrets.COGNITO_CLIENT_SECRET }}"
export Authentication__Cognito__Domain="${{ secrets.COGNITO_DOMAIN }}"
+ export Authentication__Cognito__UserPoolId="${{ secrets.COGNITO_USER_POOL_ID }}"
+ export AWS__Region="${{ env.AWS_REGION }}"
EOF
sudo chown ${{ secrets.LIGHTSAIL_USER }}:${{ secrets.LIGHTSAIL_USER }} /var/www/culinarycommand/.env.export
sudo chmod 640 /var/www/culinarycommand/.env.export
diff --git a/CulinaryCommandApp/Program.cs b/CulinaryCommandApp/Program.cs
index 7ee9e0b..ae2eee7 100644
--- a/CulinaryCommandApp/Program.cs
+++ b/CulinaryCommandApp/Program.cs
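Review bot: The two added `export` lines in the `.env.export` hunk put their values in double quotes, as do the secret lines around them, so any value containing `"`, `$` or a backtick is truncated or shell-expanded when that file is sourced; the new `UserPoolId` and `AWS__Region` values are safe, but a comment on the heredoc such as `# values are double-quoted: keep secrets free of " and $ or switch to single quotes` would stop the next copy-paste from biting. Whether the heredoc delimiter itself is quoted (`<<'EOF'`), which decides if a `$` inside an already-expanded secret is interpreted again by the shell, is outside this hunk. The same five values are now written twice (`.env` and `.env.export`); a one-line comment naming which consumer reads which file would keep them from drifting, since the C# fail-fast guards only catch a missing value, not a mismatched one.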
@@ -45,33 +45,49 @@
.AddCookie()
.AddOpenIdConnect(options =>
{
- options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
- var userPoolId = "us-east-2_SULe0c9vr";
- var region = "us-east-2";
+ options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+
+ // ---- Read Cognito config (env/appsettings) ----
+ var region =
+ builder.Configuration["AWS:Region"]
+ ?? builder.Configuration["AWS_REGION"]
+ ?? builder.Configuration["Authentication:Cognito:Region"]; // optional
+
+ var userPoolId = builder.Configuration["Authentication:Cognito:UserPoolId"];
+ var clientId = builder.Configuration["Authentication:Cognito:ClientId"];
+
+ // client secret can come from either config or a raw env var
+ var clientSecret =
+ Environment.GetEnvironmentVariable("COGNITO_CLIENT_SECRET")
+ ?? builder.Configuration["Authentication:Cognito:ClientSecret"];
+
+ // Fail fast if missing (prevents weird half-working deploys)
+ if (string.IsNullOrWhiteSpace(region))
+ throw new InvalidOperationException("Missing config: AWS:Region (or AWS_REGION).");
+ if (string.IsNullOrWhiteSpace(userPoolId))
+ throw new InvalidOperationException("Missing config: Authentication:Cognito:UserPoolId");
+ if (string.IsNullOrWhiteSpace(clientId))
+ throw new InvalidOperationException("Missing config: Authentication:Cognito:ClientId");
+ if (string.IsNullOrWhiteSpace(clientSecret))
+ throw new InvalidOperationException("Missing config: Authentication:Cognito:ClientSecret (or COGNITO_CLIENT_SECRET).");
options.Authority = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}";
options.MetadataAddress = $"{options.Authority}/.well-known/openid-configuration";
- options.ClientId = "55joip0viah9qtj7dndhvma2gt";
- var cognitoClientId = builder.Configuration["Authentication:Cognito:ClientId"];
- var cognitoSecretFromEnv = Environment.GetEnvironmentVariable("COGNITO_CLIENT_SECRET");
- var cognitoSecretFromConfig = builder.Configuration["Authentication:Cognito:ClientSecret"];
-
- var
cognitoClientSecret =
- !string.IsNullOrWhiteSpace(cognitoSecretFromEnv) ? cognitoSecretFromEnv :
- cognitoSecretFromConfig;
-
- options.ClientId = cognitoClientId;
- options.ClientSecret = cognitoClientSecret;
-
+ options.ClientId = clientId;
+ options.ClientSecret = clientSecret;
options.ResponseType = OpenIdConnectResponseType.Code;
options.SaveTokens = true;
- options.CallbackPath = "/signin-oidc";
- options.SignedOutCallbackPath = "/signout-callback-oidc";
+ // Use config if present, else default
+ options.CallbackPath =
+ builder.Configuration["Authentication:Cognito:CallbackPath"] ?? "/signin-oidc";
- options.RequireHttpsMetadata = true; // keep true
+ options.SignedOutCallbackPath =
+ builder.Configuration["Authentication:Cognito:SignedOutCallbackPath"] ?? "/signout-callback-oidc";
+
+ options.RequireHttpsMetadata = true;
options.Scope.Clear();
options.Scope.Add("openid");
@@ -80,10 +96,18 @@
options.TokenValidationParameters.NameClaimType = "cognito:username";
options.TokenValidationParameters.RoleClaimType = "cognito:groups";
+ options.Events.OnRedirectToIdentityProvider = ctx =>
+ {
+ // Forces correct scheme/host behind nginx
+ ctx.ProtocolMessage.RedirectUri = $"{ctx.Request.Scheme}://{ctx.Request.Host}{options.CallbackPath}";
+ return Task.CompletedTask;
+ };
+
});
builder.Services.AddAuthorization();
+
//
// =====================
// AI Services
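Review bot: `region` and `userPoolId` are interpolated straight into `options.Authority`, but the new fail-fast block only rejects empty values, so a mistyped or tampered value containing `/`, `.` or whitespace yields a different metadata URL that the handler will then trust for issuer and signing keys. The values come from the deploy `.env`, so this is hardening rather than an exploit; still, a shape check beside the existing guards is cheap, and Cognito pool ids take the form `<region>_<id>` as the removed literal shows: `if (!Regex.IsMatch(region, @"^[a-z]{2}(-[a-z]+)+-\d$") || !Regex.IsMatch(userPoolId, $"^{Regex.Escape(region)}_[A-Za-z0-9]+$"))` / `throw new InvalidOperationException("Cognito region/user pool id are malformed.");` (needs `using System.Text.RegularExpressions;`). The `// optional` on the `Authentication:Cognito:Region` fallback reads as if the region were optional, which the guard below contradicts; `// last fallback key — a region itself is required, checked below` says what is meant. The `.AddOpenIdConnect` lambda continues into the next hunk, and its `options.Scope` list is cut off at the hunk boundary.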
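Review bot: The new `OnRedirectToIdentityProvider` handler builds `redirect_uri` from `ctx.Request.Host`, which after this commit is taken from `X-Forwarded-Host` with every proxy restriction cleared, so the value sent to Cognito is whatever host the inbound request claimed; the only thing stopping an authorization code from being sent elsewhere is Cognito's registered-callback allow-list, so keep that list to the real production URL. The override also drops `ctx.Request.PathBase`, which the default handler includes, and should be redundant once forwarded headers are applied before authentication, since the handler already derives `redirect_uri` from `Request.Scheme` and `Request.Host`. If it stays, make it match the handler and say why: `// nginx terminates TLS; scheme/host come from X-Forwarded-* so redirect_uri matches the registered https callback` and `ctx.ProtocolMessage.RedirectUri = $"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}{options.CallbackPath}";`. `SignedOutCallbackPath` gets no equivalent treatment, so post-logout redirects are still computed by the default code path and may show the same scheme problem. The `.AddOpenIdConnect` lambda begins in the previous hunk.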
@@ -91,23 +115,6 @@
builder.Services.AddSingleton(_ => new Client());
builder.Services.AddScoped();
-// var googleKey =
-// Environment.GetEnvironmentVariable("GOOGLE_API_KEY")
-// ?? builder.Configuration["Google:ApiKey"]; // optional appsettings slot
-
-// if (!string.IsNullOrWhiteSpace(googleKey))
-// {
-// builder.Services.AddSingleton(_ => new Google.GenAI.Client(apiKey: googleKey));
-// builder.Services.AddScoped();
-// Console.WriteLine("✅ AI enabled (GOOGLE_API_KEY found).");
-// }
-// else
-// {
-// Console.WriteLine("⚠️ GOOGLE_API_KEY not set; AI features disabled.");
-// // Do NOT register AIReportingService at all.
-// }
-
-
//
// =====================
// Database
@@ -159,12 +166,17 @@
builder.Services.Configure(o =>
{
- o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+ o.ForwardedHeaders =
+ ForwardedHeaders.XForwardedFor |
+ ForwardedHeaders.XForwardedProto |
+ ForwardedHeaders.XForwardedHost;
+
o.KnownNetworks.Clear();
o.KnownProxies.Clear();
});
+
//
// =====================
// Build App
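Review bot: With `KnownNetworks` and `KnownProxies` both cleared and `XForwardedHost` now added, the middleware accepts `X-Forwarded-For/Proto/Host` from any peer, so whoever can reach Kestrel (or push a spoofed `X-Forwarded-Host` through nginx if nginx does not overwrite it) chooses the scheme and host the app uses for cookies, redirects and the OIDC `redirect_uri`. The defaults already trust loopback; if they were cleared because nginx's source address is something else, add that address instead of trusting everyone — `o.KnownProxies.Add(IPAddress.Loopback);` / `o.KnownProxies.Add(IPAddress.IPv6Loopback);` in place of the two `Clear()` calls (needs `using System.Net;`) — and/or set `o.AllowedHosts` to the site's real host name so a forged `X-Forwarded-Host` is dropped. A comment on the `Clear()` lines stating which proxy is trusted and why the defaults were insufficient would also help, since clearing both usually marks a workaround rather than a decision. Whether `app.UseForwardedHeaders()` runs before authentication in the pipeline is outside this hunk.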