login fixes

app/config.py

@@ -9,6 +9,16 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 DATA_DIR = BASE_DIR / "data"
 
 
+def _env_bool(name: str, default: bool) -> bool:
+    value = os.getenv(name)
+    if value is None:
+        return default
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
+IS_HUGGINGFACE_SPACE = bool(os.getenv("SPACE_ID") or os.getenv("SPACE_HOST"))
+
+
 @dataclass(frozen=True)
 class Settings:
     app_name: str = os.getenv("APP_NAME", "TravelMap")
@@ -17,6 +27,11 @@ class Settings:
         f"sqlite:///{(DATA_DIR / 'webarena_airbnb.db').as_posix()}",
     )
     session_secret: str = os.getenv("SESSION_SECRET", "webarena-airbnb-dev-secret")
+    session_same_site: str = os.getenv(
+        "SESSION_SAME_SITE",
+        "none" if IS_HUGGINGFACE_SPACE else "lax",
+    )
+    session_https_only: bool = _env_bool("SESSION_HTTPS_ONLY", IS_HUGGINGFACE_SPACE)
     reset_token: str = os.getenv("RESET_TOKEN", "")
     host: str = os.getenv("HOST", "0.0.0.0")
     port: int = int(os.getenv("PORT", "7860"))

app/main.py

@@ -35,7 +35,12 @@ app = FastAPI(
     title=settings.app_name,
     description="A resettable vacation-rental marketplace with booking, messaging, and hosting flows.",
 )
-app.add_middleware(SessionMiddleware, secret_key=settings.session_secret, same_site="lax")
+app.add_middleware(
+    SessionMiddleware,
+    secret_key=settings.session_secret,
+    same_site=settings.session_same_site,
+    https_only=settings.session_https_only,
+)
 app.mount("/static", StaticFiles(directory="app/static"), name="static")
 templates = Jinja2Templates(directory="app/templates")