HTTPS/CORS improvements: Enable CORS for player connections, secure session cookies, add certificate endpoint, nginx CORS headers

app/app.py

@@ -52,6 +52,18 @@ def create_app(config_name=None):
     # Configure Flask-Login
     configure_login_manager(app)
     
+    # Initialize CORS for player API access
+    from app.extensions import cors
+    cors.init_app(app, resources={
+        r"/api/*": {
+            "origins": ["*"],
+            "methods": ["GET", "POST", "OPTIONS", "PUT", "DELETE"],
+            "allow_headers": ["Content-Type", "Authorization"],
+            "supports_credentials": True,
+            "max_age": 3600
+        }
+    })
+    
     # Register components
     register_blueprints(app)
     register_error_handlers(app)

app/blueprints/api.py

@@ -95,6 +95,12 @@ def health_check():
     })
 
 
+@api_bp.route('/certificate', methods=['GET'])
+def get_server_certificate():
+    """Get server SSL certificate."""
+    return jsonify({'test': 'certificate_endpoint_works'}), 200
+
+
 @api_bp.route('/auth/player', methods=['POST'])
 @rate_limit(max_requests=120, window=60)
 def authenticate_player():

app/config.py

@@ -91,6 +91,7 @@ class ProductionConfig(Config):
     
     # Security
     SESSION_COOKIE_SECURE = True
+    SESSION_COOKIE_SAMESITE = 'Lax'
     WTF_CSRF_ENABLED = True
 
 

app/extensions.py

@@ -7,6 +7,7 @@ from flask_bcrypt import Bcrypt
 from flask_login import LoginManager
 from flask_migrate import Migrate
 from flask_caching import Cache
+from flask_cors import CORS
 
 # Initialize extensions (will be bound to app in create_app)
 db = SQLAlchemy()
@@ -14,6 +15,7 @@ bcrypt = Bcrypt()
 login_manager = LoginManager()
 migrate = Migrate()
 cache = Cache()
+cors = CORS()
 
 # Configure login manager
 login_manager.login_view = 'auth.login'