chore(release): bump version to 0.9.19-rc.4

- Add production Docker Compose configuration

- Add check_auth.py diagnostic script for session 401 debugging

check_auth.py

@@ -0,0 +1,147 @@
+#!/usr/bin/env python3
+"""Diagnostic script for BanGUI auth/session 401 issue.
+
+Tests the full auth flow against http://192.168.178.43:8080/api/v1/auth
+using password "Hallo123!".
+
+Usage:
+    python3 check_auth.py
+"""
+
+import json
+import urllib.error
+import urllib.request
+
+BASE_URL = "http://192.168.178.43:8080/api/v1"
+PASSWORD = "Hallo123!"
+
+
+def make_request(url, method="GET", data=None, headers=None, cookie=None):
+    """Make an HTTP request and return (status, headers, body, cookies)."""
+    req_headers = headers or {}
+    if data:
+        req_headers["Content-Type"] = "application/json"
+    if cookie:
+        req_headers["Cookie"] = cookie
+
+    req = urllib.request.Request(
+        url,
+        data=json.dumps(data).encode("utf-8") if data else None,
+        headers=req_headers,
+        method=method,
+    )
+
+    try:
+        with urllib.request.urlopen(req) as resp:
+            body = resp.read().decode("utf-8")
+            cookies = resp.headers.get_all("Set-Cookie") or []
+            return resp.status, dict(resp.headers), body, cookies
+    except urllib.error.HTTPError as e:
+        body = e.read().decode("utf-8")
+        cookies = e.headers.get_all("Set-Cookie") or []
+        return e.code, dict(e.headers), body, cookies
+    except Exception as e:
+        return None, {}, str(e), []
+
+
+def extract_cookie_value(set_cookie_headers, cookie_name):
+    """Extract cookie value from Set-Cookie headers."""
+    for header in set_cookie_headers:
+        if header.startswith(cookie_name + "="):
+            return header.split(";")[0]
+    return None
+
+
+def main():
+    print("=" * 60)
+    print("BanGUI Auth Diagnostic Script")
+    print("Target:", BASE_URL)
+    print("=" * 60)
+
+    # 1. Check health endpoint (no auth needed)
+    print("\n[1] GET /health")
+    status, headers, body, _ = make_request(f"{BASE_URL}/health")
+    print(f"    Status: {status}")
+    print(f"    Response: {body[:200]}")
+
+    # 2. Check CORS preflight for login
+    print("\n[2] OPTIONS /auth/login (CORS preflight)")
+    status, headers, body, _ = make_request(
+        f"{BASE_URL}/auth/login",
+        method="OPTIONS",
+        headers={
+            "Origin": "http://192.168.178.43:8080",
+            "Access-Control-Request-Method": "POST",
+            "Access-Control-Request-Headers": "Content-Type",
+        },
+    )
+    print(f"    Status: {status}")
+    print(f"    Access-Control-Allow-Origin: {headers.get('Access-Control-Allow-Origin', 'MISSING')}")
+    print(f"    Access-Control-Allow-Credentials: {headers.get('Access-Control-Allow-Credentials', 'MISSING')}")
+
+    # 3. Login
+    print(f"\n[3] POST /auth/login (password: {PASSWORD})")
+    status, headers, body, cookies = make_request(
+        f"{BASE_URL}/auth/login",
+        method="POST",
+        data={"password": PASSWORD},
+        headers={"Origin": "http://192.168.178.43:8080"},
+    )
+    print(f"    Status: {status}")
+    print(f"    Response: {body}")
+    print(f"    Set-Cookie headers: {cookies}")
+
+    session_cookie = extract_cookie_value(cookies, "bangui_session")
+    if session_cookie:
+        print(f"    Extracted session cookie: {session_cookie[:50]}...")
+    else:
+        print("    WARNING: No bangui_session cookie received!")
+
+    # 4. Validate session with cookie
+    print("\n[4] GET /auth/session (with cookie)")
+    if session_cookie:
+        status, headers, body, _ = make_request(
+            f"{BASE_URL}/auth/session",
+            cookie=session_cookie,
+            headers={"Origin": "http://192.168.178.43:8080"},
+        )
+        print(f"    Status: {status}")
+        print(f"    Response: {body}")
+    else:
+        print("    SKIPPED (no cookie from login)")
+
+    # 5. Validate session WITHOUT cookie (should be 401)
+    print("\n[5] GET /auth/session (without cookie)")
+    status, headers, body, _ = make_request(f"{BASE_URL}/auth/session")
+    print(f"    Status: {status}")
+    print(f"    Response: {body}")
+
+    # 6. Check backend settings (if available via /setup or other endpoint)
+    print("\n[6] GET /setup (check if setup is complete)")
+    status, headers, body, _ = make_request(f"{BASE_URL}/setup")
+    print(f"    Status: {status}")
+    print(f"    Response: {body[:200]}")
+
+    print("\n" + "=" * 60)
+    print("DIAGNOSIS SUMMARY")
+    print("=" * 60)
+
+    if session_cookie and "Secure" in str(cookies):
+        print("\n  PROBLEM FOUND: Session cookie has 'Secure' flag set,")
+        print("  but you are accessing over HTTP (not HTTPS).")
+        print("  Browsers will NOT send Secure cookies over HTTP!")
+        print("\n  FIX: Set SESSION_COOKIE_SECURE=false in your backend .env")
+        print("       and restart the backend.")
+
+    if not session_cookie and status == 401:
+        print("\n  PROBLEM FOUND: Login succeeded but no session cookie was set.")
+        print("  This usually means the cookie is being rejected by the browser")
+        print("  due to Secure flag on HTTP, or SameSite restrictions.")
+
+    print("\n  If CORS Access-Control-Allow-Origin is missing or wrong,")
+    print("  add your frontend origin to CORS_ALLOWED_ORIGINS in .env")
+    print("=" * 60)
+
+
+if __name__ == "__main__":
+    main()