Refactor authentication handling and improve API client security

- Updated OAuth endpoints for Challonge and Discord in platforms configuration. - Implemented session and CSRF cookie initialization in main application entry. - Enhanced Challonge API client to avoid sending sensitive API keys from the browser. - Modified tournament querying to handle new state definitions and improved error handling. - Updated UI components to reflect server-side storage of authentication tokens. - Improved user experience in API Key Manager and Authentication Hub with clearer messaging. - Refactored client credentials management to support asynchronous operations. - Adjusted API client tests to validate new request configurations. - Updated Vite configuration to support session and CSRF handling through proxies.
2026-02-03 12:50:11 -05:00
parent 161b758a1b
commit 700c1cbbbe
39 changed files with 2434 additions and 999 deletions
--- a/code/websites/pokedex.online/nginx.conf
+++ b/code/websites/pokedex.online/nginx.conf
@@ -65,43 +65,6 @@ server {
        proxy_buffers 8 4k;
    }

-    # Proxy Challonge API requests to avoid CORS
-    location /api/challonge/ {
-        # Remove /api/challonge prefix and forward to Challonge API
-        rewrite ^/api/challonge/(.*) /$1 break;
-        
-        proxy_pass https://api.challonge.com;
-        proxy_ssl_server_name on;
-        proxy_ssl_protocols TLSv1.2 TLSv1.3;
-        
-        # Proxy headers
-        proxy_set_header Host api.challonge.com;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        
-        # CORS headers for browser requests
-        add_header Access-Control-Allow-Origin $http_origin always;
-        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
-        add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept" always;
-        add_header Access-Control-Allow-Credentials "true" always;
-        
-        # Handle preflight OPTIONS requests
-        if ($request_method = OPTIONS) {
-            add_header Access-Control-Allow-Origin $http_origin always;
-            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
-            add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept" always;
-            add_header Access-Control-Max-Age 86400;
-            add_header Content-Length 0;
-            return 204;
-        }
-        
-        # Timeout settings
-        proxy_connect_timeout 10s;
-        proxy_send_timeout 30s;
-        proxy_read_timeout 30s;
-    }
-
    # Health check endpoint
    location /health {
        access_log off;