From 2495423790b436a1d866dc19e4c20e2690f43cb1 Mon Sep 17 00:00:00 2001
From: kitos
Date: Tue, 19 May 2026 09:28:39 +0200
Subject: [PATCH] fix(auth,frontend): secure cookie HTTP fix, technique links y
CSP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- auth: desacopla SECURE_COOKIES de AEGIS_ENV para que el login
funcione sobre HTTP (SECURE_COOKIES=false en servidor local)
- TechniqueCell: button -> Link para href real (right-click, a11y)
- TechniquesPage: añade Link en celda MITRE ID en vista lista
- nginx CSP: amplía connect-src con ws:/wss: para evitar bloqueos
Co-Authored-By: Claude Sonnet 4.6
---
backend/app/routers/auth.py | 11 ++++++++++-
frontend/nginx.conf | 2 +-
frontend/src/components/TechniqueCell.tsx | 15 +++++----------
frontend/src/pages/TechniquesPage.tsx | 10 ++++++++--
4 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index b17584a..b349ebf 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -34,7 +34,16 @@ from app.schemas.user import PasswordChange
router = APIRouter(prefix="/auth", tags=["auth"])
-_IS_HTTPS = os.environ.get("AEGIS_ENV", "").lower() == "production"
+# SECURE_COOKIES desacopla la seguridad de la cookie del entorno de ejecucion.
+# Por defecto activo en produccion; ponlo en "false" para servidores HTTP.
+_aegis_env = os.environ.get("AEGIS_ENV", "development").lower()
+_secure_cookie_env = os.environ.get("SECURE_COOKIES", "auto").lower()
+if _secure_cookie_env == "false":
+ _IS_HTTPS = False
+elif _secure_cookie_env == "true":
+ _IS_HTTPS = True
+else: # "auto" — activo solo si AEGIS_ENV=production
+ _IS_HTTPS = _aegis_env == "production"
_COOKIE_NAME = "aegis_token"
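Review bot: An unrecognised SECURE_COOKIES value (`0`, `off`, `yes`, a value with trailing whitespace) silently lands in the `auto` branch, and `SECURE_COOKIES=false` combined with `AEGIS_ENV=production` leaves no trace at all, so a misconfigured production host would issue `aegis_token` without the Secure attribute and nobody would notice. I would reject anything outside `auto|true|false` at import time and log a warning when the flag is forced off while AEGIS_ENV is production. The name `_IS_HTTPS` is now misleading because the value no longer reflects the transport; `_SECURE_COOKIE` reads better, but its other uses are outside this hunk. The module's logger is not visible here; if there is none, the warning below needs a `logging` import at the top of the file.
```python
_aegis_env = os.environ.get("AEGIS_ENV", "development").lower()
_secure_cookie_env = os.environ.get("SECURE_COOKIES", "auto").lower()
if _secure_cookie_env not in ("auto", "true", "false"):
    raise RuntimeError(f"SECURE_COOKIES must be 'auto', 'true' or 'false', got {_secure_cookie_env!r}")
# An explicit true/false wins; "auto" follows AEGIS_ENV (secure only in production).
_IS_HTTPS = (_aegis_env == "production") if _secure_cookie_env == "auto" else (_secure_cookie_env == "true")
if _aegis_env == "production" and not _IS_HTTPS:
    logging.getLogger(__name__).warning("SECURE_COOKIES=false while AEGIS_ENV=production: the session cookie will be set without the Secure attribute")
```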
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index 09124d9..872dc2d 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -14,7 +14,7 @@ server {
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# CSP: allow self + inline styles (React build) + data: URIs for fonts/images
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
# Hide Nginx version
server_tokens off;
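Review bot: `connect-src 'self' ws: wss:` on the new header line lets the page open a WebSocket to any host, which is far wider than the stated goal (unblocking the app's own socket) needs, and it also admits plaintext `ws:` to every origin. Under CSP Level 3, `'self'` already matches same-origin `ws:`/`wss:` in current browsers, so the extra sources are only required when the socket is served from another host or port; in that case name that origin, e.g. `connect-src 'self' wss://<WS_HOST_PLACEHOLDER>;` with the real host filled in, and drop `ws:` wherever TLS terminates at nginx. The CSP comment immediately above the header should also mention the WebSocket origin so the next reader knows why it is there.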
diff --git a/frontend/src/components/TechniqueCell.tsx b/frontend/src/components/TechniqueCell.tsx
index 95158c1..aa8b129 100644
--- a/frontend/src/components/TechniqueCell.tsx
+++ b/frontend/src/components/TechniqueCell.tsx
@@ -1,4 +1,4 @@
-import { useNavigate } from "react-router-dom";
+import { Link } from "react-router-dom";
import { AlertTriangle } from "lucide-react";
import type { TechniqueStatus } from "../types/models";
@@ -48,18 +48,13 @@ export default function TechniqueCell({
status,
reviewRequired = false,
}: TechniqueCellProps) {
- const navigate = useNavigate();
const colors = statusColors[status] || statusColors.not_evaluated;
- const handleClick = () => {
- navigate(`/techniques/${mitreId}`);
- };
-
return (
-
-
+
);
}
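Review bot: The body of the `return (...)` in this hunk survives only as bare `-`/`+` lines, so the `<Link>` that replaces the button — its `to` value, whether the `reviewRequired` warning icon is kept, and how `colors` is applied — cannot be reviewed from this patch; I assume it targets the same `/techniques/${mitreId}` path the removed `navigate` call used, and that should be confirmed. A one-line comment above the `return`, such as `// Real anchor: technique opens in a new tab and is reachable by keyboard (see commit message)`, would record the intent. With `navigate` gone, please also confirm no other reference to `useNavigate` remains in this file, since the import swap in the first hunk removes it entirely.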
diff --git a/frontend/src/pages/TechniquesPage.tsx b/frontend/src/pages/TechniquesPage.tsx
index 60292e0..7e5d5c3 100644
--- a/frontend/src/pages/TechniquesPage.tsx
+++ b/frontend/src/pages/TechniquesPage.tsx
@@ -4,7 +4,7 @@ import { Loader2, AlertCircle, Filter, X, Grid3X3, List } from "lucide-react";
import { getTechniques, type TechniqueSummary } from "../api/techniques";
import AttackMatrix from "../components/AttackMatrix";
import type { TechniqueStatus } from "../types/models";
-import { useNavigate } from "react-router-dom";
+import { useNavigate, Link } from "react-router-dom";
const STATUS_OPTIONS: { value: TechniqueStatus | "all"; label: string; color: string }[] = [
{ value: "all", label: "All Statuses", color: "text-gray-400" },
@@ -224,7 +224,13 @@ export default function TechniquesPage() {
className="cursor-pointer border-b border-gray-800/50 hover:bg-gray-800/50 transition-colors"
>
- {tech.mitre_id}
+ e.stopPropagation()}
+ className="font-mono text-cyan-400 hover:underline"
+ >
+ {tech.mitre_id}
+
|
{tech.name} |
|