fix:[nmrxiv-app]update chart to fix CSRF issue

Author: NishaSharma14

charts/nmrxiv-app/Chart.yaml

@@ -6,7 +6,7 @@ maintainers:
     email: [email protected]
 
 type: application
-version: 1.0.3
+version: 1.2.0
 appVersion: "1.16.0"
 
 dependencies:

charts/nmrxiv-app/templates/configmap.yaml

@@ -56,8 +56,25 @@ data:
   MEMCACHED_HOST: {{ .Values.redis.memcachedHost | quote }}
   REDIS_HOST: {{ printf "%s-redis-master" .Release.Name  | quote }}
   REDIS_PORT: {{ .Values.redis.port | default 6379 | quote }}
+  {{ else }}
+  SESSION_DRIVER: {{ .Values.sessionDriver | default "database" | quote }}
+  SESSION_LIFETIME: "{{ .Values.sessionLifetime | default 120 }}"
   {{ end }}
 
+#Session Security Properties
+  SESSION_SECURE_COOKIE: "{{ .Values.session.secureCookie | default true }}"
+  SESSION_SAME_SITE: {{ .Values.session.sameSite | default "lax" | quote }}
+  SESSION_COOKIE: {{ .Values.session.cookieName | default "nmrxiv_session" | quote }}
+
+#Trusted Proxies for CSRF Protection
+  TRUSTED_PROXIES: {{ .Values.trustedProxies | default "*" | quote }}
+
+#CSRF Configuration  
+  SANCTUM_STATEFUL_DOMAINS: {{ .Values.sanctum.statefulDomains | default .Values.appProperties.url | quote }}
+
+#Force HTTPS for URL generation (important in Kubernetes with ingress)
+  FORCE_HTTPS: "{{ .Values.forceHttps | default true }}"
+
 #RabbitMQ Properties
   {{ if .Values.rabbitmq.enabled }}
   QUEUE_CONNECTION: {{ .Values.rabbitmq.queueConnection | quote }}

charts/nmrxiv-app/templates/ingress.yaml

@@ -1,14 +1,43 @@
 {{- if .Values.ingress.enabled -}}
+{{- $fullName := include "nmrxiv-app.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ include "nmrxiv-app.fullname" . }}-ingress
+  name: {{ $fullName }}
+  labels:
+    {{- include "nmrxiv-app.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
   annotations:
-    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  defaultBackend:
-    service:
-      name: {{ include "nmrxiv-app.fullname" . }}
-      port:
-        number: {{ .Values.service.port }}
+  {{- if .Values.ingress.className }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
 {{- end }}

charts/nmrxiv-app/values.yaml

@@ -101,10 +101,11 @@ service:
 ingress:
   enabled: false
   className: ""
-  annotations: {
-    # kubernetes.io/ingress.global-static-ip-name: nmrxiv-app-ip-address
-    # kubernetes.io/ingress.class: "nginx"
-  }
+  annotations:
+    # Essential for Laravel CSRF protection behind ingress
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "X-Forwarded-Proto: https";
+      more_set_headers "X-Forwarded-Port: 443";
   hosts:
     - host: chart-example.local
       paths:
@@ -242,6 +243,26 @@ redis:
   sessionLifetime: 120
   memcachedHost: memcached
 
+# Session configuration for Laravel when Redis is disabled
+sessionDriver: database
+sessionLifetime: 120
+
+# Session security settings (critical for HTTPS deployments)
+session:
+  secureCookie: true
+  sameSite: lax
+  cookieName: nmrxiv_session
+
+# Trusted proxies configuration (required for proper CSRF handling behind ingress/load balancer)
+trustedProxies: "*"
+
+# Sanctum configuration for API authentication
+sanctum:
+  statefulDomains: ""  # Will default to APP_URL if not set
+
+# Force HTTPS URLs (important for Kubernetes deployments with HTTPS ingress)
+forceHttps: true
+
 rabbitmq: 
   enabled: false
   queueConnection: sync