Fix login to local admin panel without need to set KHOJ_DEBUG

Issue introduced in commit 5a3c7b1.

Usage of KHOJ_DOMAIN
---
KHOJ_DOMAIN is tri-state for local, official and other production deployments:
- If KHOJ_DOMAIN is unset (for local):
  - sets CSRF cookie to localhost
  - adds khoj.dev variants to ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS
  - adds app.khoj.dev variants to CORS origins
- If KHOJ_DOMAIN is set to empty (for official):
  - sets CSRF to khoj.dev
  - adds khoj.dev variants to ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS
  - adds app.khoj.dev variants to CORS origins
- If KHOJ_DOMAIN is set (for other prod deployments):
  - sets CSRF cookie to KHOJ_DOMAIN
  - adds KHOJ_DOMAIN variants to ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS
  - adds KHOJ_DOMAIN variants to CORS origins

Related #1137, #1152

Resolves #1123

src/khoj/app/settings.py

@@ -17,7 +17,7 @@ from pathlib import Path
 
 from django.templatetags.static import static
 
-from khoj.utils.helpers import in_debug_mode, is_env_var_true
+from khoj.utils.helpers import is_env_var_true
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -29,11 +29,8 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = os.getenv("KHOJ_DJANGO_SECRET_KEY", "!secret")
 
-# SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = in_debug_mode()
-
 # All Subdomains of KHOJ_DOMAIN are trusted
-KHOJ_DOMAIN = os.getenv("KHOJ_DOMAIN", "khoj.dev")
+KHOJ_DOMAIN = os.getenv("KHOJ_DOMAIN") or "khoj.dev"
 KHOJ_ALLOWED_DOMAIN = os.getenv("KHOJ_ALLOWED_DOMAIN", KHOJ_DOMAIN)
 ALLOWED_HOSTS = [f".{KHOJ_ALLOWED_DOMAIN}", "localhost", "127.0.0.1", "[::1]", f"{KHOJ_ALLOWED_DOMAIN}"]
 
@@ -47,8 +44,12 @@ CSRF_TRUSTED_ORIGINS = [
 
 DISABLE_HTTPS = is_env_var_true("KHOJ_NO_HTTPS")
 
-COOKIE_SAMESITE = "None"
-if DEBUG and os.getenv("KHOJ_DOMAIN") == None:
+# KHOJ_DOMAIN is tri-state.
+# - Unset it for local deployments.
+# - Set it to empty for official production deployment.
+# - Set it to custom domain for other production deployments.
+# WARNING: Change this check only if you know what you are doing.
+if os.getenv("KHOJ_DOMAIN") == None:
     SESSION_COOKIE_DOMAIN = "localhost"
     CSRF_COOKIE_DOMAIN = "localhost"
 else:
@@ -58,6 +59,7 @@ else:
     if not DISABLE_HTTPS:
         SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
+COOKIE_SAMESITE = "None"
 if DISABLE_HTTPS:
     SESSION_COOKIE_SECURE = False
     CSRF_COOKIE_SECURE = False

src/khoj/main.py

@@ -66,7 +66,7 @@ else:
 django_app = get_asgi_application()
 
 # Add CORS middleware
-KHOJ_DOMAIN = os.getenv("KHOJ_DOMAIN", "app.khoj.dev")
+KHOJ_DOMAIN = os.getenv("KHOJ_DOMAIN") or "app.khoj.dev"
 scheme = "https" if not is_env_var_true("KHOJ_NO_HTTPS") else "http"
 custom_origins = [f"{scheme}://{KHOJ_DOMAIN.strip()}", f"{scheme}://{KHOJ_DOMAIN.strip()}:*"]
 default_origins = [