Bug Fixes
- Fixed login redirect loop on HTTP connections - Session cookie was incorrectly set with
Secureflag whenAPP_ENV=production, which broke authentication when accessing the app via HTTP (e.g., on local network by IP address). Now theSecureflag is set based on actual connection protocol.
Technical Details
- Added
isSecureConnection()helper that checks:X-Forwarded-Protoheader (for reverse proxy setups)- Direct connection protocol
- This ensures cookies work correctly on both HTTP (local network) and HTTPS (behind reverse proxy) setups.
Fixes #1