fix(auth): warn at startup when Secure cookies will break plain-HTTP LAN login

NODE_ENV=production enables the Secure flag on session cookies. Browsers
silently drop Secure cookies over plain HTTP, causing login to fail with
no visible error when HOST=0.0.0.0 is used on a LAN without HTTPS.

- Add startup warning in server-entry.js when non-loopback host +
  production + COOKIE_SECURE not explicitly disabled
- Document COOKIE_SECURE=0 in .env.example alongside the existing =1 case
- Add COOKIE_SECURE entry to README env-vars table

Closes #149

Worked with Interstellar Code

(cherry picked from commit d88d899481871f2d9ac5d01f5c318f668d1e6873)
This commit is contained in:
Rohit Sharma
2026-04-30 08:25:13 +02:00
committed by Aurora release bot
parent 573e7cb83c
commit 6ed37d2d9a
3 changed files with 22 additions and 1 deletions

View File

@@ -565,6 +565,7 @@ Features pending cloud infrastructure:
- `CLAUDE_PASSWORD` — required whenever `HOST ≠ 127.0.0.1`
- `COOKIE_SECURE=1` — force the `Secure` cookie flag when terminating HTTPS at a proxy
- `COOKIE_SECURE=0` — disable the `Secure` flag for plain-HTTP LAN deployments (`HOST=0.0.0.0` without HTTPS); without this, browsers silently drop session cookies and login fails (#149)
- `TRUST_PROXY=1` — trust `x-forwarded-for` / `x-real-ip` (only set behind a sanitizing reverse proxy)
- `HERMES_DASHBOARD_TOKEN` — explicit bearer for dashboard API (preferred over the legacy HTML-scrape fallback)
- `CLAUDE_ALLOW_INSECURE_REMOTE=1` — bypass the fail-closed guard (not recommended)