fixed

lib/auth.ts

@@ -17,6 +17,10 @@ function getAuthSecret() {
   return process.env.AUTH_SECRET || "dev-insecure-auth-secret";
 }
 
+function useSecureCookies() {
+  return process.env.AUTH_SECURE_COOKIES === "true";
+}
+
 function hashPassword(password: string) {
   const salt = crypto.randomBytes(16).toString("hex");
   const hash = crypto.scryptSync(password, salt, 64).toString("hex");
@@ -105,7 +109,7 @@ export async function createSession(user: { id: number; email: string; role: str
   cookieStore.set(SESSION_COOKIE, encodeSession(payload), {
     httpOnly: true,
     sameSite: "lax",
-    secure: process.env.NODE_ENV === "production",
+    secure: useSecureCookies(),
     path: "/",
     maxAge: SESSION_TTL_SECONDS
   });