Fix 401 Unauthorized on all API calls after login (HTTP installs)

Root cause: cookie was set with Secure=true whenever NODE_ENV=production.
Browsers refuse to send Secure cookies over plain HTTP, so the session
cookie was dropped on every request after login — causing every protected
endpoint to return 401.

Fix: replace the NODE_ENV check with an explicit COOKIE_SECURE env var
(default false). Set COOKIE_SECURE=true only when running behind an HTTPS
reverse proxy. Direct HTTP installs (standard Unraid setup) work as-is.

Also updated UNRAID.md to document COOKIE_SECURE with a warning explaining
why it must stay false for plain-HTTP access.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

UNRAID.md

@@ -114,12 +114,15 @@ Click **Add another Path, Port, Variable, Label or Device** → select **Variabl
 | Admin Password | `ADMIN_PASSWORD` | `yourpassword` |
 | JWT Secret | `JWT_SECRET` | `a-long-random-string-min-32-chars` |
 | JWT Expiry | `JWT_EXPIRY` | `8h` *(optional — defaults to 8h)* |
+| Secure Cookie | `COOKIE_SECURE` | `false` *(set to `true` only if behind HTTPS reverse proxy)* |
 
 > **JWT_SECRET** should be a random string of at least 32 characters. You can generate one in the Unraid terminal:
 > ```bash
 > cat /proc/sys/kernel/random/uuid | tr -d '-' && cat /proc/sys/kernel/random/uuid | tr -d '-'
 > ```
 
+> **COOKIE_SECURE** — Leave this unset or `false` for direct HTTP access (the default for Unraid). Only set it to `true` if you are terminating HTTPS at a reverse proxy (e.g. Nginx Proxy Manager, Traefik) in front of RackMapper, otherwise login will succeed but every subsequent API call will return 401 Unauthorized because the browser will refuse to send the session cookie over plain HTTP.
+
 ---
 
 ### Step 3 — Apply
@@ -153,6 +156,7 @@ docker run -d \
   -e ADMIN_PASSWORD=yourpassword \
   -e JWT_SECRET=a-long-random-string-min-32-chars \
   -e JWT_EXPIRY=8h \
+  -e COOKIE_SECURE=false \
   rackmapper:latest
 ```