jason
69b7262535
Root cause: cookie was set with Secure=true whenever NODE_ENV=production. Browsers refuse to send Secure cookies over plain HTTP, so the session cookie was dropped on every request after login — causing every protected endpoint to return 401. Fix: replace the NODE_ENV check with an explicit COOKIE_SECURE env var (default false). Set COOKIE_SECURE=true only when running behind an HTTPS reverse proxy. Direct HTTP installs (standard Unraid setup) work as-is. Also updated UNRAID.md to document COOKIE_SECURE with a warning explaining why it must stay false for plain-HTTP access. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>