From 70ab3faf62626229e1df6adec832ad483ca8a539 Mon Sep 17 00:00:00 2001
From: Emily Moir <emi@emimoir.com>
Date: Sat, 11 Apr 2026 16:14:25 +0200
Subject: [PATCH] fix: set cookie secure flag to false in dev config

The dev config uses http://localhost:8080 (plain HTTP), but both session
cookies had secure: true, which tells browsers to only send cookies over
HTTPS. This caused a sign-in loop where authentication succeeded but the
browser dropped the cookie, redirecting back to login. This change sets
secure: false for both cookie configurations in the dev config only.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Emily Moir <emi@emimoir.com>
---
 cfg/dev.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cfg/dev.yaml b/cfg/dev.yaml
index 8a38d6ef9..b3f13530e 100644
--- a/cfg/dev.yaml
+++ b/cfg/dev.yaml
@@ -40,7 +40,7 @@ probod:
       domain: "localhost"
       secret: "this-is-a-secure-secret-for-cookie-signing-at-least-32-bytes"
       duration: 24
-      secure: true
+      secure: false
     password:
       pepper: "this-is-a-secure-pepper-for-password-hashing-at-least-32-bytes"
       iterations: 1000000