Caddy sets X-Forwarded-Proto: https on all routes, making SvelteKit
think the request is HTTPS. The session cookie got the Secure flag,
but the browser on http://100.81.174.129 won't send Secure cookies
over plain HTTP. Now checks the actual Origin header to determine
if the connection is truly HTTPS.
Tor works because .onion is treated as a secure context by Tor Browser.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Users and sessions tables (Argon2 password hashing, SHA-256 session tokens)
- Server hooks validate session cookie on every request
- (app) routes redirect to /login if not authenticated
- Login page with email/password, styled matching budget app
- Logout via POST form action (invalidates session)
- User display name and sign out button in header
- create-user CLI script: npm run create-user <email> <password> [name]
- 30-day sessions with auto-refresh after 15 days
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
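Added example, not the project's own code, illustrating both commits above: deciding the session cookie's Secure flag from the browser's Origin header rather than from a proxy-supplied X-Forwarded-Proto (first commit), and the 30-day session with refresh after 15 days validated in the server hook (second commit). Function names (isHttpsOrigin, sessionCookieOptions, serializeCookie, sessionRefresh, validateSession), the in-memory Map standing in for the sessions table, and the choice to withhold Secure when no Origin header is present are assumptions. The project hashes tokens with SHA-256 before lookup; that step is left out here so the block runs without node:crypto.

```javascript
// Added example (not the project's code). Assumed names throughout.
const DAY_MS = 24 * 60 * 60 * 1000;
const SESSION_TTL_MS = 30 * DAY_MS;   // 30-day sessions
const REFRESH_WINDOW_MS = 15 * DAY_MS; // extend once fewer than 15 days remain

// Read a header from either a Fetch Headers object or a plain lower-case-keyed object.
function header(headers, name) {
  return typeof headers.get === 'function' ? headers.get(name) : headers[name] ?? null;
}

// The browser builds Origin from the page's real URL, so its scheme reflects the
// transport the browser actually used. X-Forwarded-Proto is whatever the proxy
// chose to send; a Caddy route that sets it to "https" unconditionally makes a
// plain-HTTP listener look like TLS. Origin is present on POSTs (form actions)
// and cross-origin requests but absent on top-level GET navigations, so decide
// the flag where the cookie is set, i.e. in the login action.
function isHttpsOrigin(headers) {
  const origin = header(headers, 'origin');
  if (!origin) return false;           // assumption: no Origin, no Secure flag
  try {
    return new URL(origin).protocol === 'https:'; // "null" and junk fail to parse
  } catch {
    return false;
  }
}

// Options in the shape event.cookies.set(name, value, opts) accepts in SvelteKit.
function sessionCookieOptions(headers) {
  return {
    path: '/',
    httpOnly: true,
    sameSite: 'lax',
    secure: isHttpsOrigin(headers),
    maxAge: SESSION_TTL_MS / 1000,
  };
}

// Stand-alone Set-Cookie serializer so the effect of `secure` is visible.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path}`, `Max-Age=${opts.maxAge}`];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  return parts.join('; ');
}

// Sliding expiry: expired if past expiresAt; refreshed to a fresh 30 days once
// fewer than 15 days remain (i.e. the session is more than 15 days old).
function sessionRefresh(session, now = Date.now()) {
  if (now >= session.expiresAt) return { status: 'expired' };
  if (session.expiresAt - now < REFRESH_WINDOW_MS) {
    return { status: 'refreshed', expiresAt: now + SESSION_TTL_MS };
  }
  return { status: 'valid', expiresAt: session.expiresAt };
}

// What the server hook does per request. `store` is a Map keyed by token
// (assumption: the real table is keyed by the SHA-256 of the token).
function validateSession(store, token, now = Date.now()) {
  const session = store.get(token);
  if (!session) return null;
  const result = sessionRefresh(session, now);
  if (result.status === 'expired') {
    store.delete(token);                // drop stale rows instead of keeping them
    return null;
  }
  if (result.status === 'refreshed') session.expiresAt = result.expiresAt;
  return { userId: session.userId, expiresAt: session.expiresAt, refreshed: result.status === 'refreshed' };
}

// Logout: the POST action deletes the row, so the cookie value stops validating.
function invalidateSession(store, token) {
  return store.delete(token);
}

module.exports = { DAY_MS, SESSION_TTL_MS, isHttpsOrigin, sessionCookieOptions, serializeCookie, sessionRefresh, validateSession, invalidateSession };
```

If the Caddyfile sets X-Forwarded-Proto explicitly with header_up, removing that override and letting reverse_proxy fill it from the real request scheme is the more usual fix; the Origin check above is a defence that works even when the proxy is wrong. Over Tor the Origin is http://…onion, so the flag stays off there too, which is harmless because Tor Browser treats .onion as a secure context.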