From 7d13e8e345996a1c24b339576f47b088fef55f24 Mon Sep 17 00:00:00 2001 From: riyadhafraa <49757212-riyadhafraa@users.noreply.replit.com> Date: Fri, 15 May 2026 10:33:29 +0000 Subject: [PATCH] deployment: harden self-hosted install behind HTTPS reverse proxies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Task #538. Fixes the four bugs that bit the user's first Tailscale-fronted install of Tx OS on their Mac: 1. Missing `user_sessions` table on fresh installs — `connect-pg-simple` now uses `createTableIfMissing: true`. Drizzle migrations still skip the table (`tablesFilter: ["!user_sessions"]`), so ownership stays with the session store. 2. Session cookie silently dropped behind HTTPS proxies that don't forward `X-Forwarded-Proto` (Tailscale serve, ngrok free, some Cloudflare Tunnels). New `TRUST_PROXY_HTTPS=true` env var injects the header before pino + session middleware, and `cookie.secure` is now derived from `PUBLIC_BASE_URL.startsWith("https://") || trustProxyHttps` instead of `NODE_ENV`. 3. `ALLOWED_ORIGINS` was undocumented for non-localhost URLs — added examples (LAN IP, Tailscale name, custom domain) in `.env.example`, `.env.docker.example`, `README.md`, plus a new "Reverse proxy / Tailscale / external URL" README section. 4. Demo executive meetings always seeded on real installs — gated behind `SEED_DEMO_MEETINGS=true` (default off), wired through `docker-compose.yml` to the migrate service. Architect (code review) approved; added a security note clarifying that `TRUST_PROXY_HTTPS=true` requires the API to be unreachable directly over plain HTTP. The git commit + push to Gitea is delegated to a follow-up task because main-agent sandbox blocks `git commit` / branch creation.