fix docker auth

.gitignore

@@ -7,4 +7,5 @@ out/
 medialore.db
 medialore.db-shm
 medialore.db-wal
-tsconfig.tsbuildinfo
+tsconfig.tsbuildinfo
+.session_secret

docker-compose.yml

@@ -6,13 +6,18 @@ services:
     environment:
       PORT: 3000
       NODE_ENV: production
+      # CONFIG_PATH points db.ts and secret.ts at the config volume so medialore.db
+      # and .session_secret are created as files inside an existing directory mount.
+      # Without this Docker will create ./medialore.db on the host as an empty directory,
+      # which causes better-sqlite3 to fail with SQLITE_CANTOPEN.
+      CONFIG_PATH: /config
+      # Set to "true" only when serving over HTTPS (e.g. behind a TLS reverse proxy).
+      # Keeping this "false" allows the session cookie to be sent over plain HTTP.
+      COOKIE_SECURE: "false"
     volumes:
-      # Runtime data — must map to /app/ since process.cwd() = /app in the container
-      - ./medialore.db:/app/medialore.db
       - ./.thumbnails:/app/.thumbnails
-      # Library config — mounted as a directory so the atomic rename in the API works.
+      # Library config, database, and session secret — all in one directory volume.
-      # A single-file bind-mount causes EBUSY on rename() because .tmp and the target
+      # Initialize before first run:
-      # end up on different devices. Initialize before first run:
       #   mkdir -p config && echo '[]' > config/libraries.json
       - ./config:/config
 

src/lib/auth.ts

@@ -17,7 +17,7 @@ export function getSessionOptions(): SessionOptions {
     cookieName: 'ml_session',
     ttl: 60 * 60 * 24 * 30, // 30 days
     cookieOptions: {
-      secure: process.env.NODE_ENV === 'production',
+      secure: process.env.COOKIE_SECURE === 'true',
       httpOnly: true,
       sameSite: 'lax',
     },