fix(auth): harden session lifecycle, reset links, and OIDC logging

- Fix session store expiry: cookie.maxAge is already in milliseconds, so
  stored sessions outlived the cookie by 1000x
- Regenerate the session ID on login, first-run setup, and OIDC login to
  prevent session fixation
- Mark session cookies Secure on TLS connections (secure: 'auto') and add
  TRUST_PROXY support for reverse-proxy deployments
- Build password reset links from APP_BASE_URL instead of the Host header
  to prevent reset-link poisoning
- Rate-limit forgot-password requests (5 per IP per 15 minutes)
- Strip OIDC debug logging that leaked authorization codes, subject IDs,
  and emails to logs
2026-06-11 21:54:35 -06:00
parent 427b064af1
commit 3fd3285c13
6 changed files with 109 additions and 84 deletions
+9 -1
@@ -27,12 +27,20 @@ const SESSION_SECRET = process.env.SESSION_SECRET;
const SESSION_MAX_AGE_MS = (parseInt(process.env.SESSION_MAX_AGE_HOURS, 10) || 168) * 60 * 60 * 1000;
// Behind a reverse proxy (TLS termination), set TRUST_PROXY=1 so req.ip and
// req.protocol reflect the original client instead of the proxy.
if (process.env.TRUST_PROXY === '1' || process.env.TRUST_PROXY === 'true') {
app.set('trust proxy', 1);
}
app.use(session({
store: new SessionStore(db),
secret: SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: { httpOnly: true, sameSite: 'strict', maxAge: SESSION_MAX_AGE_MS },
// secure: 'auto' marks the cookie Secure only on TLS connections, so plain-HTTP
// LAN deployments keep working while proxied HTTPS deployments get Secure cookies
cookie: { httpOnly: true, sameSite: 'strict', secure: 'auto', maxAge: SESSION_MAX_AGE_MS },
}));
// Security headers