@openparachute/hub 0.5.10-rc.5 → 0.5.10-rc.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openparachute/hub",
-  "version": "0.5.10-rc.5",
+  "version": "0.5.10-rc.6",
   "description": "parachute — the local hub for the Parachute ecosystem (discovery, ports, lifecycle, soon OAuth).",
   "license": "AGPL-3.0",
   "publishConfig": {

package/src/__tests__/csrf.test.ts

@@ -29,7 +29,7 @@ describe("generateCsrfToken", () => {
 });
 
 describe("buildCsrfCookie", () => {
-  test("emits the expected attributes", () => {
+  test("emits the expected attributes (default secure)", () => {
     const v = buildCsrfCookie("abc");
     expect(v).toContain(`${CSRF_COOKIE_NAME}=abc`);
     expect(v).toContain("HttpOnly");
@@ -38,6 +38,19 @@ describe("buildCsrfCookie", () => {
     expect(v).toContain("Path=/");
     expect(v).toContain("Max-Age=");
   });
+
+  test("omits Secure when secure: false (HTTP localhost)", () => {
+    const v = buildCsrfCookie("abc", { secure: false });
+    expect(v).toContain(`${CSRF_COOKIE_NAME}=abc`);
+    expect(v).toContain("HttpOnly");
+    expect(v).not.toContain("Secure");
+    expect(v).toContain("SameSite=Lax");
+  });
+
+  test("keeps Secure when secure: true (explicit)", () => {
+    const v = buildCsrfCookie("abc", { secure: true });
+    expect(v).toContain("Secure");
+  });
 });
 
 describe("parseCsrfCookie", () => {
@@ -71,6 +84,32 @@ describe("ensureCsrfToken", () => {
     expect(result.token.length).toBeGreaterThan(0);
     expect(result.setCookie).toBeDefined();
   });
+
+  // Bug 1 (rc.5 → rc.6) regression: cookies minted over plain HTTP must
+  // NOT carry the Secure attribute or browsers silently drop them on
+  // http://localhost:1939, breaking the very next double-submit POST.
+  test("sets Secure when the request URL is https://", () => {
+    const req = new Request("https://hub.example/admin/setup");
+    const result = ensureCsrfToken(req);
+    expect(result.setCookie).toContain("Secure");
+  });
+
+  test("omits Secure when the request URL is http://localhost", () => {
+    const req = new Request("http://localhost:1939/admin/setup");
+    const result = ensureCsrfToken(req);
+    expect(result.setCookie).not.toContain("Secure");
+    // The rest of the cookie shape stays intact — only Secure flips.
+    expect(result.setCookie).toContain("HttpOnly");
+    expect(result.setCookie).toContain("SameSite=Lax");
+  });
+
+  test("sets Secure when http:// request carries X-Forwarded-Proto: https", () => {
+    const req = new Request("http://hub.internal/admin/setup", {
+      headers: { "x-forwarded-proto": "https" },
+    });
+    const result = ensureCsrfToken(req);
+    expect(result.setCookie).toContain("Secure");
+  });
 });
 
 describe("verifyCsrfToken", () => {

package/src/__tests__/hub-server.test.ts

@@ -74,10 +74,16 @@ describe("hubFetch routing", () => {
     // The dynamic path takes over from the static disk file the moment a
     // DB is configured. With no session cookie, we still render — just
     // with the "Sign in" affordance.
+    //
+    // hub#259 rc.6: requires an admin row to bypass the fresh-hub
+    // funnel redirect to /admin/setup (Bug 2 fix). Seed one so this
+    // test continues to exercise the signed-out-but-setup-done branch.
     const h = makeHarness();
     try {
       const db = openHubDb(hubDbPath(h.dir));
       try {
+        const { createUser } = await import("../users.ts");
+        await createUser(db, "owner", "pw");
         const res = await hubFetch(h.dir, { getDb: () => db })(req("/"));
         expect(res.status).toBe(200);
         expect(res.headers.get("content-type")).toBe("text/html; charset=utf-8");
@@ -1083,7 +1089,7 @@ describe("hubFetch routing", () => {
     }
   });
 
-  test("pre-admin lockout: /login is gated, /admin/setup + /health + well-known stay open", async () => {
+  test("pre-admin lockout: /login is gated, /admin/setup + /health + well-known stay open, / funnels to /admin/setup", async () => {
     const h = makeHarness();
     try {
       writeFileSync(join(h.dir, "hub.html"), "<html>discovery</html>");
@@ -1100,9 +1106,11 @@ describe("hubFetch routing", () => {
         // /health open
         const healthRes = await handler(req("/health"));
         expect(healthRes.status).toBe(200);
-        // / open
+        // / funnels to the wizard (hub#259 rc.6 fix for Bug 2 — the
+        // static portal pre-setup is useless; redirect to setup).
         const rootRes = await handler(req("/"));
-        expect(rootRes.status).toBe(200);
+        expect(rootRes.status).toBe(302);
+        expect(rootRes.headers.get("location")).toBe("/admin/setup");
         // /.well-known/parachute.json open
         const wkRes = await handler(req("/.well-known/parachute.json"));
         expect(wkRes.status).toBe(200);

package/src/__tests__/request-protocol.test.ts

@@ -0,0 +1,54 @@
+/**
+ * `isHttpsRequest` is the single signal cookie-mint helpers use to
+ * decide whether to set the `Secure` attribute. Wrong answer here
+ * causes browsers to silently drop cookies on HTTP localhost (Bug 1
+ * from the rc.5 fresh-machine test) OR mint Secure-less cookies behind
+ * a TLS-terminating reverse proxy (the opposite failure mode).
+ *
+ * Three signals tested, in priority order: direct URL scheme,
+ * X-Forwarded-Proto header, plain HTTP default.
+ */
+import { describe, expect, test } from "bun:test";
+import { isHttpsRequest } from "../request-protocol.ts";
+
+describe("isHttpsRequest", () => {
+  test("returns true for https:// request URL", () => {
+    expect(isHttpsRequest(new Request("https://hub.example/x"))).toBe(true);
+  });
+
+  test("returns false for http:// request URL", () => {
+    expect(isHttpsRequest(new Request("http://localhost:1939/x"))).toBe(false);
+  });
+
+  test("returns true when X-Forwarded-Proto: https on an http:// request", () => {
+    const req = new Request("http://hub.internal/x", {
+      headers: { "x-forwarded-proto": "https" },
+    });
+    expect(isHttpsRequest(req)).toBe(true);
+  });
+
+  test("returns false when X-Forwarded-Proto: http", () => {
+    const req = new Request("http://hub.internal/x", {
+      headers: { "x-forwarded-proto": "http" },
+    });
+    expect(isHttpsRequest(req)).toBe(false);
+  });
+
+  test("tolerates uppercase / whitespace / list shape in X-Forwarded-Proto", () => {
+    // Some proxies emit `https,http` (chain of two hops) or " HTTPS "
+    // with whitespace. The first token is what we honor.
+    expect(
+      isHttpsRequest(new Request("http://hub/x", { headers: { "x-forwarded-proto": " HTTPS " } })),
+    ).toBe(true);
+    expect(
+      isHttpsRequest(
+        new Request("http://hub/x", { headers: { "x-forwarded-proto": "https,http" } }),
+      ),
+    ).toBe(true);
+    expect(
+      isHttpsRequest(
+        new Request("http://hub/x", { headers: { "x-forwarded-proto": "http,https" } }),
+      ),
+    ).toBe(false);
+  });
+});

package/src/__tests__/sessions.test.ts

@@ -81,7 +81,7 @@ describe("deleteSession", () => {
 });
 
 describe("buildSessionCookie", () => {
-  test("emits the expected attributes", () => {
+  test("emits the expected attributes (default secure)", () => {
     const v = buildSessionCookie("abc", 86400);
     expect(v).toContain(`${SESSION_COOKIE_NAME}=abc`);
     expect(v).toContain("HttpOnly");
@@ -91,16 +91,39 @@ describe("buildSessionCookie", () => {
     expect(v).not.toContain("Path=/oauth");
     expect(v).toContain("Max-Age=86400");
   });
+
+  // Bug 1 (rc.5 → rc.6) regression: session cookies minted over plain
+  // HTTP must NOT carry Secure or browsers drop them, leaving the
+  // operator un-signed-in on the very next request.
+  test("omits Secure when secure: false (HTTP localhost)", () => {
+    const v = buildSessionCookie("abc", 86400, { secure: false });
+    expect(v).toContain(`${SESSION_COOKIE_NAME}=abc`);
+    expect(v).toContain("HttpOnly");
+    expect(v).not.toContain("Secure");
+    expect(v).toContain("SameSite=Lax");
+  });
+
+  test("keeps Secure when secure: true (explicit)", () => {
+    const v = buildSessionCookie("abc", 86400, { secure: true });
+    expect(v).toContain("Secure");
+  });
 });
 
 describe("buildSessionClearCookie", () => {
-  test("emits Max-Age=0", () => {
+  test("emits Max-Age=0 (default secure)", () => {
     const v = buildSessionClearCookie();
     expect(v).toContain(`${SESSION_COOKIE_NAME}=`);
     expect(v).toContain("Max-Age=0");
+    expect(v).toContain("Secure");
     expect(v).toContain("Path=/");
     expect(v).not.toContain("Path=/oauth");
   });
+
+  test("omits Secure when secure: false (HTTP localhost)", () => {
+    const v = buildSessionClearCookie({ secure: false });
+    expect(v).not.toContain("Secure");
+    expect(v).toContain("Max-Age=0");
+  });
 });
 
 describe("parseSessionCookie", () => {

package/src/__tests__/setup-gate.test.ts

@@ -130,12 +130,28 @@ describe("setup gate (no admin yet)", () => {
     }
   });
 
-  test("/ passes through the gate (renders discovery page)", async () => {
+  // Bug 2 (rc.5 → rc.6) regression: on a fresh hub, GET `/` should
+  // funnel straight to the wizard rather than render the static
+  // portal — the operator otherwise has to manually navigate to
+  // `/admin/setup`. The portal pre-setup carries no usable signal
+  // (no installed services to discover, no admin to sign in as).
+  test("/ 302s to /admin/setup when no admin exists (fresh-hub funnel)", async () => {
     const db = openHubDb(hubDbPath(h.dir));
     try {
       const res = await hubFetch(h.dir, { getDb: () => db })(req("/"));
-      expect(res.status).toBe(200);
-      expect(res.headers.get("content-type")).toContain("text/html");
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin/setup");
+    } finally {
+      db.close();
+    }
+  });
+
+  test("/hub.html 302s to /admin/setup when no admin exists", async () => {
+    const db = openHubDb(hubDbPath(h.dir));
+    try {
+      const res = await hubFetch(h.dir, { getDb: () => db })(req("/hub.html"));
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe("/admin/setup");
     } finally {
       db.close();
     }

package/src/admin-handlers.ts

@@ -14,6 +14,7 @@ import type { Database } from "bun:sqlite";
 import { renderAdminError, renderAdminLogin } from "./admin-login-ui.ts";
 import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
 import { checkAndRecord, clientIpFromRequest } from "./rate-limit.ts";
+import { isHttpsRequest } from "./request-protocol.ts";
 import {
   SESSION_TTL_MS,
   buildSessionClearCookie,
@@ -124,7 +125,9 @@ export async function handleAdminLoginPost(
     );
   }
   const session = createSession(db, { userId: user.id });
-  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000), {
+    secure: isHttpsRequest(req),
+  });
   return redirect(next, { "set-cookie": cookie });
 }
 
@@ -164,5 +167,7 @@ export async function handleAdminLogoutPost(db: Database, req: Request): Promise
   }
   const sid = parseSessionCookie(req.headers.get("cookie"));
   if (sid) deleteSession(db, sid);
-  return redirect("/login", { "set-cookie": buildSessionClearCookie() });
+  return redirect("/login", {
+    "set-cookie": buildSessionClearCookie({ secure: isHttpsRequest(req) }),
+  });
 }

package/src/csrf.ts

@@ -23,14 +23,24 @@
  * server-rendered HTML form (cookie + embedded value, classic double-submit)
  * or via the JSON body of `/api/me` (cookie alongside body — same pattern,
  * just JSON instead of HTML). Neither path needs JS to read the cookie
- * directly. SameSite=Lax (matches the session cookie), Secure, and Path=/
- * (covers every admin form, OAuth flow, and `/api/me` consumer).
+ * directly. SameSite=Lax (matches the session cookie), Secure conditional
+ * on the request protocol (see below), and Path=/ (covers every admin
+ * form, OAuth flow, and `/api/me` consumer).
+ *
+ * `Secure` is set when the request arrived over HTTPS (direct or behind a
+ * reverse proxy that set `X-Forwarded-Proto: https`) — `isHttpsRequest` in
+ * `request-protocol.ts` is the single source of truth. On
+ * `http://localhost:1939` the attribute is omitted so the browser actually
+ * keeps the cookie; setting `Secure` unconditionally silently drops it on
+ * HTTP and breaks the double-submit handshake on the very next POST
+ * ("Invalid form submission" page on the wizard, etc.).
  *
  * Token entropy: 32 random bytes, base64url-encoded — same shape as session
  * IDs. No HMAC needed: the value is opaque to the client and only ever
  * compared to itself across the cookie/form boundary.
  */
 import { randomBytes, timingSafeEqual } from "node:crypto";
+import { isHttpsRequest } from "./request-protocol.ts";
 
 export const CSRF_COOKIE_NAME = "parachute_hub_csrf";
 export const CSRF_FIELD_NAME = "__csrf";
@@ -42,15 +52,18 @@ export function generateCsrfToken(): string {
   return randomBytes(32).toString("base64url");
 }
 
-export function buildCsrfCookie(token: string): string {
-  return [
-    `${CSRF_COOKIE_NAME}=${token}`,
-    "HttpOnly",
-    "Secure",
-    "SameSite=Lax",
-    "Path=/",
-    `Max-Age=${CSRF_TTL_SECONDS}`,
-  ].join("; ");
+/**
+ * Build a Set-Cookie header value for a CSRF token. `secure` defaults to
+ * true (the production posture behind a TLS terminator); callers that
+ * mint the cookie for a known-HTTP request — `ensureCsrfToken` does
+ * this via `isHttpsRequest` — pass `secure: false` to omit the
+ * attribute so the browser keeps the cookie on plain HTTP.
+ */
+export function buildCsrfCookie(token: string, opts: { secure?: boolean } = {}): string {
+  const parts = [`${CSRF_COOKIE_NAME}=${token}`, "HttpOnly"];
+  if (opts.secure !== false) parts.push("Secure");
+  parts.push("SameSite=Lax", "Path=/", `Max-Age=${CSRF_TTL_SECONDS}`);
+  return parts.join("; ");
 }
 
 export function parseCsrfCookie(cookieHeader: string | null): string | null {
@@ -72,12 +85,17 @@ export interface EnsuredCsrf {
  * Ensure the request carries a CSRF token cookie; mint and return one if not.
  * Callers embed `result.token` in the rendered form and attach
  * `result.setCookie` (if defined) to the response.
+ *
+ * Protocol-aware: when the request is plain HTTP (`http://localhost:1939`
+ * during local dev / on-box CLI), the minted cookie omits the `Secure`
+ * attribute so the browser keeps it. When the request is HTTPS (or
+ * forwarded via `X-Forwarded-Proto: https`), `Secure` is set.
  */
 export function ensureCsrfToken(req: Request): EnsuredCsrf {
   const existing = parseCsrfCookie(req.headers.get("cookie"));
   if (existing && existing.length > 0) return { token: existing };
   const token = generateCsrfToken();
-  return { token, setCookie: buildCsrfCookie(token) };
+  return { token, setCookie: buildCsrfCookie(token, { secure: isHttpsRequest(req) }) };
 }
 
 /**

package/src/hub-server.ts

@@ -1013,14 +1013,34 @@ export function hubFetch(
       return new Response("not found", { status: 404 });
     }
 
+    // Fresh-hub redirect: on a hub with no admin row yet, the discovery
+    // page (`/`, `/hub.html`) funnels straight to the wizard. The static
+    // portal isn't useful pre-setup — nothing's installed, the
+    // "Signed in" affordance has no session to surface — and the
+    // operator landing on `/` in a browser otherwise has to manually
+    // type `/admin/setup` to escape. 302 (not 301) so the redirect
+    // disappears the moment the wizard finishes.
+    //
+    // Sits before the JSON-shaped 503 gate below because `/` is an
+    // HTML surface — a JSON 503 there would render as raw text in the
+    // operator's browser tab. The 503 gate handles API + admin SPA +
+    // OAuth callers that branch on the structured body.
+    if (getDb && (pathname === "/" || pathname === "/hub.html") && userCount(getDb()) === 0) {
+      return new Response(null, {
+        status: 302,
+        headers: { location: "/admin/setup" },
+      });
+    }
+
     // Pre-admin lockout. When the hub has booted with no admin row (the
     // fresh-container case before PARACHUTE_INITIAL_ADMIN_* is set or
     // /admin/setup is walked), every operator-facing surface that requires
     // identity is meaningless — auth flows can't validate, the SPA can't
     // mint a host-admin token, OAuth can't issue codes. Route those to a
     // 503 that points at /admin/setup. Health, well-known, /admin/setup
-    // itself, and the static discovery page (/) ran above and are
-    // unaffected; OAuth + admin + api endpoints fall here.
+    // itself, OAuth third-party endpoints, and content proxies pass
+    // through; the fresh-hub `/` and `/hub.html` redirect above handled
+    // the discovery-page case.
     //
     // `shouldGateForSetup` runs first so non-gated paths (well-known, /,
     // /health, /admin/setup) never touch getDb — keeping the

package/src/oauth-handlers.ts

@@ -63,6 +63,7 @@ import {
   renderLogin,
 } from "./oauth-ui.ts";
 import { isSameOriginRequest } from "./origin-check.ts";
+import { isHttpsRequest } from "./request-protocol.ts";
 import { isNonRequestableScope, isRequestableScope } from "./scope-explanations.ts";
 import { findUnknownScopes, loadDeclaredScopes } from "./scope-registry.ts";
 import {
@@ -717,7 +718,7 @@ export async function handleAuthorizePost(
 
 async function handleLoginSubmit(
   db: Database,
-  _req: Request,
+  req: Request,
   form: Awaited<ReturnType<Request["formData"]>>,
   _deps: OAuthDeps,
   csrfToken: string,
@@ -746,7 +747,9 @@ async function handleLoginSubmit(
     );
   }
   const session = createSession(db, { userId: user.id });
-  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+  const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000), {
+    secure: isHttpsRequest(req),
+  });
   // Redirect back to GET /oauth/authorize with the original query string so
   // the user lands on the consent screen with full params re-validated.
   const u = new URL("/oauth/authorize", "http://placeholder");

package/src/request-protocol.ts

@@ -0,0 +1,48 @@
+/**
+ * Detect whether an incoming `Request` arrived over HTTPS — the signal
+ * cookie-mint helpers (`buildCsrfCookie`, `buildSessionCookie`,
+ * `buildSessionClearCookie`) use to decide whether to set the `Secure`
+ * attribute. Browsers DROP `Secure` cookies on `http://` connections; on
+ * `http://localhost:1939` (the normal local-dev / on-box-CLI shape)
+ * unconditionally setting `Secure` means the browser silently swallows
+ * the cookie, the next POST has no cookie to double-submit against, and
+ * CSRF verification fails with a "reload and try again" page.
+ *
+ * Signals checked, in priority order:
+ *
+ *   1. `new URL(req.url).protocol === "https:"` — direct HTTPS. Hub
+ *      itself binds 127.0.0.1:1939 over plain HTTP, but a downstream
+ *      caller (a test, an internal proxy) may rewrite the URL.
+ *
+ *   2. `X-Forwarded-Proto: https` — the standard reverse-proxy header.
+ *      Tailscale Serve, cloudflared, and Render all terminate TLS at the
+ *      edge and forward HTTP to the hub with this header set. Without
+ *      this check, every cookie minted behind a reverse proxy would
+ *      drop `Secure` and downgrade the security posture.
+ *
+ *   3. Otherwise: HTTP. The cookie is minted without `Secure` so the
+ *      browser keeps it on `http://localhost:1939`.
+ *
+ * The pattern matches the standard double-submit / session-cookie
+ * convention: secure-by-default unless explicit evidence the connection
+ * is plain HTTP. We do NOT default to "secure" when the protocol is
+ * ambiguous — an ambiguous request is one we can't prove is HTTPS, and
+ * setting `Secure` on it would re-create the original bug. A real
+ * MITM-able HTTP connection is a different problem (operators on
+ * untrusted networks should expose the hub through tailnet/funnel, not
+ * raw HTTP); the cookie-Secure attribute isn't the defense against it.
+ */
+export function isHttpsRequest(req: Request): boolean {
+  // 1. Direct protocol on the parsed URL.
+  try {
+    if (new URL(req.url).protocol === "https:") return true;
+  } catch {
+    // Malformed URL on req — fall through to header sniffing.
+  }
+  // 2. Reverse-proxy header. The forwarded-proto header is a single
+  //    token in practice ("http" or "https"); we lowercase + trim before
+  //    compare so a stray "HTTPS" or " https" doesn't slip past.
+  const xfp = req.headers.get("x-forwarded-proto");
+  if (xfp && xfp.split(",")[0]?.trim().toLowerCase() === "https") return true;
+  return false;
+}

package/src/sessions.ts

@@ -83,26 +83,38 @@ export function deleteSession(db: Database, id: string): void {
 
 /**
  * Build a `Set-Cookie` header value for the given session id. HttpOnly +
- * SameSite=Lax + Secure (we always assume a TLS terminator; localhost dev
- * still sets Secure because Tailscale serves with HTTPS even on the tailnet
- * mount). Path=/ covers the whole hub origin: the operator's session is "logged
- * into this hub", and admin pages outside /oauth/ (config portal, etc.) ride
- * the same session. State-changing admin POSTs require a CSRF token (see
- * src/csrf.ts) since SameSite=Lax alone doesn't prevent same-site CSRF.
+ * SameSite=Lax + Secure (conditional) + Path=/.
+ *
+ * Path=/ covers the whole hub origin: the operator's session is "logged
+ * into this hub", and admin pages outside /oauth/ (config portal, etc.)
+ * ride the same session. State-changing admin POSTs require a CSRF token
+ * (see src/csrf.ts) since SameSite=Lax alone doesn't prevent same-site
+ * CSRF.
+ *
+ * `Secure` defaults to true (production behind a TLS terminator).
+ * Callers minting the cookie for a known-HTTP request — `/login` POST
+ * over `http://localhost:1939`, the wizard's account POST same — pass
+ * `secure: false` (computed from `isHttpsRequest(req)`) so the
+ * browser actually keeps the cookie. Setting `Secure` unconditionally
+ * over plain HTTP silently drops the cookie and breaks the very next
+ * authenticated request.
  */
-export function buildSessionCookie(sessionId: string, maxAgeSeconds: number): string {
-  return [
-    `${SESSION_COOKIE_NAME}=${sessionId}`,
-    "HttpOnly",
-    "Secure",
-    "SameSite=Lax",
-    "Path=/",
-    `Max-Age=${maxAgeSeconds}`,
-  ].join("; ");
+export function buildSessionCookie(
+  sessionId: string,
+  maxAgeSeconds: number,
+  opts: { secure?: boolean } = {},
+): string {
+  const parts = [`${SESSION_COOKIE_NAME}=${sessionId}`, "HttpOnly"];
+  if (opts.secure !== false) parts.push("Secure");
+  parts.push("SameSite=Lax", "Path=/", `Max-Age=${maxAgeSeconds}`);
+  return parts.join("; ");
 }
 
-export function buildSessionClearCookie(): string {
-  return `${SESSION_COOKIE_NAME}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`;
+export function buildSessionClearCookie(opts: { secure?: boolean } = {}): string {
+  const parts = [`${SESSION_COOKIE_NAME}=`, "HttpOnly"];
+  if (opts.secure !== false) parts.push("Secure");
+  parts.push("SameSite=Lax", "Path=/", "Max-Age=0");
+  return parts.join("; ");
 }
 
 export function parseSessionCookie(cookieHeader: string | null): string | null {

package/src/setup-wizard.ts

@@ -47,6 +47,7 @@ import {
   verifyCsrfToken,
 } from "./csrf.ts";
 import { escapeHtml } from "./oauth-ui.ts";
+import { isHttpsRequest } from "./request-protocol.ts";
 import { findService, readManifest } from "./services-manifest.ts";
 import {
   SESSION_TTL_MS,
@@ -551,7 +552,9 @@ export async function handleSetupAccountPost(
   try {
     const user = await createUser(deps.db, username, password);
     const session = createSession(deps.db, { userId: user.id });
-    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000));
+    const cookie = buildSessionCookie(session.id, Math.floor(SESSION_TTL_MS / 1000), {
+      secure: isHttpsRequest(req),
+    });
     return redirect("/admin/setup", { "set-cookie": cookie });
   } catch (err) {
     // Log the raw error server-side for the operator's debugging, but