Use encrypted cookie sessions

kacper 2026-04-12 22:02:47 -04:00
parent a7b0352d3c
commit d84a885fdb
9 changed files with 131 additions and 27 deletions


@ -39,6 +39,7 @@ Optional live Forgejo configuration:
```bash
export APP_BASE_URL="http://kacper-dev-pod:8800"
export AUTH_SECRET_KEY="$(openssl rand -hex 32)"
export FORGEJO_BASE_URL="https://aksal.cloud"
export FORGEJO_OAUTH_CLIENT_ID="your-forgejo-oauth-client-id"
export FORGEJO_OAUTH_CLIENT_SECRET="your-forgejo-oauth-client-secret"
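Review bot: the added `export AUTH_SECRET_KEY="$(openssl rand -hex 32)"` line generates a different key every time the snippet is sourced, so each restart of the backend silently invalidates every existing session cookie, and the same text copied into `.env` (as the section below suggests) is stored literally because a dotenv loader does not perform command substitution. Suggest documenting key generation as a one-off step, e.g. run `openssl rand -hex 32` once and paste the resulting value into `.env`, with a sentence noting that rotating the key logs every user out.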
@ -52,7 +53,9 @@ export CALENDAR_FEED_URLS="webcal://example.com/calendar.ics,https://example.com
http://kacper-dev-pod:8800/api/auth/forgejo/callback
```
`FORGEJO_TOKEN` is optional. When set, it is a read fallback for local development. Browser OAuth requests only identity scopes, then the backend uses the signed-in user's Forgejo identity for public repo reads and public issue replies. The backend must verify repositories are public before reading discussion data or writing comments.
`AUTH_SECRET_KEY` is required for Forgejo OAuth sign-in. It encrypts the `HttpOnly` browser session cookie that carries the signed-in user's Forgejo token and identity. Set `AUTH_COOKIE_SECURE=true` when serving over HTTPS.
`FORGEJO_TOKEN` is optional. When set, it is a read fallback for local development. Browser OAuth requests only identity scopes, then the backend uses the signed-in user's Forgejo identity from the encrypted session cookie for public repo reads and public issue replies. The backend must verify repositories are public before reading discussion data or writing comments.
Or put those values in `.env`:
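Review bot: the new `AUTH_SECRET_KEY` paragraph says the key "encrypts" the session cookie but says nothing about integrity, and because the cookie now carries the signed-in user's Forgejo token a reader needs to know whether the cookie is authenticated (AEAD, or a MAC over the ciphertext) or only encrypted; please state which. The same paragraph should also give the cookie's `SameSite` setting and lifetime, and `AUTH_COOKIE_SECURE` is introduced here but absent from the env block in the previous hunk; suggest adding `export AUTH_COOKIE_SECURE=true` there and wording the `Secure` advice as the default for anything other than plain-http local development.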
@ -60,7 +63,7 @@ Or put those values in `.env`:
cp .env.example .env
```
Sign in through `/signin` using Forgejo OAuth, or query the API directly with:
Use the site `Sign in` button for Forgejo OAuth, or query the API directly with:
```bash
curl -H "Authorization: token your-forgejo-api-token" http://127.0.0.1:8800/api/prototype
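Review bot: the rewritten sign-in sentence drops the only mention of the `/signin` route, and the `curl` line that follows still authenticates with a raw Forgejo API token against `127.0.0.1:8800` while the paragraph above now presents the encrypted session cookie as the normal path. Suggest keeping the route name (`/signin`) next to the `Sign in` button reference and adding a clause saying that the `Authorization: token ...` header is the cookie-less alternative for API clients, if that is the intended behaviour, so readers do not assume the two mechanisms are interchangeable.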