Use encrypted cookie sessions

app.py

@@ -43,7 +43,7 @@ def create_app() -> FastAPI:
     @app.get("/api/prototype")
     async def prototype(request: Request) -> JSONResponse:
         settings = get_settings()
-        session_user = current_session_user(request)
+        session_user = current_session_user(request, settings)
         forgejo_token, auth_source = resolve_forgejo_token(request, settings)
         return JSONResponse(
             await build_live_prototype_payload(
@@ -56,11 +56,11 @@ def create_app() -> FastAPI:
 
     @app.get("/api/auth/session")
     async def auth_session(request: Request) -> JSONResponse:
-        session_user = current_session_user(request)
+        settings = get_settings()
+        session_user = current_session_user(request, settings)
         if session_user:
             return JSONResponse(_auth_payload(session_user, "session"))
 
-        settings = get_settings()
         forgejo_token, auth_source = resolve_forgejo_token(request, settings)
         if not forgejo_token or auth_source == "server":
             return JSONResponse(_auth_payload(None, "none"))
@@ -131,7 +131,7 @@ def create_app() -> FastAPI:
             return _signin_error_redirect(str(exchange_error))
 
         response = RedirectResponse(oauth_state.return_to, status_code=303)
-        create_login_session(response, access_token, user)
+        create_login_session(response, settings, access_token, user)
         return response
 
     @app.delete("/api/auth/session")
@@ -255,7 +255,11 @@ def _auth_payload(user: dict[str, Any] | None, source: str) -> dict[str, object]
 
 
 def _oauth_configured(settings: Settings) -> bool:
-    return bool(settings.forgejo_oauth_client_id and settings.forgejo_oauth_client_secret)
+    return bool(
+        settings.auth_secret_key
+        and settings.forgejo_oauth_client_id
+        and settings.forgejo_oauth_client_secret
+    )
 
 
 def _oauth_redirect_uri(request: Request, settings: Settings) -> str: