fix: 프로덕션 쿠키/세션 문제 해결

- trust proxy 설정 (Traefik 뒤에서 동작)
- 쿠키 secure:false (Traefik이 SSL 처리하므로 내부는 HTTP)
- fetch credentials:'same-origin' 명시
- redirect:manual 제거 (opaqueredirect 문제)
- content-type 체크로 비정상 응답 감지

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/app.js

@@ -17,6 +17,9 @@ const sessions = new Map();
 const SESSION_COOKIE = 'cm_session';
 const SESSION_MAX_AGE = 24 * 60 * 60 * 1000; // 24시간
 
+// ===== Traefik 프록시 신뢰 =====
+app.set('trust proxy', 1);
+
 // ===== 미들웨어 =====
 app.use(express.json({ limit: '50mb' }));
 app.use(express.urlencoded({ extended: true }));
@@ -73,7 +76,7 @@ app.post('/login', (req, res) => {
 
     res.cookie(SESSION_COOKIE, token, {
       httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      secure: false,
       sameSite: 'lax',
       maxAge: SESSION_MAX_AGE,
     });

views/admin/layout.ejs

@@ -121,14 +121,18 @@ tr:hover td{background:rgba(255,255,255,.02)}
 <div class="toast" id="toast"></div>
 <script>
 function api(method, url, data) {
-  const opts = { method, headers: { 'Content-Type': 'application/json' }, redirect: 'manual' };
+  const opts = { method, headers: { 'Content-Type': 'application/json' }, credentials: 'same-origin' };
   if (data) opts.body = JSON.stringify(data);
   return fetch(url, opts).then(r => {
-    if (r.status === 401 || r.type === 'opaqueredirect' || r.status === 0) {
+    const ct = r.headers.get('content-type') || '';
+    if (r.status === 401) {
       window.location.href = '/login?redirect=' + encodeURIComponent(window.location.pathname);
       return [];
     }
-    if (!r.ok) return r.json().then(j => { throw new Error(j.error || 'API Error'); });
+    if (!ct.includes('application/json')) {
+      console.error('API returned non-JSON:', r.status, ct);
+      return [];
+    }
     return r.json();
   }).catch(err => {
     console.error('API Error:', err);