From e560a2faa2313b074dd878b44dfa971dea6733e0 Mon Sep 17 00:00:00 2001 From: chpark Date: Fri, 27 Mar 2026 02:25:05 +0900 Subject: [PATCH] =?UTF-8?q?fix:=20=ED=94=84=EB=A1=9C=EB=8D=95=EC=85=98=20?= =?UTF-8?q?=EC=BF=A0=ED=82=A4/=EC=84=B8=EC=85=98=20=EB=AC=B8=EC=A0=9C=20?= =?UTF-8?q?=ED=95=B4=EA=B2=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - trust proxy 설정 (Traefik 뒤에서 동작) - 쿠키 secure:false (Traefik이 SSL 처리하므로 내부는 HTTP) - fetch credentials:'same-origin' 명시 - redirect:manual 제거 (opaqueredirect 문제) - content-type 체크로 비정상 응답 감지 Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/app.js | 5 ++++- views/admin/layout.ejs | 10 +++++++--- 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/app.js b/src/app.js
index 499a12d..3eb9f19 100644
--- a/src/app.js
+++ b/src/app.js
@@ -17,6 +17,9 @@ const sessions = new Map();
 const SESSION_COOKIE = 'cm_session';
 const SESSION_MAX_AGE = 24 * 60 * 60 * 1000; // 24시간
+// ===== Traefik 프록시 신뢰 =====
+app.set('trust proxy', 1);
+
 // ===== 미들웨어 =====
 app.use(express.json({ limit: '50mb' }));
 app.use(express.urlencoded({ extended: true }));
@@ -73,7 +76,7 @@ app.post('/login', (req, res) => {
 res.cookie(SESSION_COOKIE, token, {
 httpOnly: true,
- secure: process.env.NODE_ENV === 'production',
+ secure: false,
 sameSite: 'lax',
 maxAge: SESSION_MAX_AGE,
 });
diff --git a/views/admin/layout.ejs b/views/admin/layout.ejs
index 38f7b15..c520743 100644
--- a/views/admin/layout.ejs
+++ b/views/admin/layout.ejs
@@ -121,14 +121,18 @@ tr:hover td{background:rgba(255,255,255,.02)}
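Review bot: `app.set('trust proxy', 1)` makes Express take the client address and protocol from the X-Forwarded-* headers of the nearest hop, which is only sound if the app port is reachable exclusively through Traefik; the added comment does not record that assumption. If the port is also exposed directly, a client can supply those headers itself and influence values such as `req.ip` and `req.secure`. I would extend the comment, e.g. `// Trust exactly one proxy hop (Traefik); the app port must not be reachable directly`, and check that the deployment's port binding matches it.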
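Review bot: `secure: false` in the `res.cookie` options drops the Secure attribute from the `cm_session` cookie in every environment, so a browser will also attach the session token to any plain-HTTP request to this host, where it can be read on the network. The Secure attribute is enforced by the browser against the scheme it sees (HTTPS at Traefik); as far as I know `res.cookie` only emits the attribute and does not check whether the hop from the proxy to the app is HTTP, so TLS termination at the proxy should not require turning it off. I would keep the previous line, `secure: process.env.NODE_ENV === 'production',`, and confirm that NODE_ENV is actually set in the deployment; if the flag must be switchable, drive it from an explicit environment setting rather than hard-coding `false`. The login handler starts and ends outside this hunk, so the cause of the original cookie problem cannot be confirmed from here.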