fix for cf compatibility

lib/session.ts

@@ -67,17 +67,15 @@ export async function createSession(payload: Omit<SessionPayload, 'expiresAt'>)
 
 	const cookieStore = await cookies();
 	
-	// In production, always use secure cookies if NEXTAUTH_URL is https
+	// For Cloudflare tunnel: external is HTTPS, internal is HTTP
-	// This handles Cloudflare tunnel scenarios where external URL is https
+	// Use secure cookies when NEXTAUTH_URL is https (external URL)
-	// but internal communication is http
+	const isSecure = process.env.NEXTAUTH_URL?.startsWith('https') ?? false;
-	const isSecure = process.env.NODE_ENV === 'production' && 
-		process.env.NEXTAUTH_URL?.startsWith('https');
 	
 	const cookieOptions = {
 		httpOnly: true,
 		secure: isSecure,
 		expires: expiresAt,
-		sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
+		sameSite: isSecure ? 'none' : 'lax', // none required for secure cross-site
 		path: '/',
 	} as const;
 
@@ -103,15 +101,13 @@ export async function updateSession() {
 	const expires = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);
 	const newSession = await encrypt({ ...payload, expiresAt: expires });
 
-	// In production, always use secure cookies if NEXTAUTH_URL is https
+	const isSecure = process.env.NEXTAUTH_URL?.startsWith('https') ?? false;
-	const isSecure = process.env.NODE_ENV === 'production' && 
-		process.env.NEXTAUTH_URL?.startsWith('https');
 
 	cookieStore.set('session', newSession, {
 		httpOnly: true,
 		secure: isSecure,
 		expires: expires,
-		sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
+		sameSite: isSecure ? 'none' : 'lax',
 		path: '/',
 	});
 }