updated documentation and made the correct changes to .env file

john-overton
2025-04-15 16:04:02 -05:00
parent 193b18d991
commit d5052c11fb
4 changed files with 36 additions and 2 deletions

.env

@@ -6,6 +6,6 @@ AUTH_LIFE="86400"
#The idle time before being logged out
IDLE_TIME="28800"
# Version of the app
APP_VERSION="0.9.0"
APP_VERSION="0.9.2"
# Whether to set cookies as secure (requires HTTPS)
COOKIE_SECURE="false"
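Review bot: `COOKIE_SECURE="false"` on the last line of this hunk is the value that ships in the tracked `.env`, and the comment above it only says "(requires HTTPS)", so nothing in the file tells an operator that the default leaves the auth cookie valid over plain HTTP. Suggest extending the comment to say that `"false"` is meant for development or initial setup and that the value should be `"true"` once an SSL certificate is in place, which is what the README section added in this commit states.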


@@ -1,5 +1,12 @@
# Sprout Track Changelog
## v0.9.2 (Release) - April 2025
### Changes
- Fixed an issue where etc/timezones isn't available in docker images
- Added the ability to set cookie auth to require HTTPS or not. This is added to the .env file. When enabled the cookie will only be valid and sent when the app is accessed over HTTPS. When set to false the cookie will be valid and sent over HTTP or HTTPS. IMPORTANT: When setting this to true you must have an SSL certificate in place otherwise all main API's will be blocked.
## v0.9.0 (Beta Release) - April 2025
The beta release of Sprout Track as a self-hostable baby tracking application.
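Review bot: the second bullet under v0.9.2 never names the setting; it says "This is added to the .env file", so a reader has to open `.env` to learn that the key is `COOKIE_SECURE` and that it defaults to `"false"`. Suggest naming the variable and its default in the bullet, and rewording "all main API's will be blocked" ("APIs", plus the reason the same bullet already gives: the cookie is only sent over HTTPS). The changelog also goes from v0.9.0 straight to v0.9.2; if 0.9.1 was skipped on purpose, a short line saying so would avoid confusion.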


@@ -39,6 +39,7 @@ A Next.js application for tracking baby activities, milestones, and development.
- [Database Scripts](#database-scripts)
- [Utility Scripts](#utility-scripts)
- [Updating the Application](#updating-the-application)
- [Environment Variables](#environment-variables)
- [Docker Deployment](#docker-deployment)
- [Prerequisites](#prerequisites-1)
- [Quick Docker Setup](#quick-docker-setup)
@@ -236,6 +237,29 @@ This will:
Each script can also be run independently for specific operations.
## Environment Variables
The application can be configured using environment variables in the `.env` file. Here are the available options:
| Variable | Description | Default | Example |
|----------|-------------|---------|---------|
| `DATABASE_URL` | Path to the SQLite database | `"file:../db/baby-tracker.db"` | `"file:/path/to/custom/db.sqlite"` |
| `SERVICE_NAME` | Name of the systemd service | `"baby-tracker"` | `"sprout-track"` |
| `AUTH_LIFE` | Authentication token validity period in seconds | `"86400"` (24 hours) | `"43200"` (12 hours) |
| `IDLE_TIME` | Idle timeout before automatic logout in seconds | `"28800"` (8 hours) | `"3600"` (1 hour) |
| `APP_VERSION` | Application version | `"0.9.0"` | `"1.0.0"` |
| `COOKIE_SECURE` | Whether cookies require HTTPS connections | `"false"` | `"true"` |
### Important Notes:
- **DATABASE_URL**: Changing this after initial setup requires migrating your data manually.
- **AUTH_LIFE**: Lower values increase security but require more frequent logins.
- **IDLE_TIME**: Determines how long a user can be inactive before being logged out.
- **COOKIE_SECURE**:
- Set to `"false"` to allow cookies on non-HTTPS connections (development or initial setup)
- Set to `"true"` when you have an SSL certificate in place (recommended for production)
- When set to `"true"`, the application will only work over HTTPS connections
## Docker Deployment
The application can be easily deployed using Docker. This method provides a consistent environment and simplifies the setup process.
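Review bot: the `APP_VERSION` row of the new table lists the default as `"0.9.0"`, but this same commit sets `APP_VERSION="0.9.2"` in `.env`, so the table is out of date as committed. Suggest updating the row or describing the default without a fixed version number. In the `COOKIE_SECURE` notes, "the application will only work over HTTPS connections" would be more useful if it gave the reason the changelog gives, that the cookie is only valid and sent over HTTPS.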


@@ -158,9 +158,12 @@ Authentication errors return appropriate HTTP status codes:
1. **Cookie Security**:
- HTTP-only: Prevents JavaScript access to the cookie
- Secure: Only sent over HTTPS in production
- Secure: Only sent over HTTPS when `COOKIE_SECURE` environment variable is set to `"true"`
- SameSite: Strict to prevent CSRF attacks
- Limited expiration: 30 minutes
- The `COOKIE_SECURE` environment variable (in `.env` file) controls whether cookies require HTTPS:
- Set to `"false"` (default) to allow cookies on non-HTTPS connections
- Set to `"true"` when you have an SSL certificate in place and want to enforce secure cookies
2. **Session Management**:
- Two separate timeout mechanisms are implemented:
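Review bot: the reworded `Secure` bullet changes the documented guarantee from "Only sent over HTTPS in production" to an opt-in through `COOKIE_SECURE`, and with the stated default of `"false"` a production deployment gets no HTTPS-only cookie unless the operator edits `.env`. The text should say that directly and recommend `"true"` for production, as the README does. Separately, "Limited expiration: 30 minutes" in the context lines does not obviously agree with the `AUTH_LIFE` default of `"86400"` seconds in the README table; worth confirming which value the cookie uses and aligning the two documents.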