Improve tracking UX, archive editing, branding, and proxy-safe auth flow

src/App.php

@@ -27,16 +27,24 @@ final class App
 
         $path = request_path();
         $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
+        $hasUsers = $this->users->hasAnyUsers();
+        $isAuthenticated = $this->auth->check();
 
-        if (!$this->users->hasAnyUsers()) {
+        if (!$hasUsers) {
-            if ($path !== '/setup') {
+            if ($path === '/login') {
+                $path = '/setup';
+            } elseif ($path !== '/setup') {
                 redirect('/setup');
             }
-        } elseif (!$this->auth->check() && $path !== '/login') {
+        } elseif (!$isAuthenticated) {
+            if ($path === '/setup') {
+                $path = '/login';
+            } elseif ($path !== '/login') {
                 redirect('/login');
             }
+        }
 
-        if ($this->auth->check() && in_array($path, ['/login', '/setup'], true)) {
+        if ($isAuthenticated && in_array($path, ['/login', '/setup'], true)) {
             redirect('/');
         }
 

src/bootstrap.php

@@ -15,7 +15,13 @@ require __DIR__ . '/App.php';
 
 date_default_timezone_set($_ENV['APP_TIMEZONE'] ?? 'Europe/Berlin');
 
-$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
+$forwardedProto = strtolower((string) ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? ''));
+$forwardedSsl = strtolower((string) ($_SERVER['HTTP_X_FORWARDED_SSL'] ?? ''));
+$isSecure = (
+    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
+    || $forwardedProto === 'https'
+    || $forwardedSsl === 'on'
+);
 
 ini_set('session.use_only_cookies', '1');
 ini_set('session.use_strict_mode', '1');