fix: login loop and repeated medication notifications

- Fix login loop: secure cookie detection now uses x-forwarded-proto/origin
  headers to correctly identify HTTPS requests through Tailscale Funnel
- Add credentials: include to login/register fetch calls
- Verify session after login/registration before redirecting to prevent race conditions
- Fix repeated medication reminders: isDue() now matches exact minute instead of
  5-minute tolerance window, preventing duplicate notifications when sender runs
  every minute
- Add tests for cookie security and notification scheduling
- Extract isDue() to separate module for better testability
Tony0410
2026-03-15 12:17:42 +00:00
parent f0f674945c
commit 1bb88288f4
12 changed files with 120 additions and 27 deletions

@@ -24,6 +24,7 @@ function LoginForm() {
const response = await fetch('/api/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'include',
body: JSON.stringify({ email, password }),
})
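Review bot: `credentials: 'include'` in this fetch call is redundant as written, because `/api/auth/login` is a relative, same-origin URL and fetch's default credentials mode (`same-origin`) in current browsers already sends and stores cookies for such requests. If the login loop was actually resolved by the server-side secure-cookie detection, drop this line or add a comment explaining why it is needed. If the intent is to support a cross-origin API later, note that `include` only works when the server responds with `Access-Control-Allow-Credentials: true` and a specific (non-wildcard) `Access-Control-Allow-Origin`, and that configuration is not visible in this change.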
@@ -42,6 +43,15 @@ function LoginForm() {
return
}
const sessionResponse = await fetch('/api/auth/me', {
credentials: 'include',
cache: 'no-store',
})
if (!sessionResponse.ok) {
throw new Error('Your session was created but is not available yet. Please try again.')
}
showToast('Welcome back!', 'success')
// If there's a redirect param (e.g., from invite link), go there
router.push(redirectTo || '/today')
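Review bot: The `if (!sessionResponse.ok)` check collapses every non-2xx answer from `/api/auth/me` into one message, so a 401 (the session cookie was not stored or not sent back) is indistinguishable from a 5xx on the server. Branch on `sessionResponse.status`: a 401 here points at a cookie attribute problem (Secure, SameSite, domain) that "Please try again" will not fix, and each retry re-submits the password and asks the server for another session. Consider recording the status for diagnostics and showing the retry wording only for transient failures. `cache: 'no-store'` on the verification request is a good choice and worth keeping.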