feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie

Prevent XSS-based token theft by making the JWT inaccessible to
JavaScript. The backend now sets/clears the cookie via Set-Cookie
headers, and the frontend retrieves user info from /api/me instead
of decoding the JWT directly.

- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1 files changed, 32 insertions, 0 deletions

diff --git a/backend/api/auth_middleware.go b/backend/api/auth_middleware.go
new file mode 100644
index 0000000..97f8946
--- /dev/null
+++ b/backend/api/auth_middleware.go
@@ -0,0 +1,32 @@
+package api
+
+import (
+	"context"
+
+	"github.com/labstack/echo/v4"
+
+	"albatross-2026-backend/auth"
+)
+
+type contextKey struct{}
+
+func JWTCookieMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		cookie, err := c.Cookie("albatross_token")
+		if err != nil {
+			return next(c)
+		}
+		claims, err := auth.ParseJWT(cookie.Value)
+		if err != nil {
+			return next(c)
+		}
+		ctx := context.WithValue(c.Request().Context(), contextKey{}, claims)
+		c.SetRequest(c.Request().WithContext(ctx))
+		return next(c)
+	}
+}
+
+func GetJWTClaimsFromContext(ctx context.Context) (*auth.JWTClaims, bool) {
+	claims, ok := ctx.Value(contextKey{}).(*auth.JWTClaims)
+	return claims, ok
+}