feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie

Prevent XSS-based token theft by making the JWT inaccessible to
JavaScript. The backend now sets/clears the cookie via Set-Cookie
headers, and the frontend retrieves user info from /api/me instead
of decoding the JWT directly.

- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1 files changed, 5 insertions, 19 deletions

diff --git a/backend/gen/api/handler_wrapper_gen.go b/backend/gen/api/handler_wrapper_gen.go
index 1aeaba7..5a5ce2d 100644
--- a/backend/gen/api/handler_wrapper_gen.go
+++ b/backend/gen/api/handler_wrapper_gen.go
@@ -104,10 +104,8 @@ package api
 
 import (
 	"context"
-	"errors"
-	"strings"
 
-	"albatross-2026-backend/auth"
+	"albatross-2026-backend/config"
 	"albatross-2026-backend/db"
 )
 
@@ -117,33 +115,21 @@ type HandlerWrapper struct {
 	impl Handler
 }
 
-func NewHandler(queries *db.Queries, hub GameHubInterface) *HandlerWrapper {
+func NewHandler(queries *db.Queries, hub GameHubInterface, conf *config.Config) *HandlerWrapper {
 	return &HandlerWrapper{
 		impl: Handler{
 			q:    queries,
 			hub:  hub,
+			conf: conf,
 		},
 	}
 }
 
-func parseJWTClaimsFromAuthorizationHeader(authorization string) (*auth.JWTClaims, error) {
-	const prefix = "Bearer "
-	if !strings.HasPrefix(authorization, prefix) {
-		return nil, errors.New("invalid authorization header")
-	}
-	token := authorization[len(prefix):]
-	claims, err := auth.ParseJWT(token)
-	if err != nil {
-		return nil, err
-	}
-	return claims, nil
-}
-
 {{ range . }}
 	func (h *HandlerWrapper) {{ .Name }}(ctx context.Context, request {{ .Name }}RequestObject) ({{ .Name }}ResponseObject, error) {
 		{{ if .RequiresLogin -}}
-			user, err := parseJWTClaimsFromAuthorizationHeader(request.Params.Authorization)
-			if err != nil {
+			user, ok := GetJWTClaimsFromContext(ctx)
+			if !ok {
 				return {{ .Name }}401JSONResponse{
 					UnauthorizedJSONResponse: UnauthorizedJSONResponse{
 						Message: "Unauthorized",