authornsfisis <nsfisis@gmail.com>2026-02-13 23:46:16 +0900
committernsfisis <nsfisis@gmail.com>2026-02-13 23:46:16 +0900
commit7258ca81812a24edd382438ce6e9ebc538549427 (patch)
tree9bbc034be62777a2412d871211188268d7c56da4 /backend/main.go
parent7757f26295cbf19c4d6fa068e2cb6bdc2589d01a (diff)
feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie
Prevent XSS-based token theft by making the JWT inaccessible to JavaScript. The backend now sets/clears the cookie via Set-Cookie headers, and the frontend retrieves user info from /api/me instead of decoding the JWT directly.

- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat (limited to 'backend/main.go')
-rw-r--r--backend/main.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/backend/main.go b/backend/main.go
index 40fb8f0..29edfdb 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -73,8 +73,9 @@ func main() {
apiGroup := e.Group(conf.BasePath + "api")
apiGroup.Use(ratelimit.LoginRateLimitMiddleware(loginRL))
+ apiGroup.Use(api.JWTCookieMiddleware)
apiGroup.Use(oapimiddleware.OapiRequestValidator(openAPISpec))
- apiHandler := api.NewHandler(queries, gameHub)
+ apiHandler := api.NewHandler(queries, gameHub, conf)
api.RegisterHandlers(apiGroup, api.NewStrictHandler(apiHandler, nil))
adminHandler := admin.NewHandler(queries, conf)
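Review bot: `apiGroup.Use(api.JWTCookieMiddleware)` is registered on the whole api group, which also contains the login route, so the middleware has to treat a missing, expired or otherwise invalid cookie as "unauthenticated" and let the request continue rather than short-circuiting with an error — otherwise a client with a stale cookie can never reach /login to obtain a fresh one; the middleware body is not in this diff, so this is worth confirming. A one-line comment above the new line would pin that contract: `// Parse the JWT cookie, if present, into the request context; each handler decides whether authentication is required.` Its position after the login rate limiter and before the OpenAPI validator looks right, since cookie parsing then cannot be used to bypass rate limiting. Whether the admin handler created on the next line also sits behind the cookie middleware is not visible here, and main's body continues outside the hunk.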
@@ -97,7 +98,10 @@ func main() {
})
// Allow access from dev server.
- e.Use(middleware.CORS())
+ e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+ AllowOrigins: []string{"http://localhost:5173"},
+ AllowCredentials: true,
+ }))
}
go gameHub.Run()
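Review bot: `AllowCredentials: true` lets the dev frontend send the new HTTP-only cookie cross-origin, but CORS only governs who may read a response; browsers still attach the cookie to cross-site form POSTs and other requests whose response an attacker never needs, so switching from an Authorization header to a cookie makes every state-changing api route depend on CSRF defences that this diff does not show. The cookie's `SameSite` attribute is set in handler code outside this file; if it is not `Strict` or `Lax`, Echo's `middleware.CSRF()` (or an equivalent token check) should be added to the group that carries those routes. The single explicit origin is the correct shape — browsers reject `*` combined with credentials — though `"http://localhost:5173"` could be read from `conf` instead of a literal so the dev origin is not baked into the binary. The conditional this block sits in begins outside the hunk, so it is not visible that the config is dev-only; if it is, a comment such as `// Dev only: credentialed CORS for the frontend dev server; production is expected to be same-origin.` would make that explicit.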