feat(auth): store JWT in HTTP-only cookie instead of JS-accessible cookie

Prevent XSS-based token theft by making the JWT inaccessible to
JavaScript. The backend now sets/clears the cookie via Set-Cookie
headers, and the frontend retrieves user info from /api/me instead
of decoding the JWT directly.

- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1 files changed, 0 insertions, 10 deletions

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index cd06b43..b4799d1 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -12,7 +12,6 @@
 				"@fortawesome/react-fontawesome": "^0.2.2",
 				"hast-util-to-jsx-runtime": "^2.3.6",
 				"jotai": "^2.12.1",
-				"jwt-decode": "^4.0.0",
 				"openapi-fetch": "^0.13.4",
 				"react": "^19.0.0",
 				"react-dom": "^19.0.0",
@@ -5364,15 +5363,6 @@
 				"node": ">=4.0"
 			}
 		},
-		"node_modules/jwt-decode": {
-			"version": "4.0.0",
-			"resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz",
-			"integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==",
-			"license": "MIT",
-			"engines": {
-				"node": ">=18"
-			}
-		},
 		"node_modules/keyv": {
 			"version": "4.5.4",
 			"resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",