From 96fad1a4e78c7209e5a0f3496e8b59d591fbe500 Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Sun, 15 Feb 2026 11:12:50 +0900
Subject: refactor(auth): replace JWT authentication with server-side sessions

Migrate from stateless JWT tokens to server-side session management
backed by PostgreSQL. Sessions are hashed with SHA-256 before storage,
cleaned up periodically, and invalidated on logout. This removes the
need for JWT_SECRET/COOKIE_SECRET environment variables and the
golang-jwt dependency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 backend/api/handler_wrapper.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'backend/api/handler_wrapper.go')

diff --git a/backend/api/handler_wrapper.go b/backend/api/handler_wrapper.go
index 5feaac7..8e3e8cd 100644
--- a/backend/api/handler_wrapper.go
+++ b/backend/api/handler_wrapper.go
@@ -26,7 +26,7 @@ func NewHandler(queries *db.Queries, hub GameHubInterface, conf *config.Config)
 }
 
 func (h *HandlerWrapper) GetGame(ctx context.Context, request GetGameRequestObject) (GetGameResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetGame401JSONResponse{
 			Message: "Unauthorized",
@@ -36,7 +36,7 @@ func (h *HandlerWrapper) GetGame(ctx context.Context, request GetGameRequestObje
 }
 
 func (h *HandlerWrapper) GetGamePlayLatestState(ctx context.Context, request GetGamePlayLatestStateRequestObject) (GetGamePlayLatestStateResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetGamePlayLatestState401JSONResponse{
 			Message: "Unauthorized",
@@ -46,7 +46,7 @@ func (h *HandlerWrapper) GetGamePlayLatestState(ctx context.Context, request Get
 }
 
 func (h *HandlerWrapper) GetGameWatchLatestStates(ctx context.Context, request GetGameWatchLatestStatesRequestObject) (GetGameWatchLatestStatesResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetGameWatchLatestStates401JSONResponse{
 			Message: "Unauthorized",
@@ -56,7 +56,7 @@ func (h *HandlerWrapper) GetGameWatchLatestStates(ctx context.Context, request G
 }
 
 func (h *HandlerWrapper) GetGameWatchRanking(ctx context.Context, request GetGameWatchRankingRequestObject) (GetGameWatchRankingResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetGameWatchRanking401JSONResponse{
 			Message: "Unauthorized",
@@ -66,7 +66,7 @@ func (h *HandlerWrapper) GetGameWatchRanking(ctx context.Context, request GetGam
 }
 
 func (h *HandlerWrapper) GetGames(ctx context.Context, request GetGamesRequestObject) (GetGamesResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetGames401JSONResponse{
 			Message: "Unauthorized",
@@ -76,7 +76,7 @@ func (h *HandlerWrapper) GetGames(ctx context.Context, request GetGamesRequestOb
 }
 
 func (h *HandlerWrapper) GetMe(ctx context.Context, request GetMeRequestObject) (GetMeResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetMe401JSONResponse{
 			Message: "Unauthorized",
@@ -86,7 +86,7 @@ func (h *HandlerWrapper) GetMe(ctx context.Context, request GetMeRequestObject)
 }
 
 func (h *HandlerWrapper) GetTournament(ctx context.Context, request GetTournamentRequestObject) (GetTournamentResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return GetTournament401JSONResponse{
 			Message: "Unauthorized",
@@ -96,7 +96,7 @@ func (h *HandlerWrapper) GetTournament(ctx context.Context, request GetTournamen
 }
 
 func (h *HandlerWrapper) PostGamePlayCode(ctx context.Context, request PostGamePlayCodeRequestObject) (PostGamePlayCodeResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return PostGamePlayCode401JSONResponse{
 			Message: "Unauthorized",
@@ -106,7 +106,7 @@ func (h *HandlerWrapper) PostGamePlayCode(ctx context.Context, request PostGameP
 }
 
 func (h *HandlerWrapper) PostGamePlaySubmit(ctx context.Context, request PostGamePlaySubmitRequestObject) (PostGamePlaySubmitResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return PostGamePlaySubmit401JSONResponse{
 			Message: "Unauthorized",
@@ -120,7 +120,7 @@ func (h *HandlerWrapper) PostLogin(ctx context.Context, request PostLoginRequest
 }
 
 func (h *HandlerWrapper) PostLogout(ctx context.Context, request PostLogoutRequestObject) (PostLogoutResponseObject, error) {
-	user, ok := GetJWTClaimsFromContext(ctx)
+	user, ok := GetUserFromContext(ctx)
 	if !ok {
 		return PostLogout401JSONResponse{
 			Message: "Unauthorized",
-- 
cgit v1.3.1