From 96fad1a4e78c7209e5a0f3496e8b59d591fbe500 Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Sun, 15 Feb 2026 11:12:50 +0900
Subject: refactor(auth): replace JWT authentication with server-side sessions

Migrate from stateless JWT tokens to server-side session management backed by PostgreSQL. Sessions are hashed with SHA-256 before storage, cleaned up periodically, and invalidated on logout. This removes the need for JWT_SECRET/COOKIE_SECRET environment variables and the golang-jwt dependency.

Co-Authored-By: Claude Opus 4.6
---
 backend/auth/session.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 backend/auth/session.go

(limited to 'backend/auth/session.go')

diff --git a/backend/auth/session.go b/backend/auth/session.go
new file mode 100644
index 0000000..a0d5aa4
--- /dev/null
+++ b/backend/auth/session.go
@@ -0,0 +1,21 @@
+package auth
+
+import (
+ "crypto/rand"
+ "crypto/sha256"
+ "encoding/hex"
+ "fmt"
+)
+
+func GenerateSessionID() (string, error) {
+ b := make([]byte, 32)
+ if _, err := rand.Read(b); err != nil {
+ return "", fmt.Errorf("generate session ID: %w", err)
+ }
+ return hex.EncodeToString(b), nil
+}
+
+func HashSessionID(raw string) string {
+ h := sha256.Sum256([]byte(raw))
+ return hex.EncodeToString(h[:])
+}
--
cgit v1.3.1
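Review bot: Both exported functions in the new file lack doc comments, and HashSessionID in particular needs one stating its security contract, because it is an unsalted single SHA-256 over whatever string it receives and that is only adequate when the input is the 32-byte crypto/rand value GenerateSessionID produces, never a low-entropy value such as a password or a user-chosen token. For GenerateSessionID I would add `// GenerateSessionID returns a fresh 32-byte (256-bit) identifier drawn from crypto/rand, hex-encoded. Per the session design only its SHA-256 digest is persisted, so callers must treat the raw value as a bearer secret and keep it out of logs.` and for HashSessionID `// HashSessionID returns the hex SHA-256 digest under which a session is stored and looked up. It is unsalted and fast by design: the input is assumed to be a GenerateSessionID output with 256 bits of entropy, so do not reuse it for low-entropy secrets.` Since the lookup and comparison code is not in this file, I cannot confirm from the hunk that the raw ID is discarded after hashing or that the stored digest is what the database query keys on; that is worth verifying in the session store change.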