From 7258ca81812a24edd382438ce6e9ebc538549427 Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Fri, 13 Feb 2026 23:46:16 +0900
Subject: feat(auth): store JWT in HTTP-only cookie instead of JS-accessible
 cookie

Prevent XSS-based token theft by making the JWT inaccessible to
JavaScript. The backend now sets/clears the cookie via Set-Cookie
headers, and the frontend retrieves user info from /api/me instead
of decoding the JWT directly.

- Add JWTCookieMiddleware to parse cookie and inject claims into context
- Add /me and /logout endpoints to OpenAPI spec and handlers
- Update PostLogin to return user object + Set-Cookie header
- Replace Authorization header auth with cookie-based auth throughout
- Rewrite frontend auth to use /api/me instead of jwt-decode
- Remove jwt-decode dependency
- Configure CORS with credentials for local dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 frontend/app/pages/GolfWatchPage.tsx | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

(limited to 'frontend/app/pages/GolfWatchPage.tsx')

diff --git a/frontend/app/pages/GolfWatchPage.tsx b/frontend/app/pages/GolfWatchPage.tsx
index 317f860..519a030 100644
--- a/frontend/app/pages/GolfWatchPage.tsx
+++ b/frontend/app/pages/GolfWatchPage.tsx
@@ -3,7 +3,6 @@ import { useEffect, useMemo, useState } from "react";
 import { useLocation } from "wouter";
 import { ApiClientContext, createApiClient } from "../api/client";
 import type { components } from "../api/schema";
-import { getToken } from "../auth";
 import GolfWatchApp from "../components/GolfWatchApp";
 import { APP_NAME } from "../config";
 import { usePageTitle } from "../hooks/usePageTitle";
@@ -31,9 +30,7 @@ export default function GolfWatchPage({ gameId }: { gameId: string }) {
 	);
 
 	useEffect(() => {
-		const token = getToken();
-		if (!token) return;
-		const apiClient = createApiClient(token);
+		const apiClient = createApiClient();
 		Promise.all([
 			apiClient.getGame(gameIdNum),
 			apiClient.getGameWatchRanking(gameIdNum),
@@ -61,11 +58,9 @@ export default function GolfWatchPage({ gameId }: { gameId: string }) {
 		);
 	}
 
-	const token = getToken()!;
-
 	return (
 		<JotaiProvider store={store}>
-			<ApiClientContext.Provider value={createApiClient(token)}>
+			<ApiClientContext.Provider value={createApiClient()}>
 				<GolfWatchApp
 					key={game.game_id}
 					game={game}
-- 
cgit v1.3.1