remove dumb auth

api/v1/api.gen.go

@@ -2031,13 +2031,21 @@ type LoginResponseObject interface {
 	VisitLoginResponse(w http.ResponseWriter) error
 }
 
-type Login200JSONResponse LoginResponse
+type Login200ResponseHeaders struct {
+	SetCookie string
+}
+
+type Login200JSONResponse struct {
+	Body    LoginResponse
+	Headers Login200ResponseHeaders
+}
 
 func (response Login200JSONResponse) VisitLoginResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Set-Cookie", fmt.Sprint(response.Headers.SetCookie))
 	w.WriteHeader(200)
 
-	return json.NewEncoder(w).Encode(response)
+	return json.NewEncoder(w).Encode(response.Body)
 }
 
 type Login400JSONResponse ErrorResponse
@@ -2124,13 +2132,21 @@ type RegisterResponseObject interface {
 	VisitRegisterResponse(w http.ResponseWriter) error
 }
 
-type Register201JSONResponse LoginResponse
+type Register201ResponseHeaders struct {
+	SetCookie string
+}
+
+type Register201JSONResponse struct {
+	Body    LoginResponse
+	Headers Register201ResponseHeaders
+}
 
 func (response Register201JSONResponse) VisitRegisterResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Set-Cookie", fmt.Sprint(response.Headers.SetCookie))
 	w.WriteHeader(201)
 
-	return json.NewEncoder(w).Encode(response)
+	return json.NewEncoder(w).Encode(response.Body)
 }
 
 type Register400JSONResponse ErrorResponse

api/v1/auth.go

@@ -41,8 +41,13 @@ func (s *Server) Login(ctx context.Context, request LoginRequestObject) (LoginRe
 	}
 
 	return Login200JSONResponse{
-		Username: user.ID,
-		IsAdmin:  user.Admin,
+		Body: LoginResponse{
+			Username: user.ID,
+			IsAdmin:  user.Admin,
+		},
+		Headers: Login200ResponseHeaders{
+			SetCookie: s.getSetCookieFromContext(ctx),
+		},
 	}, nil
 }
 
@@ -81,8 +86,13 @@ func (s *Server) Register(ctx context.Context, request RegisterRequestObject) (R
 	}
 
 	return Register201JSONResponse{
-		Username: user.ID,
-		IsAdmin:  user.Admin,
+		Body: LoginResponse{
+			Username: user.ID,
+			IsAdmin:  user.Admin,
+		},
+		Headers: Register201ResponseHeaders{
+			SetCookie: s.getSetCookieFromContext(ctx),
+		},
 	}, nil
 }
 
@@ -207,6 +217,14 @@ func (s *Server) getResponseWriterFromContext(ctx context.Context) http.Response
 	return w
 }
 
+func (s *Server) getSetCookieFromContext(ctx context.Context) string {
+	w := s.getResponseWriterFromContext(ctx)
+	if w == nil {
+		return ""
+	}
+	return w.Header().Get("Set-Cookie")
+}
+
 // getSession retrieves auth data from the session cookie
 func (s *Server) getSession(r *http.Request) (auth authData, ok bool) {
 	// Get session from cookie store

api/v1/auth_test.go

@@ -66,6 +66,13 @@ func (suite *AuthTestSuite) createTestUser(username, password string) {
 	suite.Require().NoError(err)
 }
 
+func (suite *AuthTestSuite) assertSessionCookie(cookie *http.Cookie) {
+	suite.Require().NotNil(cookie)
+	suite.Equal("token", cookie.Name)
+	suite.NotEmpty(cookie.Value)
+	suite.True(cookie.HttpOnly)
+}
+
 func (suite *AuthTestSuite) login(username, password string) *http.Cookie {
 	reqBody := LoginRequest{
 		Username: username,
@@ -86,6 +93,7 @@ func (suite *AuthTestSuite) login(username, password string) *http.Cookie {
 
 	cookies := w.Result().Cookies()
 	suite.Require().Len(cookies, 1, "should have session cookie")
+	suite.assertSessionCookie(cookies[0])
 
 	return cookies[0]
 }
@@ -109,6 +117,10 @@ func (suite *AuthTestSuite) TestAPILogin() {
 	var resp LoginResponse
 	suite.Require().NoError(json.Unmarshal(w.Body.Bytes(), &resp))
 	suite.Equal("testuser", resp.Username)
+
+	cookies := w.Result().Cookies()
+	suite.Require().Len(cookies, 1)
+	suite.assertSessionCookie(cookies[0])
 }
 
 func (suite *AuthTestSuite) TestAPILoginInvalidCredentials() {
@@ -146,7 +158,8 @@ func (suite *AuthTestSuite) TestAPIRegister() {
 	suite.True(resp.IsAdmin, "first registered user should mirror legacy admin bootstrap behavior")
 
 	cookies := w.Result().Cookies()
-	suite.Require().NotEmpty(cookies, "register should set a session cookie")
+	suite.Require().Len(cookies, 1, "register should set a session cookie")
+	suite.assertSessionCookie(cookies[0])
 
 	user, err := suite.db.Queries.GetUser(suite.T().Context(), "newuser")
 	suite.Require().NoError(err)
@@ -182,6 +195,10 @@ func (suite *AuthTestSuite) TestAPILogout() {
 	suite.srv.ServeHTTP(w, req)
 
 	suite.Equal(http.StatusOK, w.Code)
+
+	cookies := w.Result().Cookies()
+	suite.Require().Len(cookies, 1)
+	suite.Equal("token", cookies[0].Name)
 }
 
 func (suite *AuthTestSuite) TestAPIGetMe() {

api/v1/openapi.yaml

@@ -626,8 +626,9 @@ components:
 
   securitySchemes:
     BearerAuth:
-      type: http
-      scheme: bearer
+      type: apiKey
+      in: cookie
+      name: token
 
 paths:
   /documents:
@@ -1174,6 +1175,11 @@ paths:
       responses:
         200:
           description: Successful login
+          headers:
+            Set-Cookie:
+              description: HttpOnly session cookie for authenticated requests.
+              schema:
+                type: string
           content:
             application/json:
               schema:
@@ -1212,6 +1218,11 @@ paths:
       responses:
         201:
           description: Successful registration
+          headers:
+            Set-Cookie:
+              description: HttpOnly session cookie for authenticated requests.
+              schema:
+                type: string
           content:
             application/json:
               schema: