feat(api): POST /api/auth/login

Verifies bcrypt password hash, mints a session token, stores its
sha256 in the sessions table, and returns the token in both the
response body (for Flutter) and an httpOnly/SameSite=Strict
cookie (for the web SPA).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-04-20 21:25:52 -04:00
parent dc43921bcc
commit 2f2dfa86df
4 changed files with 268 additions and 4 deletions
+1 -4
View File
@@ -35,10 +35,7 @@ type handlers struct {
}
// Stub handlers so Mount() compiles. Real implementations in later tasks
// replace these in place (Task 6 login, Task 7 logout, Task 8 me).
func (h *handlers) handleLogin(w http.ResponseWriter, r *http.Request) {
writeErr(w, http.StatusNotImplemented, "not_implemented", "login not wired")
}
// replace these in place (Task 7 logout, Task 8 me).
func (h *handlers) handleLogout(w http.ResponseWriter, r *http.Request) {
writeErr(w, http.StatusNotImplemented, "not_implemented", "logout not wired")