refactor: initial frontend wiring for new api

apps/backend/internal/auth/cookies.go

@@ -11,6 +11,10 @@ type CookieConfig struct {
 	// Domain for cross-subdomain cookies (e.g., "app.com" for web.app.com + api.app.com).
 	// Leave empty for same-host cookies (localhost, single domain).
 	Domain string
+	// Secure controls whether cookies are only sent over HTTPS.
+	// If nil, automatically set based on request protocol (true for HTTPS, false for HTTP).
+	// If explicitly set, this value is used regardless of protocol.
+	Secure *bool
 }
 
 // authCookies returns auth cookies from the given fiber context.
@@ -29,28 +33,37 @@ func authCookies(c *fiber.Ctx) map[string]string {
 }
 
 // setAuthCookies sets HTTP-only auth cookies with security settings derived from the request.
-// Secure flag is based on actual protocol (works automatically with proxies/tunnels).
+// Secure flag is based on actual protocol (works automatically with proxies/tunnels),
+// unless explicitly set in cfg.Secure.
 func setAuthCookies(c *fiber.Ctx, accessToken, refreshToken string, cfg CookieConfig) {
 	secure := c.Protocol() == "https"
 
-	c.Cookie(&fiber.Cookie{
+	accessTokenCookie := &fiber.Cookie{
 		Name:     cookieKeyAccessToken,
 		Value:    accessToken,
 		Path:     "/",
-		Domain:   cfg.Domain,
 		Expires:  time.Now().Add(accessTokenValidFor),
 		SameSite: fiber.CookieSameSiteLaxMode,
 		HTTPOnly: true,
 		Secure:   secure,
-	})
-	c.Cookie(&fiber.Cookie{
+	}
+	if cfg.Domain != "" {
+		accessTokenCookie.Domain = cfg.Domain
+	}
+
+	refreshTokenCookie := &fiber.Cookie{
 		Name:     cookieKeyRefreshToken,
 		Value:    refreshToken,
 		Path:     "/",
-		Domain:   cfg.Domain,
 		Expires:  time.Now().Add(refreshTokenValidFor),
 		SameSite: fiber.CookieSameSiteLaxMode,
 		HTTPOnly: true,
 		Secure:   secure,
-	})
+	}
+	if cfg.Domain != "" {
+		refreshTokenCookie.Domain = cfg.Domain
+	}
+
+	c.Cookie(accessTokenCookie)
+	c.Cookie(refreshTokenCookie)
 }