feat: impl cookie-based auth tokens exchange

implement access/refresh token exchange via cookies as well as automatic
access token refresh

apps/backend/internal/auth/cookies.go

@@ -0,0 +1,56 @@
+package auth
+
+import (
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+// CookieConfig controls auth cookie behavior.
+type CookieConfig struct {
+	// Domain for cross-subdomain cookies (e.g., "app.com" for web.app.com + api.app.com).
+	// Leave empty for same-host cookies (localhost, single domain).
+	Domain string
+}
+
+// authCookies returns auth cookies from the given fiber context.
+// Returns a map with the cookie names as keys and the cookie values as values.
+func authCookies(c *fiber.Ctx) map[string]string {
+	m := make(map[string]string)
+	at := c.Cookies(cookieKeyAccessToken)
+	if at != "" {
+		m[cookieKeyAccessToken] = at
+	}
+	rt := c.Cookies(cookieKeyRefreshToken)
+	if rt != "" {
+		m[cookieKeyRefreshToken] = rt
+	}
+	return m
+}
+
+// setAuthCookies sets HTTP-only auth cookies with security settings derived from the request.
+// Secure flag is based on actual protocol (works automatically with proxies/tunnels).
+func setAuthCookies(c *fiber.Ctx, accessToken, refreshToken string, cfg CookieConfig) {
+	secure := c.Protocol() == "https"
+
+	c.Cookie(&fiber.Cookie{
+		Name:     cookieKeyAccessToken,
+		Value:    accessToken,
+		Path:     "/",
+		Domain:   cfg.Domain,
+		Expires:  time.Now().Add(accessTokenValidFor),
+		SameSite: fiber.CookieSameSiteLaxMode,
+		HTTPOnly: true,
+		Secure:   secure,
+	})
+	c.Cookie(&fiber.Cookie{
+		Name:     cookieKeyRefreshToken,
+		Value:    refreshToken,
+		Path:     "/",
+		Domain:   cfg.Domain,
+		Expires:  time.Now().Add(refreshTokenValidFor),
+		SameSite: fiber.CookieSameSiteLaxMode,
+		HTTPOnly: true,
+		Secure:   secure,
+	})
+}