From 577fa9400a902e6c9937060ab19ab384f25d9e74 Mon Sep 17 00:00:00 2001
From: DmitrL-dev <84296377+DmitrL-dev@users.noreply.github.com>
Date: Fri, 27 Mar 2026 18:42:54 +1000
Subject: [PATCH] fix(auth): comprehensive sync of cookie-based sessions across register, verify, and middleware
---
 .../infrastructure/auth/tenant_handlers.go | 30 +++++++++++++++----
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/internal/infrastructure/auth/tenant_handlers.go b/internal/infrastructure/auth/tenant_handlers.go
index 855ec1e..fd5b41c 100644
--- a/internal/infrastructure/auth/tenant_handlers.go
+++ b/internal/infrastructure/auth/tenant_handlers.go
@@ -180,14 +180,32 @@ func HandleVerifyEmail(userStore *UserStore, tenantStore *TenantStore, jwtSecret
 			tenant, _ = tenantStore.GetTenant(tenantID)
 		}
 
+		// SEC: H1 - Use httpOnly Cookies instead of returning JSON tokens
+		http.SetCookie(w, &http.Cookie{
+			Name: "syntrex_token",
+			Value: accessToken,
+			Path: "/",
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			MaxAge: 900,
+		})
+		http.SetCookie(w, &http.Cookie{
+			Name: "syntrex_refresh",
+			Value: refreshToken,
+			Path: "/",
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			MaxAge: 7 * 24 * 3600,
+		})
+
+		// SEC: M2 - Generate stateless CSRF token
+		csrfToken := hmacSign([]byte(accessToken), jwtSecret)[:32]
+
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(map[string]interface{}{
-			"access_token": accessToken,
-			"refresh_token": refreshToken,
-			"expires_in": 900,
-			"token_type": "Bearer",
-			"user": user,
-			"tenant": tenant,
+			"csrf_token": csrfToken,
+			"user": user,
+			"tenant": tenant,
 		})
 	}
 }
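Review bot: Neither cookie written in this hunk sets `Secure: true`, so the access and refresh tokens would also be transmitted over plain HTTP if the site is ever reached that way, which undoes much of the benefit of moving them out of the JSON body; add `Secure: true,` to both `http.Cookie` literals (driven by a config flag if local development needs plain HTTP). The refresh cookie is scoped to `Path: "/"`, which sends the seven-day refresh token on every request rather than only to the refresh endpoint, so narrowing its `Path` to that route would limit exposure. The CSRF derivation `hmacSign([]byte(accessToken), jwtSecret)[:32]` reuses the JWT signing secret as the CSRF key and assumes `hmacSign` returns an encoded string of at least 32 characters, so a dedicated or domain-separated key and a length guard are worth confirming, since `[:32]` would panic on a shorter result. HandleVerifyEmail begins outside the hunk, so I could not check that the hard-coded `MaxAge: 900` matches the lifetime the access token is actually issued with.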