Use session_secret for signed auth session tokens

backend/app/routers/auth.py

@@ -63,15 +63,19 @@ async def login(
             detail=str(exc),
         ) from exc
 
+    signed_token = auth_service.sign_session_token(
+        session.token,
+        settings.session_secret,
+    )
     response.set_cookie(
         key=_COOKIE_NAME,
-        value=session.token,
+        value=signed_token,
         httponly=True,
         samesite="lax",
         secure=False,  # Set to True in production behind HTTPS
         max_age=settings.session_duration_minutes * 60,
     )
-    return LoginResponse(token=session.token, expires_at=session.expires_at)
+    return LoginResponse(token=signed_token, expires_at=session.expires_at)
 
 
 @router.post(
@@ -83,6 +87,7 @@ async def logout(
     request: Request,
     response: Response,
     db: DbDep,
+    settings: SettingsDep,
 ) -> LogoutResponse:
     """Invalidate the active session.
 
@@ -94,14 +99,17 @@ async def logout(
         request: FastAPI request (used to extract the token).
         response: FastAPI response (used to clear the cookie).
         db: Injected aiosqlite connection.
+        settings: Application settings (used to unwrap signed tokens).
 
     Returns:
         :class:`~app.models.auth.LogoutResponse`.
     """
     token = _extract_token(request)
     if token:
-        await auth_service.logout(db, token)
-        invalidate_session_cache(token)
+        raw_token = await auth_service.logout(db, token, settings.session_secret)
+        if raw_token:
+            invalidate_session_cache(raw_token)
+            invalidate_session_cache(token)
     response.delete_cookie(key=_COOKIE_NAME)
     return LogoutResponse()