From e5565327ec03d87b3e206e82fdcd643e36d1d86b Mon Sep 17 00:00:00 2001
From: multipleof4
Date: Sun, 15 Mar 2026 14:22:20 -0700
Subject: [PATCH] Feat: Implement signed HttpOnly session cookie

---
 app/api/login/route.js | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/api/login/route.js b/app/api/login/route.js
index 80e9f73..c75eecf 100644
--- a/app/api/login/route.js
+++ b/app/api/login/route.js
@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server';
 import crypto from 'crypto';
+import { signSession } from '../../../lib/auth';
 
 export async function POST(req) {
   try {
@@ -15,8 +16,21 @@ export async function POST(req) {
     }
 
     if (email === process.env.ADMIN_EMAIL && password === process.env.ADMIN_PASS) {
-      // Real implementation would set a JWT or session cookie here
-      return NextResponse.json({ success: true, message: 'Welcome back, Master!' });
+      // Generate our secure edge-compatible token
+      const token = await signSession();
+
+      const response = NextResponse.json({ success: true, message: 'Welcome back, Master!' });
+
+      // Set it as an HttpOnly cookie so JavaScript can't touch it
+      response.cookies.set('kalbot_session', token, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'strict',
+        path: '/',
+        maxAge: 60 * 60 * 24 // 1 day in seconds
+      });
+
+      return response;
     } else {
       // Trigger NTFY alert for failed login
       if (process.env.NTFY_URL) {
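Review bot: The one-day lifetime exists only on the cookie: `signSession()` is called with no arguments, so nothing in this hunk ties the signed value to an expiry, and `maxAge` is merely a hint the browser may or may not honour — if lib/auth does not embed and verify its own expiry (not visible here), a captured `kalbot_session` value stays valid until the signing secret changes. Hoist the lifetime into one constant, e.g. `const SESSION_TTL_SECONDS = 60 * 60 * 24;` used as `maxAge: SESSION_TTL_SECONDS`, and feed the same value into the session payload so the verifier can reject stale tokens independently of the cookie attributes. It is also worth a comment above the `signSession()` call stating what the token actually carries (expiry, a version or nonce for revocation) so the next reader does not assume the cookie flags alone bound the session. The enclosing POST handler continues outside this hunk, and the first hunk's new import is the only other change.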