Feat: Implement signed HttpOnly session cookie

app/api/login/route.js

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server';
 import crypto from 'crypto';
+import { signSession } from '../../../lib/auth';
 
 export async function POST(req) {
     try {
@@ -15,8 +16,21 @@ export async function POST(req) {
         }
 
         if (email === process.env.ADMIN_EMAIL && password === process.env.ADMIN_PASS) {
-            // Real implementation would set a JWT or session cookie here
+            // Generate our secure edge-compatible token
-            return NextResponse.json({ success: true, message: 'Welcome back, Master!' });
+            const token = await signSession();
+            
+            const response = NextResponse.json({ success: true, message: 'Welcome back, Master!' });
+            
+            // Set it as an HttpOnly cookie so JavaScript can't touch it
+            response.cookies.set('kalbot_session', token, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === 'production',
+                sameSite: 'strict',
+                path: '/',
+                maxAge: 60 * 60 * 24 // 1 day in seconds
+            });
+
+            return response;
         } else {
             // Trigger NTFY alert for failed login
             if (process.env.NTFY_URL) {