fix: fixes to session storage

backend/internal/interfaces/middleware/auth.go

@@ -20,13 +20,15 @@ const (
 
 // AuthMiddleware verifies JWT tokens
 type AuthMiddleware struct {
-	jwtManager *auth.JWTManager
+	jwtManager     *auth.JWTManager
+	sessionManager *auth.SessionManager
 }
 
 // NewAuthMiddleware creates a new auth middleware
-func NewAuthMiddleware(jwtManager *auth.JWTManager) *AuthMiddleware {
+func NewAuthMiddleware(jwtManager *auth.JWTManager, sessionManager *auth.SessionManager) *AuthMiddleware {
 	return &AuthMiddleware{
-		jwtManager: jwtManager,
+		jwtManager:     jwtManager,
+		sessionManager: sessionManager,
 	}
 }
 
@@ -41,16 +43,23 @@ func (m *AuthMiddleware) Middleware(next http.Handler) http.Handler {
 			return
 		}
 
-		// Extract token from Authorization header.
-		// For GET /files/object, also accept ?token= so markdown images render in-browser.
-		authHeader := r.Header.Get("Authorization")
-		if authHeader == "" && r.Method == http.MethodGet && strings.HasSuffix(r.URL.Path, "/files/object") {
-			if tok := r.URL.Query().Get("token"); tok != "" {
-				authHeader = "Bearer " + tok
+		if sessionCookie, err := r.Cookie("session_id"); err == nil && sessionCookie.Value != "" {
+			sessionData, sessionErr := m.sessionManager.GetSession(r.Context(), sessionCookie.Value)
+			if sessionErr == nil {
+				_ = m.sessionManager.RefreshSession(r.Context(), sessionCookie.Value)
+
+				ctx := context.WithValue(r.Context(), UserIDKey, sessionData.UserID)
+				ctx = context.WithValue(ctx, EmailKey, sessionData.Email)
+				r = r.WithContext(ctx)
+				next.ServeHTTP(w, r)
+				return
 			}
 		}
+
+		// Fall back to Authorization header for backwards compatibility.
+		authHeader := r.Header.Get("Authorization")
 		if authHeader == "" {
-			http.Error(w, "Missing authorization header", http.StatusUnauthorized)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}