refactor: replace Bearer token auth with HttpOnly cookies

- Remove POST /api/v1/register endpoint entirely
- Session creation (POST /api/v1/session) now sets neoirc_auth HttpOnly
  cookie instead of returning token in JSON body
- Login (POST /api/v1/login) now sets neoirc_auth HttpOnly cookie
  instead of returning token in JSON body
- Add PASS IRC command for setting session password (enables multi-client
  login via POST /api/v1/login)
- All per-request auth reads from neoirc_auth cookie instead of
  Authorization: Bearer header
- Cookie properties: HttpOnly, SameSite=Strict, Secure when behind TLS
- Logout and QUIT clear the auth cookie
- Update CORS to AllowCredentials:true with origin reflection
- Remove Authorization from CORS AllowedHeaders
- Update CLI client to use cookie jar (net/http/cookiejar)
- Remove Token field from SessionResponse
- Add SetPassword to DB layer, remove RegisterUser
- Comprehensive test updates for cookie-based auth
- Add tests: TestPassCommand, TestPassCommandShortPassword,
  TestPassCommandEmpty, TestSessionCookie
- Update README extensively: auth model, API reference, curl examples,
  security model, design principles, roadmap

closes #83

internal/db/auth.go

@@ -16,80 +16,28 @@ var errNoPassword = errors.New(
 	"account has no password set",
 )
 
-// RegisterUser creates a session with a hashed password
-// and returns session ID, client ID, and token.
-func (database *Database) RegisterUser(
+// SetPassword sets a bcrypt-hashed password on a session,
+// enabling multi-client login via POST /api/v1/login.
+func (database *Database) SetPassword(
 	ctx context.Context,
-	nick, password string,
-) (int64, int64, string, error) {
+	sessionID int64,
+	password string,
+) error {
 	hash, err := bcrypt.GenerateFromPassword(
 		[]byte(password), bcryptCost,
 	)
 	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"hash password: %w", err,
-		)
+		return fmt.Errorf("hash password: %w", err)
 	}
 
-	sessionUUID := uuid.New().String()
-	clientUUID := uuid.New().String()
-
-	token, err := generateToken()
+	_, err = database.conn.ExecContext(ctx,
+		"UPDATE sessions SET password_hash = ? WHERE id = ?",
+		string(hash), sessionID)
 	if err != nil {
-		return 0, 0, "", err
+		return fmt.Errorf("set password: %w", err)
 	}
 
-	now := time.Now()
-
-	transaction, err := database.conn.BeginTx(ctx, nil)
-	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"begin tx: %w", err,
-		)
-	}
-
-	res, err := transaction.ExecContext(ctx,
-		`INSERT INTO sessions
-		 (uuid, nick, password_hash,
-		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		sessionUUID, nick, string(hash), now, now)
-	if err != nil {
-		_ = transaction.Rollback()
-
-		return 0, 0, "", fmt.Errorf(
-			"create session: %w", err,
-		)
-	}
-
-	sessionID, _ := res.LastInsertId()
-
-	tokenHash := hashToken(token)
-
-	clientRes, err := transaction.ExecContext(ctx,
-		`INSERT INTO clients
-		 (uuid, session_id, token,
-		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
-	if err != nil {
-		_ = transaction.Rollback()
-
-		return 0, 0, "", fmt.Errorf(
-			"create client: %w", err,
-		)
-	}
-
-	clientID, _ := clientRes.LastInsertId()
-
-	err = transaction.Commit()
-	if err != nil {
-		return 0, 0, "", fmt.Errorf(
-			"commit registration: %w", err,
-		)
-	}
-
-	return sessionID, clientID, token, nil
+	return nil
 }
 
 // LoginUser verifies a nick/password and creates a new