feat(auth): implement cookie-based JWT authentication and logout functionality

.dockerignore

@@ -1,3 +1,7 @@
+andasy.hcl
+config.hcl
+.git/
+
 # Django project
 /media/
 /static/
@@ -13,12 +17,22 @@ __pycache__
 /.vagrant/
 /Vagrantfile.local
 node_modules/
+**/node_modules/
 /npm-debug.log
 /.idea/
 .vscode
 coverage
 .python-version
 
+# Frontend build/cache artifacts (reduce remote build context size)
+frontend/.next/
+**/.next/
+frontend/.turbo/
+**/.turbo/
+frontend/out/
+frontend/coverage/
+frontend/*.tsbuildinfo
+
 # Distribution / packaging
 .Python
 env/

.env.example

@@ -163,12 +163,10 @@ AUDIT_TENANT_ACCESS=true
 # CORS_ALLOW_CREDENTIALS=true   # default true (JWT in header / cookies)
 # CORS_EXTRA_HEADERS=           # optional comma-separated extra allowed request headers
 #
-# Cross-site cookies (HTTPS SPA on another domain — often needs):
-#   SESSION_COOKIE_SAMESITE=None
-#   SESSION_COOKIE_SECURE=true
-#   CSRF_COOKIE_SAMESITE=None
-#   CSRF_COOKIE_SECURE=true
-# (Production settings default SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE to true unless overridden.)
+# Cross-site JWT cookies (HTTPS SPA on another domain — often needs):
+#   JWT_COOKIE_SAMESITE=None
+#   JWT_COOKIE_SECURE=true
+# (Production settings default JWT_COOKIE_SECURE to true unless overridden.)
 #
 # Trust X-Forwarded-Proto from your edge (load balancer, ingress, PaaS). Default in production is on;
 # set false only if TLS terminates on the app and no proxy sends this header.

.gitignore

@@ -64,6 +64,13 @@ local_settings.py
 db.sqlite3
 db.sqlite3-journal
 
+# Frontend generated artifacts
+frontend/.next/
+frontend/.turbo/
+frontend/out/
+frontend/coverage/
+frontend/*.tsbuildinfo
+
 # Flask stuff:
 instance/
 .webassets-cache

andasy.hcl

@@ -1,8 +1,9 @@
-# andasy.hcl app configuration file generated for theinventory on Wednesday, 18-Mar-26 19:41:50 CAT
+
+# andasy.hcl app configuration file generated for theinventoryapp on Wednesday, 18-Mar-26 19:41:50 CAT
 #
 # See https://github.com/quarksgroup/andasy-cli for information about how to use this file.
 
-app_name = "theinventory"
+app_name = "theinventoryapp"
 
 app {
 
@@ -20,7 +21,7 @@ app {
   }
 
   process {
-    name = "theinventory"
+    name = "theinventoryapp"
   }
 
 }

docs/ARCHITECTURE.md

@@ -826,7 +826,7 @@ Production settings automatically:
 - Set `DEBUG = False` (enforce security)
 - Require `SECRET_KEY` (raises error if missing)
 - Use `ManifestStaticFilesStorage` (hash-based static file caching)
-- Default `SESSION_COOKIE_SECURE` / `CSRF_COOKIE_SECURE` to true
+- Default `JWT_COOKIE_SECURE` to true
 - Set `SECURE_PROXY_SSL_HEADER` when `USE_X_FORWARDED_PROTO` is true (default)
 
 **For full documentation:**