🔒 Fix: Migrate token storage to HttpOnly cookies#68

Merged
projectedanx merged 1 commit into
mainfrom
jules-9967362965505343792-b396df1a
Jun 6, 2026
Conversation

@projectedanx

Owner

🎯 What: The application was storing authentication tokens in sessionStorage in app/public/app.js and reading them on the frontend.
⚠️ Risk: Storing sensitive tokens in sessionStorage exposes them to Cross-Site Scripting (XSS) attacks, as any malicious JavaScript injected into the application can access them.
🛡️ Solution: The application was updated to use HttpOnly cookies for token storage. We added cookie-parser to the Express backend in app/server.js, updated cabpMiddleware to read the token directly from req.cookies.token (while keeping Authorization header checking as a fallback), and configured CORS credentials: true. On the frontend, we removed sessionStorage lookups, instead enabling credentials: "include" on StreamableHTTPClientTransport so that HttpOnly cookies are seamlessly included with the request securely. All redundant token-checking frontend tests were pruned, and a backend cookie authorization test was introduced to ensure strict safety validations.


PR created automatically by Jules for task 9967362965505343792 started by @projectedanx

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@google-labs-jules

Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@projectedanx projectedanx merged commit 82206a3 into main Jun 6, 2026
5 checks passed
@projectedanx projectedanx deleted the jules-9967362965505343792-b396df1a branch June 6, 2026 08:18

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request transitions the authentication mechanism from token-based authorization headers stored in session storage to HttpOnly cookies. It introduces the cookie-parser dependency, configures CORS to support credentials, and updates the cabpMiddleware to read the JWT token from cookies with a fallback to the Authorization header. On the client side, token checks and manual header injection are replaced with credentials: "include" on the transport layer. Relevant tests have been updated or added to verify the cookie-based authentication middleware. There are no review comments, and I have no further feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
