feat(auth): family-wide session constants + mint primitive + auth factory

Adds src/constants.ts exporting the family-wide session policy
(SESSION_TTL_DAYS=30, SESSION_TTL_SECONDS=2_592_000,
SESSION_RENEW_THRESHOLD_SECONDS=3600, LOGOUT_PATHS) so every
bchen.dev app shares the same persistence window.

Introduces issueSessionCookie as the single mint site for
fastify-jwt sign + setCookie, replacing inlined jwt.sign +
setCookie calls in pages.ts and api/v1/auth.ts. The cookie now
carries Max-Age=SESSION_TTL_SECONDS so it persists across browser
restarts.

Converts requireAuth into a makeRequireAuth(config) factory; route
plugins build their own preHandler at registration time. Threads
through pages.ts, api/v1/auth.ts, and api/v1/files.ts.

SESSION_COOKIE_NAME stays 'token' in this commit so existing tests
remain green; the rename to 'nanodrop_session' lands in a follow-up.
JWT_EXPIRY env var is still read; its removal also lands in a
follow-up so each commit builds cleanly.

src/routes/api/v1/auth.ts

@@ -4,7 +4,8 @@ import type { Config } from '../../../config.ts';
 import type { Logger } from '../../../middleware/logging.ts';
 import type { LockoutService } from '../../../services/lockout.ts';
 import { attemptLogin } from '../../../services/login-handler.ts';
-import { requireAuth, tokenCookieOptions } from '../../../middleware/auth.ts';
+import { makeRequireAuth, issueSessionCookie } from '../../../middleware/auth.ts';
+import { SESSION_COOKIE_NAME } from '../../../constants.ts';
 
 interface Deps {
   db: Database.Database;
@@ -20,6 +21,7 @@ interface LoginBody {
 
 export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
   const { config } = deps;
+  const requireAuth = makeRequireAuth(config);
 
   app.post<{ Body: LoginBody }>(
     '/login',
@@ -56,15 +58,17 @@ export const authApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { d
         return reply.status(401).send({ error: 'Invalid credentials' });
       }
 
-      const token = app.jwt.sign(
+      issueSessionCookie(
+        reply,
+        app,
         { sub: result.user.id, username: result.user.username },
-        { expiresIn: config.jwtExpiry },
+        config.cookieSecure,
       );
-      reply.setCookie('token', token, tokenCookieOptions(config.cookieSecure)).send({ ok: true });
+      reply.send({ ok: true });
     },
   );
 
   app.post('/logout', { preHandler: requireAuth }, async (_request, reply) => {
-    reply.clearCookie('token', { path: '/' }).send({ ok: true });
+    reply.clearCookie(SESSION_COOKIE_NAME, { path: '/' }).send({ ok: true });
   });
 };

src/routes/api/v1/files.ts

@@ -7,7 +7,7 @@ import type { Logger } from '../../../middleware/logging.ts';
 import type { JwtPayload } from '../../../types.ts';
 import { createFile, getFilesByUserId, getFileById, deleteFile } from '../../../db/files.ts';
 import { saveFile, deleteStoredFile } from '../../../services/storage.ts';
-import { requireAuth } from '../../../middleware/auth.ts';
+import { makeRequireAuth } from '../../../middleware/auth.ts';
 
 interface Deps {
   db: Database.Database;
@@ -17,6 +17,7 @@ interface Deps {
 
 export const filesApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, { deps }) => {
   const { db, config } = deps;
+  const requireAuth = makeRequireAuth(config);
 
   app.get('/', { preHandler: requireAuth }, async (request, reply) => {
     const { sub: userId } = request.user as JwtPayload;