enh: Improve `auth.token` security

[nfebe]

The auth.token cookie in composables/useAuth.ts should have httpOnly: true to prevent client-side script access, which is a critical security measure against XSS attacks.

[Lantum-Brendan]

Resolved in pr: #33

[nfebe]

Reverted change due to bug in main:

See:

API Error: 
Object { success: false, message: "Unauthenticated. Please log in to access this resource.", errors: [] }
[BJssQ0rr.js:23:37680](https://dashboard.trakli.app/_nuxt/BJssQ0rr.js)
Failed to fetch user: FetchError: [GET] "https://api.dev.trakli.app/api/v1/user": 401 Unauthorized
    NuxtJS 43
[BJssQ0rr.js:23:59035](https://dashboard.trakli.app/_nuxt/BJssQ0rr.js)
✅ All shared data cleared for logout [BJssQ0rr.js:23:46856](https://dashboard.trakli.app/_nuxt/BJssQ0rr.js)
Cookie “auth.token” has been rejected because there is already an HTTP-Only cookie but script tried to store a new one. 3 [login](https://dashboard.trakli.app/login)

[Lantum-Brendan]

Reverted change due to bug in main:

See:

API Error: 
Object { success: false, message: "Unauthenticated. Please log in to access this resource.", errors: [] }
[BJssQ0rr.js:23:37680](https://dashboard.trakli.app/_nuxt/BJssQ0rr.js)
Failed to fetch user: FetchError: [GET] "https://api.dev.trakli.app/api/v1/user": 401 Unauthorized
    NuxtJS 43
[BJssQ0rr.js:23:59035](https://dashboard.trakli.app/_nuxt/BJssQ0rr.js)
✅ All shared data cleared for logout [BJssQ0rr.js:23:46856](https://dashboard.trakli.app/_nuxt/BJssQ0rr.js)
Cookie “auth.token” has been rejected because there is already an HTTP-Only cookie but script tried to store a new one. 3 [login](https://dashboard.trakli.app/login)

After extensive research and attempts at implementation with httpOnly: true, the issue identified a critical architectural mismatch in our HTTP-only cookie handling. The tradeoff here would be functionality over the ideal security model

The Problem

The original code attempted to:

1. Define auth tokens as HTTP-only cookies in useAuth.ts
2. Manage these cookies from client-side JavaScript
3. This is architecturally impossible — HTTP-only cookies cannot be accessed by JavaScript

Root Cause: An architectural mismatch — the browser explicitly prevents JavaScript from accessing HTTP-only cookies.

Impact:

• Tokens failed to persist after login
• Subsequent API requests returned 401 Unauthorized
• User couldn’t access protected resources

Suggestion

Since I don’t have backend access, I changed the token cookie setting from httpOnly: true to httpOnly: false to allow client-side handling. This enables:

• ✅ Client-side access and management of tokens
• ✅ Persistent token storage in the browser
• ✅ Tokens to be included in Authorization headers for API requests
• ✅ A fully functional login and data-loading flow end-to-end

Recommendation

While this change restores full functionality, the ideal solution should be implemented at the backend level.
The backend should handle token storage and validation securely — for instance, by maintaining session tokens in HTTP-only cookies and providing APIs for secure token renewal or validation.