feat(auth): add "Remember me" checkbox to extend session lifetime (#1189)

Adds a "Remember me" checkbox to the login form (single responsive page,
covers mobile + desktop). Unchecked (default) issues the existing
SESSION_DURATION JWT with a browser-session cookie (no maxAge); checked
issues a longer-lived JWT plus a persistent cookie sized by the new
SESSION_DURATION_REMEMBER env var (default 30d). The choice is threaded
through the MFA verify leg so it survives the step-up.

Register/demo logins keep their current persistent behaviour.

server/tests/e2e/auth.e2e.test.ts

@@ -98,6 +98,28 @@ describe('Auth e2e (real auth guard + real cookie service + temp SQLite)', () =>
     expect(setCookie.some((c) => c.startsWith('trek_session=') && /HttpOnly/i.test(c))).toBe(true);
   }, 10000);
 
+  it('POST /login with remember_me sets a persistent cookie (Max-Age present)', async () => {
+    authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 }, remember: true });
+    const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw', remember_me: true });
+    expect(res.status).toBe(200);
+    const setCookie = res.headers['set-cookie'] as unknown as string[];
+    const cookie = setCookie.find((c) => c.startsWith('trek_session='))!;
+    expect(cookie).toMatch(/Max-Age=\d+/i);
+    // 30d default — well above the 24h (86400s) non-remember window.
+    const maxAge = Number(/Max-Age=(\d+)/i.exec(cookie)?.[1]);
+    expect(maxAge).toBeGreaterThan(86_400);
+  }, 10000);
+
+  it('POST /login without remember_me sets a session cookie (no Max-Age)', async () => {
+    authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 }, remember: false });
+    const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw' });
+    expect(res.status).toBe(200);
+    const setCookie = res.headers['set-cookie'] as unknown as string[];
+    const cookie = setCookie.find((c) => c.startsWith('trek_session='))!;
+    expect(cookie).not.toMatch(/Max-Age/i);
+    expect(cookie).not.toMatch(/Expires/i);
+  }, 10000);
+
   it('POST /logout clears the session cookie', async () => {
     const res = await request(server).post('/api/auth/logout');
     expect(res.status).toBe(200);

server/tests/unit/nest/auth.controller.test.ts

@@ -82,9 +82,10 @@ describe('AuthPublicController', () => {
     const setAuthCookie = vi.fn();
     const mfa = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ mfa_required: true, mfa_token: 'mt' }) } as Partial<AuthService>), rl());
     expect(await mfa.login({}, req, res)).toEqual({ mfa_required: true, mfa_token: 'mt' });
-    const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user }), setAuthCookie } as Partial<AuthService>), rl());
+    const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user, remember: true }), setAuthCookie } as Partial<AuthService>), rl());
     expect(await ok.login({}, req, res)).toEqual({ token: 'tk', user });
-    expect(setAuthCookie).toHaveBeenCalled();
+    // The "remember me" flag from the service rides through to the cookie service.
+    expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req, true);
     const bad = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ error: 'Bad creds', status: 401, auditAction: 'user.login_fail' }) } as Partial<AuthService>), rl());
     expect(await thrownAsync(() => bad.login({}, req, res))).toEqual({ status: 401, body: { error: 'Bad creds' } });
   }, 10000);

server/tests/unit/services/cookie.test.ts

@@ -1,6 +1,7 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 
 import { cookieOptions } from '../../../src/services/cookie';
+import { SESSION_DURATION_MS, SESSION_DURATION_REMEMBER_MS } from '../../../src/config';
 
 describe('cookieOptions', () => {
   afterEach(() => {
@@ -53,4 +54,16 @@ describe('cookieOptions', () => {
     const opts = cookieOptions(true);
     expect(opts).not.toHaveProperty('maxAge');
   });
+
+  it('keeps the default SESSION_DURATION maxAge when remember is undefined', () => {
+    expect(cookieOptions(false, undefined)).toHaveProperty('maxAge', SESSION_DURATION_MS);
+  });
+
+  it('uses the longer SESSION_DURATION_REMEMBER maxAge when remember is true', () => {
+    expect(cookieOptions(false, undefined, true)).toHaveProperty('maxAge', SESSION_DURATION_REMEMBER_MS);
+  });
+
+  it('omits maxAge (session cookie) when remember is false', () => {
+    expect(cookieOptions(false, undefined, false)).not.toHaveProperty('maxAge');
+  });
 });