Implement lightweight auth system with SQLite

Added SQLite database for session management and user preferences storage,
allowing users to have consistent settings across different sessions and devices.

Backend changes:
- Added SQLite database with users, sessions, and preferences tables
- Implemented session-based authentication alongside JWT tokens
- Created preference storage/retrieval API endpoints
- Database migrations for schema setup
- Session validation and cleanup functionality

Frontend changes:
- Added "Remember server" and "Remember username" checkboxes to login
- Created preferences service for syncing settings with backend
- Updated auth flow to handle session tokens and preferences
- Store remembered values in LocalStorage (not database) for convenience

Key features:
- User preferences persist across sessions and devices
- CalDAV passwords never stored, only passed through
- Sessions expire after 24 hours
- Remember checkboxes only affect local browser storage

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

backend/src/handlers/auth.rs

@@ -46,41 +46,12 @@ pub async fn login(
     println!("  Username: {}", request.username);
     println!("  Password length: {}", request.password.len());
 
-    // Basic validation
-    if request.username.is_empty() || request.password.is_empty() || request.server_url.is_empty() {
-        return Err(ApiError::BadRequest(
-            "Username, password, and server URL are required".to_string(),
-        ));
-    }
+    // Use the auth service login method which now handles database, sessions, and preferences
+    let response = state.auth_service.login(request).await?;
 
-    println!("✅ Input validation passed");
+    println!("✅ Login successful with session management");
 
-    // Create a token using the auth service
-    println!("📝 Created CalDAV config");
-
-    // First verify the credentials are valid by attempting to discover calendars
-    let config = CalDAVConfig::new(
-        request.server_url.clone(),
-        request.username.clone(),
-        request.password.clone(),
-    );
-    let client = CalDAVClient::new(config);
-    client
-        .discover_calendars()
-        .await
-        .map_err(|e| ApiError::Unauthorized(format!("Authentication failed: {}", e)))?;
-
-    let token = state
-        .auth_service
-        .generate_token(&request.username, &request.server_url)?;
-
-    println!("🔗 Created CalDAV client, attempting to discover calendars...");
-
-    Ok(Json(AuthResponse {
-        token,
-        username: request.username,
-        server_url: request.server_url,
-    }))
+    Ok(Json(response))
 }
 
 pub async fn verify_token(

backend/src/handlers/preferences.rs

@@ -0,0 +1,123 @@
+use axum::{
+    extract::State,
+    http::{HeaderMap, StatusCode},
+    response::IntoResponse,
+    Json,
+};
+use std::sync::Arc;
+
+use crate::{
+    db::PreferencesRepository,
+    models::{ApiError, UpdatePreferencesRequest, UserPreferencesResponse},
+    AppState,
+};
+
+/// Get user preferences
+pub async fn get_preferences(
+    State(state): State<Arc<AppState>>,
+    headers: HeaderMap,
+) -> Result<impl IntoResponse, ApiError> {
+    // Extract session token from headers
+    let session_token = headers
+        .get("X-Session-Token")
+        .and_then(|h| h.to_str().ok())
+        .ok_or_else(|| ApiError::Unauthorized("Missing session token".to_string()))?;
+
+    // Validate session and get user ID
+    let user_id = state.auth_service.validate_session(session_token).await?;
+
+    // Get preferences from database
+    let prefs_repo = PreferencesRepository::new(&state.db);
+    let preferences = prefs_repo
+        .get_or_create(&user_id)
+        .await
+        .map_err(|e| ApiError::Database(format!("Failed to get preferences: {}", e)))?;
+
+    Ok(Json(UserPreferencesResponse {
+        calendar_selected_date: preferences.calendar_selected_date,
+        calendar_time_increment: preferences.calendar_time_increment,
+        calendar_view_mode: preferences.calendar_view_mode,
+        calendar_theme: preferences.calendar_theme,
+        calendar_colors: preferences.calendar_colors,
+    }))
+}
+
+/// Update user preferences
+pub async fn update_preferences(
+    State(state): State<Arc<AppState>>,
+    headers: HeaderMap,
+    Json(request): Json<UpdatePreferencesRequest>,
+) -> Result<impl IntoResponse, ApiError> {
+    // Extract session token from headers
+    let session_token = headers
+        .get("X-Session-Token")
+        .and_then(|h| h.to_str().ok())
+        .ok_or_else(|| ApiError::Unauthorized("Missing session token".to_string()))?;
+
+    // Validate session and get user ID
+    let user_id = state.auth_service.validate_session(session_token).await?;
+
+    // Update preferences in database
+    let prefs_repo = PreferencesRepository::new(&state.db);
+    
+    let mut preferences = prefs_repo
+        .get_or_create(&user_id)
+        .await
+        .map_err(|e| ApiError::Database(format!("Failed to get preferences: {}", e)))?;
+
+    // Update only provided fields
+    if request.calendar_selected_date.is_some() {
+        preferences.calendar_selected_date = request.calendar_selected_date;
+    }
+    if request.calendar_time_increment.is_some() {
+        preferences.calendar_time_increment = request.calendar_time_increment;
+    }
+    if request.calendar_view_mode.is_some() {
+        preferences.calendar_view_mode = request.calendar_view_mode;
+    }
+    if request.calendar_theme.is_some() {
+        preferences.calendar_theme = request.calendar_theme;
+    }
+    if request.calendar_colors.is_some() {
+        preferences.calendar_colors = request.calendar_colors;
+    }
+
+    prefs_repo
+        .update(&preferences)
+        .await
+        .map_err(|e| ApiError::Database(format!("Failed to update preferences: {}", e)))?;
+
+    Ok((
+        StatusCode::OK,
+        Json(UserPreferencesResponse {
+            calendar_selected_date: preferences.calendar_selected_date,
+            calendar_time_increment: preferences.calendar_time_increment,
+            calendar_view_mode: preferences.calendar_view_mode,
+            calendar_theme: preferences.calendar_theme,
+            calendar_colors: preferences.calendar_colors,
+        }),
+    ))
+}
+
+/// Logout user
+pub async fn logout(
+    State(state): State<Arc<AppState>>,
+    headers: HeaderMap,
+) -> Result<impl IntoResponse, ApiError> {
+    // Extract session token from headers
+    let session_token = headers
+        .get("X-Session-Token")
+        .and_then(|h| h.to_str().ok())
+        .ok_or_else(|| ApiError::Unauthorized("Missing session token".to_string()))?;
+
+    // Delete session
+    state.auth_service.logout(session_token).await?;
+
+    Ok((
+        StatusCode::OK,
+        Json(serde_json::json!({
+            "success": true,
+            "message": "Logged out successfully"
+        })),
+    ))
+}