From f02d41901d5cb10902616b52fff6856c496bdc7d Mon Sep 17 00:00:00 2001
From: Ruidy <ruidy.nemausat@gmail.com>
Date: Sat, 20 Sep 2025 01:10:14 +0200
Subject: [PATCH] chore: note remaining auth tasks

---
 AUTH_PLAN.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/AUTH_PLAN.md b/AUTH_PLAN.md
index 3b9ff6e..c6fbef3 100644
--- a/AUTH_PLAN.md
+++ b/AUTH_PLAN.md
@@ -16,6 +16,8 @@
 - Implement password hashing with per-user random salts (`crypto/rand`, `sha256`) and base64 encoding for storage.
 - Define a user repository interface seeded with an in-memory implementation until persistence is added.
 - Generate CSRF tokens tied to session state and validate them for every mutating request.
+- Externalize session secrets via configuration so environments use predictable/rotatable keys.
+- Add integration tests covering login/logout flows and CSRF protections to prevent regressions.
 
 ## Templates & Frontend