Authentication Implementation Plan

Project Restructure

Move the entrypoint to cmd/server/main.go and create internal/server for router, middleware, and session bootstrap logic.
Add internal/auth for credential hashing, validation helpers, and user/session abstractions.
Relocate templates and static assets to web/ and embed them with embed.FS so the binary stays self-contained.

Adopt github.com/go-chi/chi/v5 with recovery, request logging, and session-loading middleware.
Maintain an in-memory session store backed by HTTP-only cookies; compare secrets with crypto/subtle and rotate session IDs on login/logout.

Implement password hashing with per-user random salts (crypto/rand, sha256) and base64 encoding for storage.
Define a user repository interface seeded with an in-memory implementation until persistence is added.
Generate CSRF tokens tied to session state and validate them for every mutating request.
Externalize session secrets via configuration so environments use predictable/rotatable keys.
Add integration tests covering login/logout flows and CSRF protections to prevent regressions.

Replace static HTML with html/template views built on semantic markup and Pico.css styling.
Enhance forms using htmx for progressive submission and Alpine.js for light client interactivity (loading states, error visibility).
Serve embedded assets via helper endpoints or template functions using the embedded filesystem.

Create GET /signin, POST /signin, GET /signup, POST /signup, POST /signout, and protected dashboard routes.
Return precise HTTP status codes and htmx-compatible fragments for validation errors.
Guard authenticated routes with middleware that checks session validity before rendering protected pages.

Cover hashing and CSRF helpers with table-driven unit tests.
Use net/http/httptest to verify happy-path login, signup, logout, invalid credential handling, CSRF failures, and session persistence.
Run go test -cover ./... to ensure the new logic maintains regression coverage.