feat(backend): mount API routes + cookie-parser + CORS with credentials

- index.ts: mount /api/auth, /api/videos, /api/playlists; add cookie-parser; CORS with credentials + FRONTEND_URL env
- auth.middleware: read token from Bearer header OR od_token httpOnly cookie
- routes: auth (session/logout/me), videos (level-gated), playlists (CRUD + share management)
- deps: cookie-parser + @types/cookie-parser

backend/src/routes/auth.routes.ts

@@ -0,0 +1,76 @@
+import { Router, Request, Response } from "express";
+import { requireAuth, AuthenticatedRequest } from "../middleware/auth.middleware";
+
+const router = Router();
+
+const COOKIE_NAME = "od_token";
+const COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === "production",
+  sameSite: "strict" as const,
+  maxAge: 15 * 60 * 1000, // 15 min — durée de vie du token SuperOAuth
+};
+
+/**
+ * POST /api/auth/session
+ * Reçoit le token depuis le callback SuperOAuth,
+ * le valide, puis le pose en httpOnly cookie.
+ */
+router.post("/session", async (req: Request, res: Response): Promise<void> => {
+  const { token } = req.body as { token?: string };
+
+  if (!token) {
+    res.status(400).json({ success: false, error: "MISSING_TOKEN" });
+    return;
+  }
+
+  const superOAuthUrl = process.env.SUPER_OAUTH_URL;
+  if (!superOAuthUrl) {
+    res.status(500).json({ success: false, error: "INTERNAL_ERROR" });
+    return;
+  }
+
+  try {
+    const response = await fetch(`${superOAuthUrl}/api/auth/token/validate`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ token }),
+    });
+
+    const data = await response.json() as {
+      success: boolean;
+      data?: { valid: boolean; user?: object };
+      error?: string;
+    };
+
+    if (!response.ok || !data.data?.valid) {
+      res.status(401).json({ success: false, error: "INVALID_TOKEN" });
+      return;
+    }
+
+    res.cookie(COOKIE_NAME, token, COOKIE_OPTIONS);
+    res.json({ success: true, data: { user: data.data.user } });
+  } catch {
+    res.status(500).json({ success: false, error: "AUTH_SERVICE_UNAVAILABLE" });
+  }
+});
+
+/**
+ * POST /api/auth/logout
+ * Supprime le cookie de session.
+ */
+router.post("/logout", (_req: Request, res: Response): void => {
+  res.clearCookie(COOKIE_NAME);
+  res.json({ success: true });
+});
+
+/**
+ * GET /api/auth/me
+ * Retourne l'utilisateur courant (cookie ou Bearer).
+ */
+router.get("/me", requireAuth, (req: Request, res: Response): void => {
+  const { user } = req as AuthenticatedRequest;
+  res.json({ success: true, data: { user } });
+});
+
+export default router;