Auth: JWT middleware + utilities (authenticate/authorize)

## Auth System — Step 2 (Backend)

Replace static API key middleware with JWT-based auth.

**New middleware:**
- `authenticate(req, res, next)` — verify JWT, attach `req.user`
- `authorize(...roles)` — check user has required role for the farm
- Dev mode bypass: if `JWT_SECRET` unset and `NODE_ENV !== 'production'`, inject synthetic admin

**JWT strategy:**
- Access token: HS256, 15min lifetime, in-memory only
- Refresh token: 48 random bytes, bcrypt-hashed in DB, 30-day lifetime
- Token rotation with reuse detection

**Dependencies:** `jsonwebtoken`, `bcrypt` (or `bcryptjs`)

**Implementation:**
- [ ] Rewrite `backend/src/middleware/auth.js`
- [ ] JWT sign/verify utilities
- [ ] Refresh token hashing + rotation logic
- [ ] Dev mode bypass preserved
- [ ] Production startup error if `JWT_SECRET` missing
- [ ] Auth-specific rate limiters (login: 10/15min, register: 5/hr)

**Depends on:** DB migration
**Design doc:** `docs/AUTH.md`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auth: JWT middleware + utilities (authenticate/authorize) #121

Auth System — Step 2 (Backend)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Auth: JWT middleware + utilities (authenticate/authorize) #121

Description

Auth System — Step 2 (Backend)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions