Auth: Login, refresh, logout endpoints

[EricGrill]

Auth System — Step 3 (Backend)

Core auth API routes.

Endpoints:

• POST /api/auth/login — email/phone + password → access token + refresh token + user roles
• POST /api/auth/refresh — rotate refresh token, issue new token pair
• POST /api/auth/logout — revoke refresh token
• GET /api/auth/me — return current user + all farm roles
• POST /api/auth/change-password — requires active session

Implementation:

• backend/src/routes/auth.js — auth route handler
• Login: validate credentials, issue tokens, update last_login_at
• Refresh: validate hash, check expiry/revocation, rotate, detect reuse
• Logout: mark refresh token as revoked
• Me: return user profile + roles array
• Mount routes: app.use('/api/auth', authRoutes)

Depends on: JWT middleware
Design doc: docs/AUTH.md