feat: auth system hardening with token revocation, password management, and error sanitization

- Add token revocation with in-memory blacklist and periodic cleanup (SEC-M1)
- Add POST /api/auth/logout endpoint
- Fix OIDC auth_token cookie to HttpOnly with exchange endpoint (SEC-H3)
- Add password complexity validation (min 8 chars) (SEC-M2)
- Prevent admin self-deletion (SEC-M3)
- Add PUT /api/auth/users/{uid} for role/email updates (FUNC-M1)
- Add PUT /api/auth/users/{uid}/password for password changes (FUNC-H1)
- Sanitize error messages in auth handlers (SEC-M4)

internal/auth/middleware.go

@@ -18,7 +18,7 @@ const claimsKey contextKey = "auth_claims"
 func Middleware(la *LocalAuth) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			tokenStr := extractToken(r)
+			tokenStr := ExtractToken(r)
 			if tokenStr == "" {
 				http.Error(w, `{"success":false,"error":"authentication required"}`, http.StatusUnauthorized)
 				return
@@ -30,6 +30,11 @@ func Middleware(la *LocalAuth) func(http.Handler) http.Handler {
 				return
 			}
 
+			if la.IsRevoked(tokenStr) {
+				http.Error(w, `{"success":false,"error":"token has been revoked"}`, http.StatusUnauthorized)
+				return
+			}
+
 			ctx := context.WithValue(r.Context(), claimsKey, claims)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
@@ -55,8 +60,8 @@ func ClaimsFromContext(ctx context.Context) (Claims, bool) {
 	return claims, ok
 }
 
-// extractToken gets the JWT from the Authorization header or "token" query param.
-func extractToken(r *http.Request) string {
+// ExtractToken gets the JWT from the Authorization header or "token" query param.
+func ExtractToken(r *http.Request) string {
 	// Try Authorization: Bearer <token>
 	authHeader := r.Header.Get("Authorization")
 	if strings.HasPrefix(authHeader, "Bearer ") {