fix(api): use hash-based token validation instead of JWT

Changed all API endpoints to validate os_xxx tokens via SHA-256 hash
lookup in the database instead of expecting JWT format.

This allows tokens generated in the settings page (Ajustes → Dispositivos)
to work correctly with the Android app.

- /api/auth/device/verify: validates os_xxx tokens via hash
- /api/inbox: uses hash-based auth
- /api/inbox/batch: uses hash-based auth
- No token expiration (tokens valid until revoked)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

app/api/inbox/batch/route.ts

@@ -2,10 +2,10 @@
  * POST /api/inbox/batch
  *
  * Recebe múltiplas notificações do app Android (sync offline).
- * Requer autenticação via API token.
+ * Requer autenticação via API token (formato os_xxx).
  */
 
-import { validateApiToken, extractBearerToken } from "@/lib/auth/api-token";
+import { extractBearerToken, hashToken } from "@/lib/auth/api-token";
 import { db } from "@/lib/db";
 import { apiTokens, inboxItems } from "@/db/schema";
 import { eq, and, isNull } from "drizzle-orm";
@@ -55,34 +55,33 @@ export async function POST(request: Request) {
       );
     }
 
-    // Validar JWT
-    const payload = validateApiToken(token);
-
-    if (!payload) {
+    // Validar token os_xxx via hash
+    if (!token.startsWith("os_")) {
       return NextResponse.json(
-        { error: "Token inválido ou expirado" },
+        { error: "Formato de token inválido" },
         { status: 401 }
       );
     }
 
-    // Verificar se token não foi revogado
+    const tokenHash = hashToken(token);
+
+    // Buscar token no banco
     const tokenRecord = await db.query.apiTokens.findFirst({
       where: and(
-        eq(apiTokens.id, payload.tokenId),
-        eq(apiTokens.userId, payload.sub),
+        eq(apiTokens.tokenHash, tokenHash),
         isNull(apiTokens.revokedAt)
       ),
     });
 
     if (!tokenRecord) {
       return NextResponse.json(
-        { error: "Token revogado ou não encontrado" },
+        { error: "Token inválido ou revogado" },
         { status: 401 }
       );
     }
 
     // Rate limiting
-    if (!checkRateLimit(payload.sub)) {
+    if (!checkRateLimit(tokenRecord.userId)) {
       return NextResponse.json(
         { error: "Limite de requisições excedido", retryAfter: 60 },
         { status: 429 }
@@ -101,10 +100,10 @@ export async function POST(request: Request) {
         const [inserted] = await db
           .insert(inboxItems)
           .values({
-            userId: payload.sub,
+            userId: tokenRecord.userId,
             sourceApp: item.sourceApp,
             sourceAppName: item.sourceAppName,
-            deviceId: item.deviceId || payload.deviceId,
+            deviceId: item.deviceId,
             originalTitle: item.originalTitle,
             originalText: item.originalText,
             notificationTimestamp: item.notificationTimestamp,
@@ -132,13 +131,17 @@ export async function POST(request: Request) {
     }
 
     // Atualizar último uso do token
+    const clientIp = request.headers.get("x-forwarded-for")?.split(",")[0]?.trim()
+      || request.headers.get("x-real-ip")
+      || null;
+
     await db
       .update(apiTokens)
       .set({
         lastUsedAt: new Date(),
-        lastUsedIp: request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip"),
+        lastUsedIp: clientIp,
       })
-      .where(eq(apiTokens.id, payload.tokenId));
+      .where(eq(apiTokens.id, tokenRecord.id));
 
     const successCount = results.filter((r) => r.success).length;
     const failCount = results.filter((r) => !r.success).length;