Changed all API endpoints to validate os_xxx tokens via SHA-256 hash
lookup in the database instead of expecting JWT format.
This allows tokens generated in the settings page (Ajustes → Dispositivos)
to work correctly with the Android app.
- /api/auth/device/verify: validates os_xxx tokens via hash
- /api/inbox: uses hash-based auth
- /api/inbox/batch: uses hash-based auth
- No token expiration (tokens valid until revoked)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Implement JWT-based authentication system for device access
- Access tokens (7 day expiry) and refresh tokens (90 day expiry)
- HMAC-SHA256 signing with timing-safe comparison
- Token hashing with SHA-256 for secure storage
- Add device authentication endpoints:
- POST /api/auth/device/token - Login with email/password, get tokens
- POST /api/auth/device/refresh - Refresh access token
- POST /api/auth/device/verify - Verify token validity
- GET /api/auth/device/tokens - List user's API tokens
- DELETE /api/auth/device/tokens/[id] - Revoke specific token
- Track token usage (last used timestamp and IP)
