pub async fn bearer_auth(req: Request, next: Next) -> ResponseExpand description
Bearer-token authentication middleware.
If the allowlist is empty the request passes through (dev mode — already
warned at startup) and a synthetic AuthContext::dev is inserted into
the request extensions. Otherwise the Authorization: Bearer <token>
header must match one of the allowlisted tokens; missing or mismatched
headers produce 401 Unauthorized with the standard error envelope and
kind: "unauthorized". On success an AuthContext keyed by the
stable crate::rate_limit::TokenId derived from the bearer token is
inserted into the request extensions for downstream middleware (rate
limiting, audit) to consume.