Add support API scaffold

app/Http/Middleware/EnsureSupportToken.php

@@ -0,0 +1,66 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Support\ApiError;
+use Closure;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Laravel\Sanctum\PersonalAccessToken;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureSupportToken
+{
+    /**
+     * Handle an incoming request.
+     */
+    public function handle(Request $request, Closure $next): JsonResponse|Response
+    {
+        $user = $request->user();
+
+        if (! $user) {
+            return $this->unauthorizedResponse('Unauthenticated request.');
+        }
+
+        $accessToken = $user->currentAccessToken();
+
+        if (! $accessToken instanceof PersonalAccessToken) {
+            return $this->unauthorizedResponse('Missing personal access token context.');
+        }
+
+        if (! $user->isSuperAdmin()) {
+            return $this->forbiddenResponse('Only super administrators may access support APIs.');
+        }
+
+        if (! $accessToken->can('support-admin') && ! $accessToken->can('super-admin')) {
+            return $this->forbiddenResponse('Access token does not include the support-admin ability.');
+        }
+
+        $request->attributes->set('support_token_id', $accessToken->id);
+
+        Auth::shouldUse('sanctum');
+
+        return $next($request);
+    }
+
+    private function unauthorizedResponse(string $message): JsonResponse
+    {
+        return ApiError::response(
+            'unauthenticated',
+            'Unauthenticated',
+            $message,
+            Response::HTTP_UNAUTHORIZED
+        );
+    }
+
+    private function forbiddenResponse(string $message): JsonResponse
+    {
+        return ApiError::response(
+            'support_forbidden',
+            'Forbidden',
+            $message,
+            Response::HTTP_FORBIDDEN
+        );
+    }
+}