feat: implement tenant OAuth flow and guest achievements

docs/prp/13-backend-authentication.md

@@ -7,7 +7,7 @@ This document outlines the authentication requirements and implementation detail
 ## Authentication Flow
 
 ### 1. Authorization Request
-- **Endpoint**: `POST /oauth/authorize`
+- **Endpoint**: `GET /api/v1/oauth/authorize`
 - **Method**: GET (redirect from frontend)
 - **Parameters**:
   - `client_id`: Fixed client ID for tenant-admin-app (`tenant-admin-app`)
@@ -21,7 +21,7 @@ This document outlines the authentication requirements and implementation detail
 **Response**: Redirect to frontend with authorization code and state parameters.
 
 ### 2. Token Exchange
-- **Endpoint**: `POST /oauth/token`
+- **Endpoint**: `POST /api/v1/oauth/token`
 - **Method**: POST
 - **Content-Type**: `application/x-www-form-urlencoded`
 - **Parameters**:
@@ -44,7 +44,7 @@ This document outlines the authentication requirements and implementation detail
 ```
 
 ### 3. Token Refresh
-- **Endpoint**: `POST /oauth/token`
+- **Endpoint**: `POST /api/v1/oauth/token`
 - **Method**: POST
 - **Content-Type**: `application/x-www-form-urlencoded`
 - **Parameters**:
@@ -102,6 +102,19 @@ This document outlines the authentication requirements and implementation detail
 
 ### oauth_clients Table
 ```sql
+CREATE TABLE oauth_clients (
+  id VARCHAR(255) PRIMARY KEY,
+  client_id VARCHAR(255) UNIQUE NOT NULL,
+  client_secret VARCHAR(255),
+  tenant_id BIGINT UNSIGNED NULL,
+  redirect_uris JSON NULL,
+  scopes JSON NULL,
+  is_active TINYINT(1) DEFAULT 1,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+  updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+  CONSTRAINT oauth_clients_tenant_id_foreign FOREIGN KEY (tenant_id) REFERENCES tenants(id) ON DELETE SET NULL
+);
+```sql
 CREATE TABLE oauth_clients (
   id VARCHAR(255) PRIMARY KEY,
   client_id VARCHAR(255) UNIQUE NOT NULL,
@@ -133,6 +146,20 @@ CREATE TABLE oauth_codes (
 
 ### refresh_tokens Table
 ```sql
+CREATE TABLE refresh_tokens (
+  id VARCHAR(255) PRIMARY KEY,
+  tenant_id VARCHAR(255) NOT NULL,
+  client_id VARCHAR(255),
+  token VARCHAR(255) UNIQUE NOT NULL,
+  access_token VARCHAR(255),
+  scope TEXT,
+  ip_address VARCHAR(45),
+  user_agent TEXT,
+  expires_at TIMESTAMP,
+  revoked_at TIMESTAMP NULL,
+  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+```sql
 CREATE TABLE refresh_tokens (
   id VARCHAR(255) PRIMARY KEY,
   tenant_id VARCHAR(255) NOT NULL,
@@ -261,18 +288,22 @@ VITE_OAUTH_CLIENT_ID=tenant-admin-app
 - Revoke old refresh token immediately
 - Limit refresh tokens per tenant to 5 active
 
-### 3. Rate Limiting
+### 3. Key Management
+- RSA key pairs for signing are generated on demand and stored in storage/app/private.key (private) and storage/app/public.key (public).
+- Treat the private key as a secret; rotate it alongside deploys that invalidate tenant tokens.
+
+### 4. Rate Limiting
 - Authorization requests: 10/minute per IP
 - Token exchanges: 5/minute per IP
 - Token validation: 100/minute per tenant
 
-### 4. Logging and Monitoring
+### 5. Logging and Monitoring
 - Log all authentication attempts (success/failure)
 - Monitor token usage patterns
 - Alert on unusual activity (multiple failed attempts, token anomalies)
 - Track refresh token usage for security analysis
 
-### 5. Database Cleanup
+### 6. Database Cleanup
 - Cron job to remove expired authorization codes (daily)
 - Remove expired refresh tokens (weekly)
 - Clean blacklisted tokens after expiry (daily)
@@ -315,4 +346,10 @@ VITE_OAUTH_CLIENT_ID=tenant-admin-app
 - Alert on PKCE validation failures
 - Log all security-related events
 
-This implementation provides secure, scalable authentication for the Fotospiel tenant system, following OAuth2 best practices with PKCE for public clients.
+This implementation provides secure, scalable authentication for the Fotospiel tenant system, following OAuth2 best practices with PKCE for public clients.
+
+
+
+
+
+