feat(auth): refactor token resolution into shared TokenResolution and centralize in middleware; simplify AuthenticatedClient to carry resolved DB ID

src/server/mod.rs

@@ -121,6 +121,7 @@ async fn chat_completions(
     auth: AuthenticatedClient,
     Json(mut request): Json<ChatCompletionRequest>,
 ) -> Result<axum::response::Response, AppError> {
+<<<<<<< HEAD
     let client_id = auth.client_id.clone();
     let token = auth.token.clone();
 
@@ -131,6 +132,28 @@ async fn chat_completions(
              return Err(AppError::AuthError("Invalid authentication token".to_string()));
         }
     }
+=======
+    // Use the db_client_id from the AuthenticatedClient (already resolved by middleware)
+    let db_client_id = auth.db_client_id.clone();
+
+    let client_id = if let Some(cid) = db_client_id {
+        // Update last_used_at in background (fire-and-forget) for DB tokens
+        let pool = state.db_pool.clone();
+        let token = auth.token.clone();
+        tokio::spawn(async move {
+            let _ = sqlx::query("UPDATE client_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE token = ?")
+                .bind(&token)
+                .execute(&pool)
+                .await;
+        });
+        cid
+    } else if state.auth_tokens.is_empty() || state.auth_tokens.contains(&auth.token) {
+        // Env token match or permissive mode (no env tokens configured)
+        auth.client_id.clone()
+    } else {
+        return Err(AppError::AuthError("Invalid authentication token".to_string()));
+    };
+>>>>>>> 76e5b9f (perf(auth): eliminate duplicate token resolution database queries)
 
     let start_time = std::time::Instant::now();
     let model = request.model.clone();