refactor: unify authentication state and improve middleware efficiency

- Introduce AuthInfo struct for shared auth state.
- Populate AuthInfo in rate_limit_middleware and store in request extensions.
- Update AuthenticatedClient extractor to use pre-resolved AuthInfo.
- Simplify chat_completions by removing redundant DB lookups.

src/rate_limiting/mod.rs

@@ -299,6 +299,7 @@ pub mod middleware {
     use super::*;
     use crate::errors::AppError;
     use crate::state::AppState;
+    use crate::auth::AuthInfo;
     use axum::{
         extract::{Request, State},
         middleware::Next,
@@ -309,20 +310,24 @@ pub mod middleware {
     /// Rate limiting middleware
     pub async fn rate_limit_middleware(
         State(state): State<AppState>,
-        request: Request,
+        mut request: Request,
         next: Next,
     ) -> Result<Response, AppError> {
         // Extract token synchronously from headers (avoids holding &Request across await)
         let token = extract_bearer_token(&request);
 
-        // Resolve client_id: DB token lookup, then prefix fallback
-        let client_id = resolve_client_id(token, &state).await;
+        // Resolve client_id and populate AuthInfo: DB token lookup, then prefix fallback
+        let auth_info = resolve_auth_info(token, &state).await;
+        let client_id = auth_info.client_id.clone();
 
         // Check rate limits
         if !state.rate_limit_manager.check_client_request(&client_id).await? {
             return Err(AppError::RateLimitError("Rate limit exceeded".to_string()));
         }
 
+        // Store AuthInfo in request extensions for extractors and downstream handlers
+        request.extensions_mut().insert(auth_info);
+
         Ok(next.run(request).await)
     }
 
@@ -334,26 +339,39 @@ pub mod middleware {
             .map(|t| t.to_string())
     }
 
-    /// Resolve client ID: try DB token first, then fall back to token-prefix derivation
-    async fn resolve_client_id(token: Option<String>, state: &AppState) -> String {
+    /// Resolve auth info: try DB token first, then fall back to token-prefix derivation
+    async fn resolve_auth_info(token: Option<String>, state: &AppState) -> AuthInfo {
         if let Some(token) = token {
             // Try DB token lookup first
-            if let Ok(Some(cid)) = sqlx::query_scalar::<_, String>(
-                "SELECT client_id FROM client_tokens WHERE token = ? AND is_active = TRUE",
+            match sqlx::query_scalar::<_, String>(
+                "UPDATE client_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE token = ? AND is_active = TRUE RETURNING client_id",
             )
             .bind(&token)
             .fetch_optional(&state.db_pool)
             .await
             {
-                return cid;
+                Ok(Some(cid)) => {
+                    return AuthInfo {
+                        token,
+                        client_id: cid,
+                    };
+                }
+                Err(e) => {
+                    warn!("DB error during token lookup: {}", e);
+                }
+                _ => {}
             }
 
             // Fallback to token-prefix derivation (env tokens / permissive mode)
-            return format!("client_{}", &token[..8.min(token.len())]);
+            let client_id = format!("client_{}", &token[..8.min(token.len())]);
+            return AuthInfo { token, client_id };
         }
 
         // No token — anonymous
-        "anonymous".to_string()
+        AuthInfo {
+            token: String::new(),
+            client_id: "anonymous".to_string(),
+        }
     }
 
     /// Circuit breaker middleware for provider requests