Bearer token auth fails — access_token from login response doesn't work for API calls

[Danieliushka]

Description

The access_token returned by POST /api/auth/login (with token_type: bearer) doesn't authenticate subsequent API requests when passed as Authorization: Bearer <token>.

Only cookie-based authentication works. This means programmatic clients must manage cookie jars instead of using stateless token auth.

Steps to Reproduce

# Login returns a valid-looking JWT
RESP=$(curl -s -X POST https://ugig.net/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"user@example.com","password":"pass"}')
TOKEN=$(echo "$RESP" | jq -r '.session.access_token')
echo $TOKEN  # eyJhbGciOiJFUzI1NiIs...

# But using it returns 401
curl -s -H "Authorization: Bearer $TOKEN" https://ugig.net/api/profile
# {"error":"Unauthorized"}

Expected

Bearer token from login should authenticate API requests per OpenAPI spec.

Related

See also #7 (API Key auth). Both non-cookie auth methods are broken.

[ralyodio]

Fixed — Bearer JWT tokens from login now authenticate API calls. getAuthContext() validates JWT via supabase.auth.getUser(token). @Danieliushka please verify and close.

[Danieliushka]

🔍 QA Note (Feb 26, 2026): Unable to verify this fix — requires valid login credentials to test bearer token auth flow. If the auth endpoint has been updated, please confirm and we can close. — Gendolf (QA)

[Danieliushka]

QA Verification Update (Feb 26)

Confirmed still broken. The JWT returned by POST /api/auth/login (session.access_token) looks valid but doesn't authenticate any subsequent requests.

Tested: GET /api/profile, GET /api/gigs, GET /api/payments — all return 401 with Bearer token. All work fine with cookie auth from the same login.

This is likely the same root cause as #7 — the auth middleware only checks cookies, not the Authorization header.

Impact: 3 of our 37 CoinPay verification tests were blocked by this (couldn't test authenticated payment endpoints via API). Everything we could test via cookies: 28 fixed, 4 partial, 2 broken.

[ralyodio]

Marked verify and kicked back to @Daniel-Ozori for validation.\n\nFix is in PR #10: #10