feat(auth): user session isolation with JWT auth and RBAC (closes #13) #42

Open
mudassaralichouhan wants to merge 1 commit into hatefsystems:master from mudassaralichouhan:feature/user-session-isolation
@mudassaralichouhan

Adds an authentication subsystem (users, password hashing, JWT) and
enforces per-user ownership on crawl sessions, with role-based
access control (USER, ADMIN). Sessions created by user A are
invisible to user B; admins see everyone's.

Closes #13

Acceptance criteria (from the issue)

  • Users can register and log in (JWT-based authentication)
  • Each CrawlSession is linked to a userId
  • Only the session owner (or admin) can access session data
  • Role-based access control is enforced (admin, user)
  • Unit tests for user session isolation

Architecture

New module: search_engine/auth

| File | Role |
|---|---|
| User.h | User struct, Role enum (USER / ADMIN), AuthContext value type |
| UserStore.h | IUserStore interface + thread-safe InMemoryUserStore |
| PasswordHasher.{h,cpp} | PBKDF2-HMAC-SHA256 via OpenSSL. Encoded format: iter$saltB64$hashB64. 100k iterations by default; verify embeds the iteration count so existing hashes keep working |
| Base64Url.h | Header-only RFC 4648 §5 URL-safe base64 (no padding) |
| Jwt.{h,cpp} | HS256 JwtIssuer / verify backed by OpenSSL HMAC-SHA256. Claims: sub, username, role, iat, exp. Constant-time signature compare. Secret from JWT_SECRET env var with a noisy dev fallback |

API endpoints (AuthController)

| Method | Path | Purpose |
|---|---|---|
| POST | /api/auth/register | {username, password, role?} → 201 {id, username, role} (409 on duplicate; 8+ char password) |
| POST | /api/auth/login | {username, password} → {token, tokenType, user} (same 401 for unknown user or bad password to prevent enumeration) |
| GET | /api/auth/me | Bearer required → current user |

AuthController::extractAuth(req) static helper reads the
Authorization: Bearer … header and resolves it to an AuthContext
for use by other controllers.

SearchController gating

  • POST /api/crawl/add-site — requires Bearer; authenticated user
    becomes the session owner. stopPreviousSessions only affects
    sessions visible to the caller.
  • GET /api/crawl/status — requires Bearer; non-admin callers see
    only their own sessions.

Examples

# Register
curl -X POST http://localhost:3000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username":"alice","password":"alice-strong-pw"}'

# Login → get JWT
TOKEN=$(curl -s -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"alice","password":"alice-strong-pw"}' | jq -r .token)

# Start a crawl as alice
curl -X POST http://localhost:3000/api/crawl/add-site \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com","maxPages":5}'

# bob can't see alice's session
curl -H "Authorization: Bearer $BOB_TOKEN" \
  "http://localhost:3000/api/crawl/status?sessionId=<alice_session_id>"
# → 404 (not_found)

- Added user management functionality, including user registration, login, and JWT-based authentication.
- Introduced password hashing using PBKDF2-HMAC-SHA256 for secure password storage.
- Implemented Base64URL encoding/decoding for JWT segments.
- Enhanced CrawlerManager to support user ownership for crawl sessions, allowing only owners or admins to access their sessions.
- Updated CMakeLists.txt to include new authentication source files.
- Added comprehensive tests for authentication features, ensuring robustness and security.

    These changes significantly improve the security and usability of the application by implementing a structured user authentication system.
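The owner-or-admin rule from the "SearchController gating" section, sketched as an added example that is not code from this pull request. Role, AuthContext, CrawlSession and userId are names taken from the description; SessionRegistry, its methods and the field layout are assumptions, and the user and session ids are constructed.

```cpp
#include <map>
#include <optional>
#include <string>
#include <vector>

// Role, AuthContext, CrawlSession and userId follow the PR description;
// the field layout and SessionRegistry are assumptions made for this sketch.
enum class Role { USER, ADMIN };
struct AuthContext { std::string userId; Role role; };
struct CrawlSession { std::string id; std::string userId; bool running = true; };

class SessionRegistry {
    std::map<std::string, CrawlSession> sessions_;
    // The ownership rule lives in one place: owner or admin.
    static bool visible(const AuthContext& who, const CrawlSession& s) {
        return who.role == Role::ADMIN || s.userId == who.userId;
    }
public:
    // The owner comes from the verified token, never from the request body.
    void add(const AuthContext& who, const std::string& id) {
        sessions_[id] = CrawlSession{id, who.userId, true};
    }
    // nullopt covers both "no such session" and "not yours", so the caller
    // answers 404 in either case and session ids cannot be probed.
    std::optional<CrawlSession> find(const AuthContext& who, const std::string& id) const {
        auto it = sessions_.find(id);
        if (it == sessions_.end() || !visible(who, it->second)) return std::nullopt;
        return it->second;
    }
    std::vector<std::string> listVisible(const AuthContext& who) const {
        std::vector<std::string> out;
        for (const auto& kv : sessions_)
            if (visible(who, kv.second)) out.push_back(kv.first);
        return out;
    }
    // Stopping previous sessions is scoped to what the caller can see.
    int stopVisible(const AuthContext& who) {
        int stopped = 0;
        for (auto& kv : sessions_)
            if (kv.second.running && visible(who, kv.second)) { kv.second.running = false; ++stopped; }
        return stopped;
    }
};

int main() {
    SessionRegistry reg;
    AuthContext alice{"u-alice", Role::USER}, bob{"u-bob", Role::USER};  // constructed ids
    reg.add(alice, "s1");
    return reg.find(bob, "s1").has_value() ? 1 : 0;  // exit 0: bob takes the 404 path
}
```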
Successfully merging this pull request may close these issues.

Implement User-based Session Isolation with Authentication and Authorization
