security: Add Authentication and Authorization to API Routes

[nik-kale]

Summary

This PR addresses the critical security vulnerability where all API endpoints were completely open without authentication. All mission endpoints now require authentication, enforce role-based access control (RBAC), and implement user ownership checks.

Changes

• Applied requireAuth middleware to all mission endpoints
• Added role-based access control: OPERATOR and ADMIN can create missions, VIEWER can only read
• Implemented user ownership checks: users can only access their own missions
• Switched from in-memory missionService to database-backed missionRepository
• Added GET /api/missions/stats endpoint for user statistics
• Added DELETE /api/missions/:id endpoint with ownership validation
• Updated CreateMissionRequest type to include dashboardUrl, dashboardType, and priority
• Added stub endpoints for authentication (/api/auth/register, /api/auth/login, /api/auth/refresh)
• All endpoints now use structured logging instead of console.log
• Admin users can view all missions, regular users only see their own

Type of Change

• Security patch
• New feature (user-scoped missions, stats, delete)
• Bug fix
• Breaking change
• Documentation update

Testing

• Verified no linting errors in modified files
• Authentication middleware integration:
  • Unauthenticated requests return 401 Unauthorized
  • Users can only access their own missions (403 for unauthorized access)
  • Role enforcement: VIEWER role cannot create missions
  • Admin users can access all missions
  • Ownership validation on mission access and deletion

Security Improvements

• ✅ All mission endpoints now require valid JWT authentication
• ✅ Role-based access control enforced (OPERATOR/ADMIN for creation, all authenticated for read)
• ✅ User ownership validation prevents cross-user data access
• ✅ Admin override capability for support and debugging
• ✅ Structured logging for all authentication events
• ✅ Rate limiting on auth endpoints (authRateLimiter)

Checklist

• Code follows project style guidelines
• Self-review completed
• Comments added for complex logic
• Documentation updated (inline comments)
• No new warnings introduced
• Proper error handling for all authorization failures

Related Issues

Addresses Feature #2 from FEATURE_OPPORTUNITIES.md - Priority Score: 3.0 ⭐

Notes

• Authentication endpoint implementations (/api/auth/*) are stubbed and return 501
• These will be implemented in a future PR once the auth service is fully integrated
• Mission ownership is now tracked via userId in the database

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Register missions with execution service before running

Missions are now created via missionRepository (lines 34-38) but the executor (browserAgent.executeMission) still updates status and steps through the in-memory missionService. Because the mission is never inserted into missionService, every execution call throws “Mission not found” on the first updateStatus, so the async run fails immediately and no status/steps are persisted for any mission. The change effectively makes all mission executions fail right after creation. Consider adding the mission to the service used by the executor or switching the executor to use the repository-backed storage.

Useful? React with 👍 / 👎.

[nik-kale]

Closing PR - content was implemented but reverted by user preference. Available for reference.