Summary
- generate a separate requestee token for the QR login URL while keeping the requester token for status polling
- store and look up the requestee token for browser-side QR authentication and completion
- add a focused regression test that ensures the QR URL does not expose the requester token
Fixes #336
Test plan
cargo test -p gateway qr_login_url_uses_requestee_token_only -- --nocapture
cargo test -p gateway
cargo clippy -p gateway --all-targets --all-features (passes with existing warnings)
cargo test -p api -p gateway
git diff --check
## Summary
- generate a separate requestee token for the QR login URL while keeping the requester token for status polling
- store and look up the requestee token for browser-side QR authentication and completion
- add a focused regression test that ensures the QR URL does not expose the requester token
Fixes #336
## Test plan
- `cargo test -p gateway qr_login_url_uses_requestee_token_only -- --nocapture`
- `cargo test -p gateway`
- `cargo clippy -p gateway --all-targets --all-features` (passes with existing warnings)
- `cargo test -p api -p gateway`
- `git diff --check`
consume_qr_login_session_id returned the post-update NULL from RETURNING, so every completed poll 500'd and lost the session; return the pre-update value via a CTE. Also fetch the auth session before consuming so a transient failure is retry-safe.
Adds tests/e2e/test_qr_login.sh (+ make test-e2e-qr-login) covering the token split, one-shot consumption, and retry-safety. Logs when a completed poll finds the session already consumed.