refactor: Replace header based identity with verified token identity #143

@paradyo

Description

An insecure identity mechanism currently allows clients to provide identity through custom request headers without server side verification. This must be replaced so that authenticated user identity is derived exclusively from validated Clerk tokens issued during authentication. All backend endpoints currently reading identity from manual headers must instead rely on the verified user identity extracted by the authentication middleware to prevent impersonation and unauthorized access.

Ownership, Timeline, and Effort

Owner: @cenkerenozbek
Given Date: 04-03-2026
Deadline: 08-03-2026 24:00 (end of day, explicitly stated)
Hours: 1
Value: 1
Week: 10

Deliverables

  • Existing header based identity handling removed from backend services.
  • Backend endpoints updated to retrieve user identity exclusively from validated Clerk token context.
  • Authentication middleware user identity propagation available to protected endpoints.
  • Verification that all protected endpoints operate using middleware provided user identity.
  • Pull request containing refactor changes merged into the main branch.

Scope Definition

In Scope

  • Remove logic that trusts client provided identity headers.
  • Identify backend endpoints currently relying on manual identity headers.
  • Update endpoints to use authenticated identity extracted from Clerk token verification middleware.
  • Ensure authenticated identity is passed through the request lifecycle to protected handlers.
  • Validate endpoint behavior using middleware provided identity context.
  • Submit pull request implementing the refactor.

Out of Scope

  • Changes to frontend authentication flows.
  • Implementation of the Clerk authentication middleware itself.
  • Role based authorization or permission logic.
  • Changes to external API integrations.
  • User account management logic.

Acceptance Criteria

  • Client provided identity headers are no longer used by backend endpoints.
  • Backend identity is derived exclusively from validated Clerk tokens.
  • All protected endpoints successfully retrieve identity from authentication middleware.
  • Requests with invalid or missing authentication tokens cannot impersonate another user.
  • Backend behavior remains functional for valid authenticated requests.
  • Pull request implementing the refactor is merged into the main branch.

Domain Specific Notes

Engineering considerations:

  • Identity extraction must rely only on the verified authentication context established by the Clerk token validation middleware.
  • All previously trusted identity headers must be fully removed to eliminate impersonation risk.

Assumption: Authentication middleware that validates Clerk tokens and provides verified user identity to request handlers has already been implemented.

Validation and Review Requirements

  • Reviewer verifies removal of all header based identity handling.
  • Reviewer confirms endpoints correctly obtain identity from middleware context.
  • Reviewer validates that unauthorized requests cannot inject identity headers.
  • Reviewer verifies existing functionality remains operational for authenticated users.
  • Issue is considered Done only when the refactor pull request is merged into the main branch.
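
The refactor and its review check, sketched as an added example that is not code from this repository: a handler that trusts a client header beside one that reads identity only from middleware context, plus the check a reviewer could run against each endpoint. The header name `X-User-Id`, the user ids, the token format and the HMAC verifier are assumptions standing in for the project's legacy header and for the existing Clerk token validation middleware.

```python
import hashlib
import hmac

# Stand-in for Clerk token verification (assumption): the real backend would rely
# on the already-implemented Clerk middleware. Demo token: "<user_id>.<hex mac>".
_DEMO_KEY = b"constructed-demo-key"
IDENTITY_HEADER = "X-User-Id"  # hypothetical name of the legacy client header

def _mac(user_id: str) -> str:
    return hmac.new(_DEMO_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def issue_demo_token(user_id: str) -> str:
    return f"{user_id}.{_mac(user_id)}"

def verify_demo_token(token: str):
    """Return the user id the token was issued for, or None if it does not verify."""
    user_id, _, mac = token.rpartition(".")
    ok = bool(user_id) and hmac.compare_digest(mac.encode(), _mac(user_id).encode())
    return user_id if ok else None

def auth_middleware(handler):
    """Verify the bearer token and pass the handler a server-derived identity."""
    def wrapped(headers: dict):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        user_id = verify_demo_token(token) if scheme == "Bearer" else None
        if user_id is None:
            return 401, "unauthenticated"
        # Identity travels in server-side context, never in a client header.
        return handler(headers, {"user_id": user_id})
    return wrapped

def legacy_profile(headers: dict):
    # Before: serves whichever user the client names in the header.
    return 200, f"profile of {headers.get(IDENTITY_HEADER)}"

@auth_middleware
def profile(headers: dict, auth: dict):
    # After: the identity header is never read.
    return 200, f"profile of {auth['user_id']}"

def check_no_header_identity(endpoint) -> bool:
    """Reviewer check: a client-sent identity header must not decide whose data is served."""
    spoof = {IDENTITY_HEADER: "user_victim"}  # constructed sample values
    valid = {"Authorization": "Bearer " + issue_demo_token("user_mallory"), **spoof}
    forged = {"Authorization": "Bearer user_victim." + "0" * 64, **spoof}
    return (endpoint(valid) == (200, "profile of user_mallory")
            and endpoint(forged)[0] == 401
            and endpoint(spoof)[0] == 401)
```

`check_no_header_identity(profile)` passes while the same check on `legacy_profile` fails, which covers the valid-token, invalid-token and missing-token cases from the acceptance criteria.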
