Description
The access_token returned by POST /api/auth/login (with token_type: bearer) doesn't authenticate subsequent API requests when passed as Authorization: Bearer <token>.
Only cookie-based authentication works. This means programmatic clients must manage cookie jars instead of using stateless token auth.
Steps to Reproduce
# Login returns a valid-looking JWT
RESP=$(curl -s -X POST https://ugig.net/api/auth/login \
-H 'Content-Type: application/json' \
-d '{"email":"user@example.com","password":"pass"}')
TOKEN=$(echo "$RESP" | jq -r '.session.access_token')
echo "$TOKEN" # eyJhbGciOiJFUzI1NiIs...
# But presenting it as a bearer token returns 401
curl -s -H "Authorization: Bearer $TOKEN" https://ugig.net/api/profile
# {"error":"Unauthorized"}
Expected
The bearer token returned by login should authenticate API requests, as the OpenAPI spec describes.
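What the expected behaviour looks like server-side, as an added illustration that is not the project's code: one resolver takes the token from either the Authorization header (RFC 6750 bearer syntax) or the session cookie, and both paths go through the same verification. The HS256 demo secret, the `session` cookie name and all function names are assumptions; the real service issues ES256 tokens, which would be verified with the EC public key instead.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. The real service signs with ES256 (see the token
# prefix in the report), so a real verifier would use the EC public key.
SECRET = b"demo-secret-not-real"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims):
    """Mint an HS256 JWT for the demo (stands in for POST /api/auth/login)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own choice
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    return claims if claims.get("exp", 0) > now else None


def extract_token(headers, cookies):
    """Prefer Authorization: Bearer; fall back to the (hypothetical) session cookie."""
    auth = headers.get("authorization")  # header names assumed lowercased
    if auth is not None:
        parts = auth.split()
        if len(parts) == 2 and parts[0].lower() == "bearer":  # scheme is case-insensitive
            return parts[1]
        return None  # malformed header: reject rather than silently use the cookie
    return cookies.get("session")


def authenticate(headers, cookies, now=None):
    token = extract_token(headers, cookies)
    return verify_token(token, now) if token else None
```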
Related
See also #7 (API Key auth). Both non-cookie auth methods are broken.