OAuth 2.0 authorize/token flow

## Summary

Add a shared OAuth 2.0 authorization and token exchange flow to JSS. This is the missing piece that unlocks three ecosystems:

- **Mastodon clients** (Elk, Phanpy, Ice Cubes) — need OAuth to complete login after client registration (#158, landed in #159)
- **remoteStorage apps** (Litewrite, Groovebasin, 100+ apps) — need OAuth implicit/code flow (#106)
- **Third-party pane auth** — any losos pane that needs to authenticate external users

## What exists

- **Solid-OIDC** — full DPoP-bound token verification, JWKS caching, replay prevention (`src/auth/solid-oidc.js`)
- **Client registration** — `POST /api/v1/apps` with in-memory store (`src/ap/routes/mastodon.js`)
- **Token extraction** — supports DPoP, Bearer, Nostr NIP-98, WebID-TLS (`src/auth/token.js`)

OIDC already provides 90% of the OAuth 2.0 foundation. The gap is small.

## What's needed

### 1. Authorization endpoint — `GET /oauth/authorize`

```
GET /oauth/authorize
  ?client_id=<registered_client_id>
  &redirect_uri=https://app.example.com/callback
  &response_type=code
  &scope=read+write
```

Shows consent dialog, redirects with authorization code.

### 2. Token endpoint — `POST /oauth/token`

```
POST /oauth/token
  grant_type=authorization_code
  &code=<auth_code>
  &client_id=<client_id>
  &client_secret=<client_secret>
  &redirect_uri=https://app.example.com/callback
```

Returns Bearer token:

```json
{
  "access_token": "...",
  "token_type": "Bearer",
  "scope": "read write",
  "created_at": 1710000000
}
```

### 3. Bearer token validation in auth middleware

Add Bearer token verification to the existing token extraction pipeline in `src/auth/token.js`.

## Consumers

| Consumer | Flow | Scope format |
|----------|------|-------------|
| Mastodon clients | Authorization code | `read`, `write`, `follow` |
| remoteStorage apps | Implicit (token) | `photos:rw`, `documents:r` |
| losos panes | Authorization code | `read`, `write` |

## Implementation notes

- Reuse existing OIDC session if user is already logged in (no double login)
- Store tokens with HMAC signature (like existing simple bearer in token.js)
- Auth skip already established for `/api/v1/*` pattern — add `/oauth/*`
- Consent dialog can be minimal HTML (no React/framework needed)

## References

- #158 — Mastodon-compatible OAuth + API endpoints
- #159 — Mastodon API Step 1 (merged)
- #106 — remoteStorage protocol support (needs OAuth Phase 2)
- [Mastodon OAuth docs](https://docs.joinmastodon.org/methods/oauth/)
- [remoteStorage OAuth](https://remotestorage.io/spec/draft-dejong-remotestorage-26#authorization)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OAuth 2.0 authorize/token flow #160

Summary

What exists

What's needed

1. Authorization endpoint — `GET /oauth/authorize`

2. Token endpoint — `POST /oauth/token`

3. Bearer token validation in auth middleware

Consumers

Implementation notes

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Consumer	Flow	Scope format
Mastodon clients	Authorization code	`read`, `write`, `follow`
remoteStorage apps	Implicit (token)	`photos:rw`, `documents:r`
losos panes	Authorization code	`read`, `write`

OAuth 2.0 authorize/token flow #160

Description

Summary

What exists

What's needed

1. Authorization endpoint — GET /oauth/authorize

2. Token endpoint — POST /oauth/token

3. Bearer token validation in auth middleware

Consumers

Implementation notes

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions

1. Authorization endpoint — `GET /oauth/authorize`

2. Token endpoint — `POST /oauth/token`