
fix(#97): add auth middleware, rate limiting, and model allowlist to /api/chat#103

Merged: durdana3105 merged 1 commit into durdana3105:main from anshul23102:fix/97-chat-auth-rate-limit on May 26, 2026

Conversation

@anshul23102 (Contributor)

Closes #97

Problem

The POST /api/chat route accepted requests from any HTTP client with no authentication check. The model and max_tokens fields were taken directly from the request body with no validation, allowing any caller to substitute an expensive model or inflate token usage to exhaust the platform's OpenRouter API credit.

Changes

src/backend/middlewares/requireAuth.js (new file)

  • Reads the Authorization: Bearer <token> header
  • Calls supabase.auth.getUser(token) to validate the JWT server-side
  • Attaches req.user on success; returns 401 for missing or invalid tokens

src/backend/routers/chatRoutes.js

  • Apply requireAuth middleware before the route handler
  • Add a per-user in-memory rate limiter (20 requests per minute per user ID); returns 429 when exceeded
  • Validate model against an allowlist (openai/gpt-3.5-turbo, openai/gpt-4o-mini); reject unknown models with 400
  • Cap max_tokens at 512 server-side regardless of what the caller sends
  • Add basic input validation for the message / messages field

Testing

# Unauthenticated request - should return 401
curl -X POST http://localhost:3000/api/chat \
  -H "Content-Type: application/json" \
  -d '{"messages": [{"role": "user", "content": "Hi"}]}'

# Authenticated with disallowed model - should return 400
curl -X POST http://localhost:3000/api/chat \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <valid_token>" \
  -d '{"messages": [{"role": "user", "content": "Hi"}], "model": "anthropic/claude-3-opus"}'

…lowlist to /api/chat

The POST /api/chat route accepted requests from unauthenticated callers
and allowed the client to specify any model and any max_tokens value,
creating a direct financial risk via API cost exhaustion.

Changes:
- src/backend/middlewares/requireAuth.js (new): verifies the Supabase
  JWT from the Authorization header before passing the request through;
  returns 401 for missing or invalid tokens
- src/backend/routers/chatRoutes.js: apply requireAuth and a per-user
  in-memory rate limiter (20 req/min) to the /chat route; whitelist
  allowed models and cap max_tokens server-side at 512 regardless of
  caller input
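
The chain of checks the PR describes (bearer-token auth, a per-user in-memory limiter at 20 requests per minute, the model allowlist, the server-side max_tokens cap of 512, and validation of the message / messages field), written out as an added example in Express-style JavaScript. This is not the project's code: the Supabase call is hidden behind an assumed `verifyToken` callback so the example runs offline, `DEFAULT_MODEL` (used when the caller omits `model`) is an assumption, and `makeRateLimiter`, `validateChatBody`, `fakeRes` and `handleChat` are hypothetical helpers standing in for the router and Express's response object.

```javascript
// Added example, not the project's code: the /api/chat checks from the PR
// as small, testable functions plus an Express-style middleware.

const ALLOWED_MODELS = new Set(['openai/gpt-3.5-turbo', 'openai/gpt-4o-mini']);
const DEFAULT_MODEL = 'openai/gpt-4o-mini'; // assumption: fallback when model is omitted
const MAX_TOKENS_CAP = 512;                 // server-side ceiling from the PR
const RATE_LIMIT = 20;                      // requests per window per user ID
const RATE_WINDOW_MS = 60 * 1000;           // one-minute window

// requireAuth(verifyToken): verifyToken is an assumed async function that
// resolves to a user object ({ id }) or null, e.g. a wrapper around
// supabase.auth.getUser(token). Missing or invalid tokens get 401.
function requireAuth(verifyToken) {
  return async function (req, res, next) {
    const header = (req.headers && req.headers.authorization) || '';
    const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
    if (!match) return res.status(401).json({ error: 'missing bearer token' });
    let user = null;
    try { user = await verifyToken(match[1]); } catch (_) { user = null; }
    if (!user || !user.id) return res.status(401).json({ error: 'invalid token' });
    req.user = user;
    return next();
  };
}

// Fixed-window limiter keyed by user ID. State lives in this process only.
function makeRateLimiter({ limit = RATE_LIMIT, windowMs = RATE_WINDOW_MS } = {}) {
  const buckets = new Map(); // userId -> { windowStart, count }
  return function allow(userId, now = Date.now()) {
    const b = buckets.get(userId);
    if (!b || now - b.windowStart >= windowMs) {
      buckets.set(userId, { windowStart: now, count: 1 });
      return true;
    }
    if (b.count >= limit) return false;
    b.count += 1;
    return true;
  };
}

// Allowlist the model, clamp max_tokens, and check the messages shape.
// Accepts either "messages": [...] or a single "message" string.
function validateChatBody(body) {
  if (!body || typeof body !== 'object') return { ok: false, error: 'body must be a JSON object' };
  const model = body.model === undefined ? DEFAULT_MODEL : body.model;
  if (!ALLOWED_MODELS.has(model)) return { ok: false, error: 'model not allowed' };
  const requested = Number.isInteger(body.max_tokens) && body.max_tokens > 0 ? body.max_tokens : MAX_TOKENS_CAP;
  const max_tokens = Math.min(requested, MAX_TOKENS_CAP); // caller may lower, never raise
  let messages = body.messages;
  if (messages === undefined && typeof body.message === 'string') messages = [{ role: 'user', content: body.message }];
  if (!Array.isArray(messages) || messages.length === 0) return { ok: false, error: 'messages must be a non-empty array' };
  for (const m of messages) {
    const roleOk = m && ['system', 'user', 'assistant'].includes(m.role);
    if (!roleOk || typeof m.content !== 'string' || m.content.trim() === '') {
      return { ok: false, error: 'each message needs a valid role and non-empty string content' };
    }
  }
  return { ok: true, value: { model, max_tokens, messages } };
}

// Hypothetical stand-in for Express's res, so the chain runs without a server.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Hypothetical helper: runs one request through auth -> rate limit ->
// validation and returns the response the hardened route would send.
// The upstream OpenRouter call is not made; the sanitized body is echoed.
async function handleChat(req, { verifyToken, allow, now }) {
  const res = fakeRes();
  let authed = false;
  await requireAuth(verifyToken)(req, res, () => { authed = true; });
  if (!authed) return res;
  if (!allow(req.user.id, now)) return res.status(429).json({ error: 'rate limit exceeded' });
  const v = validateChatBody(req.body);
  if (!v.ok) return res.status(400).json({ error: v.error });
  return res.status(200).json({ forwarded: v.value });
}

// Demo with constructed requests mirroring the PR's curl tests and a fake verifier.
(async () => {
  const verifyToken = async (t) => (t === 'valid_token' ? { id: 'user-1' } : null);
  const allow = makeRateLimiter();
  const hi = [{ role: 'user', content: 'Hi' }];
  const anon = await handleChat({ headers: {}, body: { messages: hi } }, { verifyToken, allow });
  const badModel = await handleChat({ headers: { authorization: 'Bearer valid_token' },
    body: { messages: hi, model: 'anthropic/claude-3-opus' } }, { verifyToken, allow });
  console.log('unauthenticated ->', anon.statusCode, '| disallowed model ->', badModel.statusCode);
})();
```

Two caveats apply to this limiter and equally to the PR's in-memory one: the Map is per-process, so behind several instances, or on a serverless platform such as Vercel where each function instance has its own memory, every instance counts separately and the effective limit is a multiple of 20; and entries are never evicted, so stale user IDs accumulate until the process restarts. A shared store (Redis or the database) addresses both. Note also that the rate check runs before validation, so rejected 400s still consume quota, and that max_tokens bounds only the completion; prompt tokens are still billed, which is why the message validation matters as well.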

@vercel bot commented May 25, 2026

@anshul23102 is attempting to deploy a commit to the durdana3105's projects Team on Vercel.

A member of the Team first needs to authorize it.

durdana3105 merged commit a19841d into durdana3105:main on May 26, 2026
1 check failed


Development

Successfully merging this pull request may close these issues.

[BUG] /api/chat endpoint has no authentication or rate limiting — OpenRouter API costs can be exhausted by any unauthenticated caller
