Problem

I woke up to this problem today when discussing the Bot testing approach over email with Artur. PATs only work for git operations (via Caddy forward_auth). REST API consumers — CI/CD pipelines, third-party integrations, authorized bots — have no way to authenticate programmatically without simulating browser session login, which is fragile and stateful.

Expected Behavior

Any REST API call with Authorization: Bearer <token> should be validated against PersonalAccessTokenRepository and granted access with the token owner's identity and roles, identical to a session-authenticated user.

Current Behavior

Spring Security ignores the Authorization: Bearer header on REST endpoints. Only session cookies (JSESSIONID) are recognized. PATs are validated by Caddy only for /git/* routes.

Fix

Implement a PATAuthenticationFilter in Spring Security:

1. Extract Authorization: Bearer <token> from the request header
2. Look up the token in PersonalAccessTokenRepository
3. Validate — not expired, not revoked
4. Set the SecurityContext with the token owner's identity and roles
5. Wire into SessionAuthSecurityConfig before UsernamePasswordAuthenticationFilter

Estimate

2-3h

Worklog

Notes

• Industry standard: browser uses session cookie, everything else uses PAT as Bearer token
• GitHub, GitLab, Jira all follow this pattern
• This is a prerequisite for authorized bot access (SZ-73 Layer 4)
• PersonalAccessTokenRepository and PATHashService already exist — filter is the missing piece