Add token type to JWT claims for access/refresh distinction

- Add TokenType enum and include in Claims struct
- GenerateRefreshToken now creates tokens with TokenRefresh type
- AuthRequired middleware rejects refresh tokens
- AuthService.Refresh validates token type
- Tests verify type validation

internal/auth/jwt_test.go

@@ -34,6 +34,9 @@ func TestParseTokenValid(t *testing.T) {
 	if claims.UserID != "user-1" {
 		t.Errorf("UserID = %q, want %q", claims.UserID, "user-1")
 	}
+	if claims.Type != TokenAccess {
+		t.Errorf("Type = %q, want %q", claims.Type, TokenAccess)
+	}
 }
 
 func TestParseTokenWrongSecret(t *testing.T) {
@@ -78,6 +81,17 @@ func TestGenerateRefreshToken(t *testing.T) {
 	if token == "" {
 		t.Fatal("token is empty")
 	}
+	if !strings.Contains(token, ".") {
+		t.Fatal("token does not look like a JWT")
+	}
+
+	claims, err := ParseToken(token, secret)
+	if err != nil {
+		t.Fatalf("ParseToken = %v", err)
+	}
+	if claims.Type != TokenRefresh {
+		t.Errorf("Type = %q, want %q", claims.Type, TokenRefresh)
+	}
 }
 
 func TestTokenUserIDCarried(t *testing.T) {
@@ -91,3 +105,21 @@ func TestTokenUserIDCarried(t *testing.T) {
 		t.Errorf("UserID = %q, want %q", claims.UserID, "alice-42")
 	}
 }
+
+func TestRefreshTokenRejectedByMiddleware(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := GenerateRefreshToken("user-1", secret, 7*24*time.Hour)
+	if err != nil {
+		t.Fatalf("GenerateRefreshToken = %v", err)
+	}
+
+	// Simulate what the middleware does: parse + check type
+	claims, err := ParseToken(token, secret)
+	if err != nil {
+		t.Fatalf("ParseToken = %v", err)
+	}
+	if claims.Type != TokenRefresh {
+		t.Fatalf("expected refresh token type, got %q", claims.Type)
+	}
+	// The actual middleware rejection is tested in middleware/auth_test.go
+}