Add token type to JWT claims for access/refresh distinction

- Add TokenType enum and include in Claims struct
- GenerateRefreshToken now creates tokens with TokenRefresh type
- AuthRequired middleware rejects refresh tokens
- AuthService.Refresh validates token type
- Tests verify type validation

internal/middleware/auth_test.go

@@ -96,6 +96,24 @@ func TestAuthRequiredValidToken(t *testing.T) {
 	}
 }
 
+func TestAuthRequiredRefreshTokenRejected(t *testing.T) {
+	secret := []byte("test-secret")
+	token, err := auth.GenerateRefreshToken("user-1", secret, 7*24*time.Hour)
+	if err != nil {
+		t.Fatalf("GenerateRefreshToken = %v", err)
+	}
+
+	r := setupTestRouter(secret)
+	req := httptest.NewRequest(http.MethodGet, "/protected", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	rec := httptest.NewRecorder()
+	r.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusUnauthorized {
+		t.Errorf("status = %d, want %d (refresh token should be rejected)", rec.Code, http.StatusUnauthorized)
+	}
+}
+
 func TestGetUserID(t *testing.T) {
 	secret := []byte("test-secret")
 	token, err := auth.GenerateAccessToken("alice-42", secret, 15*time.Minute)