
Integrate New Backend Dual level Authentication #237

@dappsar

Description


🧠 Context

The frontend must implement dual-layer authentication:

  1. Infrastructure-Level Auth (GCP): uses Google Identity to authenticate calls to chatterpay-backend (Cloud Run service with authentication required).
  2. Application-Level Auth (JWE): uses a signed and encrypted token obtained from /auth/sign, which encodes the user's role/permissions.

This ensures secure and role-based access control at both the transport and business logic levels.


🔐 Headers Required

Each request to chatterpay-backend must include:

    Authorization: Bearer <google_id_token>
    x-app-authorization: Bearer <jwe_token>
    auth-infra-type: gcp | environment | hardcoded | none
    auth-app-type: environment | hardcoded | none

  • Authorization: handled by GCP, contains the identity token used for infra-level auth.
  • x-app-authorization: JWE issued by the backend, defines role-based access at app level.

✅ Tasks

chatterpay-frontend

  • Call POST /auth/sign after successful login to obtain the user's JWE.
  • Store the JWE securely (preferably in an HttpOnly cookie or in memory).
  • Send both tokens in every request to chatterpay-backend:
    Authorization: Bearer <google_id_token>
    x-app-authorization: Bearer <jwe_token>
    auth-infra-type: gcp
    auth-app-type: environment
  • In development mode (local), allow fallbacks:

    Authorization: Bearer <env_token>
    x-app-authorization: Bearer <env_token>
    auth-infra-type: environment
    auth-app-type: environment
  • Implement token refresh strategy (either silent refresh or re-authentication when expired).


🔍 Notes

  • This task assumes GCP service-to-service identity is enabled and chatterpay-backend is deployed with "Require authentication" turned ON.
  • You can fetch Google ID tokens using google-auth-library from your Node.js frontend if hosted in GCP.
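The tasks and notes above describe a frontend-side client but show no code. The following is an added example, not code from the ChatterPay project: it builds the four headers for each mode, reads both tokens from the environment in development, uses google-auth-library for the Google ID token in production, keeps the JWE in memory only, and implements the "silent refresh" strategy by re-signing the JWE once on a 401 and retrying. The header names, the `/auth/sign` path and the mode values come from the issue; the environment variable names (`CHATTERPAY_INFRA_TOKEN`, `CHATTERPAY_APP_TOKEN`), the `{ token }` response shape of `/auth/sign`, and the use of `auth-app-type: none` on the sign call are assumptions. The `demo()` function runs the flow offline against a constructed fake backend.

```javascript
// Added example (not ChatterPay project code). Header names, /auth/sign and the mode values are from
// the issue; env var names, the { token } response shape and "auth-app-type: none" on the sign call
// are assumptions.

// Header values for the two auth layers per deployment mode (from the issue text).
const AUTH_MODES = {
  production: { infra: "gcp", app: "environment" },
  development: { infra: "environment", app: "environment" },
};

// Build the four headers every request to chatterpay-backend must carry.
function buildAuthHeaders({ infraToken, appToken, mode }) {
  const kinds = AUTH_MODES[mode];
  if (!kinds) throw new Error(`unsupported auth mode: ${mode}`);
  if (!infraToken || !appToken) throw new Error("both the infra token and the app JWE are required");
  return {
    Authorization: `Bearer ${infraToken}`,
    "x-app-authorization": `Bearer ${appToken}`,
    "auth-infra-type": kinds.infra,
    "auth-app-type": kinds.app,
  };
}

// Token sources. Development: both tokens from the environment (the issue's local fallback).
// Production: Google ID token via google-auth-library, JWE via POST /auth/sign.
function tokenProvidersFor(mode, { env = process.env, backendUrl = "", fetchImpl = globalThis.fetch } = {}) {
  const fromEnv = (name) => async () => {
    if (!env[name]) throw new Error(`${name} is not set`); // assumed variable name
    return env[name];
  };
  if (mode === "development") {
    return { getGoogleIdToken: fromEnv("CHATTERPAY_INFRA_TOKEN"), signJwe: fromEnv("CHATTERPAY_APP_TOKEN") };
  }
  const getGoogleIdToken = async () => {
    // Production only: needs a GCP identity (e.g. the service account the frontend runs as).
    const { GoogleAuth } = require("google-auth-library");
    const client = await new GoogleAuth().getIdTokenClient(backendUrl);
    return client.idTokenProvider.fetchIdToken(backendUrl);
  };
  const signJwe = async () => {
    // Assumption: /auth/sign sits behind infra auth only and answers { token } for the logged-in user.
    const res = await fetchImpl(`${backendUrl}/auth/sign`, {
      method: "POST",
      headers: { Authorization: `Bearer ${await getGoogleIdToken()}`, "auth-infra-type": "gcp", "auth-app-type": "none" },
    });
    if (!res.ok) throw new Error(`/auth/sign failed with HTTP ${res.status}`);
    return (await res.json()).token;
  };
  return { getGoogleIdToken, signJwe };
}

function createAuthClient({ mode, backendUrl, getGoogleIdToken, signJwe, fetchImpl = globalThis.fetch }) {
  let cachedJwe = null; // in memory only, as the issue prefers; never written to localStorage

  async function jwe(forceRefresh = false) {
    if (forceRefresh || cachedJwe === null) cachedJwe = await signJwe();
    return cachedJwe;
  }

  async function send(path, init, appToken) {
    const headers = buildAuthHeaders({ infraToken: await getGoogleIdToken(), appToken, mode });
    return fetchImpl(backendUrl + path, { ...init, headers: { ...(init.headers || {}), ...headers } });
  }

  // Silent refresh: on 401 re-sign the JWE once and retry; a second 401 is returned to the caller.
  async function fetchWithAuth(path, init = {}) {
    let res = await send(path, init, await jwe());
    if (res.status === 401) res = await send(path, init, await jwe(true));
    return res;
  }

  return { fetchWithAuth };
}

// Offline demo with a constructed fake backend: it rejects the first JWE as expired, so the client
// refreshes once and retries; the second call reuses the cached JWE without re-signing.
async function demo() {
  const stats = { signCalls: 0, requests: 0 };
  const expired = new Set(["jwe-1"]); // constructed: the first token expires before it is used
  const signJwe = async () => `jwe-${++stats.signCalls}`;
  const fakeBackend = async (_url, { headers }) => {
    stats.requests++;
    for (const h of ["Authorization", "x-app-authorization", "auth-infra-type", "auth-app-type"]) {
      if (!headers[h]) return { status: 400 };
    }
    const token = headers["x-app-authorization"].replace("Bearer ", "");
    return expired.has(token) ? { status: 401 } : { status: 200 };
  };
  const env = { CHATTERPAY_INFRA_TOKEN: "dev-infra-token", CHATTERPAY_APP_TOKEN: "unused" }; // constructed
  const { getGoogleIdToken } = tokenProvidersFor("development", { env });
  const client = createAuthClient({ mode: "development", backendUrl: "http://localhost", getGoogleIdToken, signJwe, fetchImpl: fakeBackend });
  const firstStatus = (await client.fetchWithAuth("/me")).status;
  const secondStatus = (await client.fetchWithAuth("/me")).status;
  return { ...stats, firstStatus, secondStatus };
}
```

In the demo the first request costs two backend round-trips (401, refresh, retry) and two `/auth/sign` calls, while the second request succeeds on the cached JWE with no extra signing; a backend that keeps returning 401 surfaces the failure to the caller after one retry instead of looping.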

Metadata

Assignees

Labels

enhancement (New feature or request)

Projects

No projects

Relationships

None yet

Development

No branches or pull requests
