fix(auth): Address high and medium priority security and build findings

backend/src/ea_chatbot/api/dependencies.py

@@ -39,6 +39,14 @@ async def get_current_user(request: Request, token: str = Depends(oauth2_scheme)
     payload = decode_access_token(token)
     if payload is None:
         raise credentials_exception
+    
+    # Security Fix: Reject refresh tokens for standard API access
+    if payload.get("type") == "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Cannot use refresh token for this endpoint",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
         
     user_id: str | None = payload.get("sub")
     if user_id is None:

backend/src/ea_chatbot/api/utils.py

@@ -1,3 +1,4 @@
+import uuid
 from datetime import datetime, timedelta, timezone
 from typing import Optional, Any, List
 from jose import JWTError, jwt
@@ -56,7 +57,9 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -
     to_encode.update({
         "exp": expire,
         "iat": now,
-        "iss": "ea-chatbot-api"
+        "iss": "ea-chatbot-api",
+        "type": "access",
+        "jti": str(uuid.uuid4())
     })
     encoded_jwt = jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
     return encoded_jwt
@@ -84,7 +87,8 @@ def create_refresh_token(data: dict, expires_delta: Optional[timedelta] = None)
         "exp": expire,
         "iat": now,
         "iss": "ea-chatbot-api",
-        "type": "refresh"
+        "type": "refresh",
+        "jti": str(uuid.uuid4())
     })
     encoded_jwt = jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
     return encoded_jwt