Refactor auth routes: explicit dependency injection

- Updated all auth route modules to use destructured dependencies
- Added JSDoc comments for factory functions
- Replaced ctx. references with direct parameter access
- Updated auth/index.js to extract and pass explicit dependencies
- sso-gate.js maintains session helper exports from session-handlers
- All files pass syntax validation

Files refactored:
- routes/auth/keys.js
- routes/auth/session-handlers.js
- routes/auth/sso-gate.js
- routes/auth/totp.js
- routes/auth/index.js (orchestrator)
Krystie
2026-03-29 21:42:30 -07:00
parent a4788c3f28
commit df3e8efdd0
5 changed files with 110 additions and 58 deletions


@@ -1,7 +1,15 @@
const express = require('express');
const { ValidationError, ForbiddenError, NotFoundError } = require('../../errors');
/**
* Auth API keys routes factory
* @param {Object} deps - Explicit dependencies
* @param {Object} deps.authManager - Auth manager
* @param {Function} deps.asyncHandler - Async route handler wrapper
* @param {Object} deps.log - Logger instance
* @returns {express.Router}
*/
module.exports = function(ctx) {
module.exports = function({ authManager, asyncHandler, log }) {
const router = express.Router();
// Helper function to parse expiration strings to milliseconds
@@ -24,18 +32,18 @@ module.exports = function(ctx) {
}
// List all API keys
router.get('/auth/keys', ctx.asyncHandler(async (req, res) => {
router.get('/auth/keys', asyncHandler(async (req, res) => {
// Require session authentication (not API key - can't manage keys with key itself)
if (!req.auth || req.auth.type !== 'session') {
throw new ForbiddenError('API key management requires TOTP session authentication');
}
const keys = await ctx.authManager.listAPIKeys();
const keys = await authManager.listAPIKeys();
res.json({ success: true, keys });
}, 'auth-keys-list'));
// Generate new API key
router.post('/auth/keys', ctx.asyncHandler(async (req, res) => {
router.post('/auth/keys', asyncHandler(async (req, res) => {
// Require session authentication
if (!req.auth || req.auth.type !== 'session') {
throw new ForbiddenError('API key generation requires TOTP session authentication');
@@ -53,7 +61,7 @@ module.exports = function(ctx) {
throw new ValidationError(`Invalid scopes. Valid options: ${validScopes.join(', ')}`, 'scopes');
}
const keyData = await ctx.authManager.generateAPIKey(
const keyData = await authManager.generateAPIKey(
name.trim(),
scopes || ['read', 'write']
);
@@ -70,7 +78,7 @@ module.exports = function(ctx) {
}, 'auth-keys-generate'));
// Revoke API key
router.delete('/auth/keys/:keyId', ctx.asyncHandler(async (req, res) => {
router.delete('/auth/keys/:keyId', asyncHandler(async (req, res) => {
// Require session authentication
if (!req.auth || req.auth.type !== 'session') {
throw new ForbiddenError('API key revocation requires TOTP session authentication');
@@ -82,7 +90,7 @@ module.exports = function(ctx) {
throw new ValidationError('Key ID is required', 'keyId');
}
const success = await ctx.authManager.revokeAPIKey(keyId);
const success = await authManager.revokeAPIKey(keyId);
if (success) {
res.json({ success: true, message: 'API key revoked successfully' });
@@ -92,7 +100,7 @@ module.exports = function(ctx) {
}, 'auth-keys-revoke'));
// Generate JWT from TOTP session
router.post('/auth/jwt', ctx.asyncHandler(async (req, res) => {
router.post('/auth/jwt', asyncHandler(async (req, res) => {
// Require session authentication
if (!req.auth || req.auth.type !== 'session') {
throw new ForbiddenError('JWT generation requires TOTP session authentication');
@@ -106,7 +114,7 @@ module.exports = function(ctx) {
throw new ValidationError('Invalid expiresIn format. Use: 60s, 15m, 24h, 7d, 1y', 'expiresIn');
}
const token = await ctx.authManager.generateJWT(
const token = await authManager.generateJWT(
{
sub: userId || 'dashcaddy-admin',
scope: ['admin'] // Session-generated JWTs have admin scope
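Review bot: The `/auth/jwt` hunk still mints every token with `scope: ['admin']` and sets `sub` from `userId || 'dashcaddy-admin'`; the assignment of `userId` lies outside the hunk, so if it is read from the request body the subject is caller-chosen and any audit trail keyed on `sub` cannot be relied on. Deriving the subject from the authenticated session (`req.auth`) would close that, and since the validation message lists `1y` as an accepted lifetime, an upper bound on `expiresIn` for admin-scoped tokens looks worth adding. The factory now receives `log`, but none of the visible hunks use it; key generation, key revocation and JWT issuance are the events worth recording through it. A comment such as `// sub must come from the session, never from request input` above the `generateJWT` call would document the intent. The handler body starts and ends outside the hunk.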