Add secure OAuth2-based mobile authentication

- Replace API keys with OAuth2 tokens for mobile apps
- Add device tracking and management for mobile sessions
- Implement 30-day token expiration with refresh tokens
- Add MFA/2FA support for mobile login
- Create dedicated auth endpoints (signup/login/refresh)
- Skip CSRF protection for API endpoints
- Return plaintext tokens (not hashed) in responses
- Track devices with unique IDs and metadata
- Enable seamless native mobile experience without OAuth redirects

This provides enterprise-grade security for the iOS/Android apps while maintaining a completely native authentication flow.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

app/models/api_key.rb

@@ -4,12 +4,16 @@ class ApiKey < ApplicationRecord
   # Use Rails built-in encryption for secure storage
   encrypts :display_key, deterministic: true
 
+  # Constants
+  SOURCES = [ "web", "mobile" ].freeze
+
   # Validations
   validates :display_key, presence: true, uniqueness: true
   validates :name, presence: true
   validates :scopes, presence: true
+  validates :source, presence: true, inclusion: { in: SOURCES }
   validate :scopes_not_empty
-  validate :one_active_key_per_user, on: :create
+  validate :one_active_key_per_user_per_source, on: :create
 
   # Callbacks
   before_validation :set_display_key
@@ -82,9 +86,9 @@ class ApiKey < ApplicationRecord
       end
     end
 
-    def one_active_key_per_user
-      if user&.api_keys&.active&.where&.not(id: id)&.exists?
-        errors.add(:user, "can only have one active API key")
+    def one_active_key_per_user_per_source
+      if user&.api_keys&.active&.where(source: source)&.where&.not(id: id)&.exists?
+        errors.add(:user, "can only have one active API key per source (#{source})")
       end
     end
 end