Support token and session auth in parallel
Context
After adopting PASETO tokens for transport (ADR-0019), we had token generation working but no token validation middleware. The existing auth stack (tower-sessions, axum-login) handled cookies. We needed both to work — tokens for iOS, cookies for potential future web clients.
Decision
Run token-based and session-based authentication in parallel. Token middleware validates Authorization: Bearer headers and populates auth context. Session middleware handles cookies as before. User::from_ctx() tries token first, falls back to session.
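The parallel scheme above, as an added illustration that is not the project's own code: a std-only Rust sketch of the read path. The token layer runs first and only a well-formed, valid bearer token populates the context; a session cookie is consulted only when no Authorization header is present; User::from_ctx() accepts whichever transport succeeded. TokenStore is a stand-in for a PASETO verifier (an assumption: the real crate would check the signature and claims), SessionStore stands in for the tower-sessions Redis store, and the cookie name "id", the Request type and all sample tokens and users are constructed for the example. One deliberate choice is shown that the decision text leaves open: a present-but-invalid token is rejected outright rather than silently falling through to a stale cookie.

```rust
use std::collections::HashMap;

/// Identifier of an authenticated user (constructed for the example).
pub type UserId = u64;

/// Who authenticated the request, and via which transport.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthCtx {
    Token(UserId),
    Session(UserId),
    Anonymous,
}

/// Minimal stand-in for an HTTP request: header name -> value.
/// Names are lowercased on insert, as the http crate normalises them.
pub struct Request {
    headers: HashMap<String, String>,
}

impl Request {
    pub fn new(headers: &[(&str, &str)]) -> Self {
        Request {
            headers: headers
                .iter()
                .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
                .collect(),
        }
    }
    fn header(&self, name: &str) -> Option<&str> {
        self.headers.get(name).map(String::as_str)
    }
}

/// Extract the token from `Authorization: Bearer <token>`.
/// The scheme is matched case-insensitively (RFC 7235); a missing
/// header, another scheme, or an empty token yields None.
pub fn bearer_token(req: &Request) -> Option<&str> {
    let value = req.header("authorization")?;
    let (scheme, rest) = value.trim().split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("bearer") {
        return None;
    }
    let token = rest.trim();
    if token.is_empty() { None } else { Some(token) }
}

/// Stand-in for a PASETO verifier (assumption: the real one checks the
/// signature/MAC and claims). Here a token is valid if it was issued
/// and has not expired at `now` (seconds, constructed clock).
pub struct TokenStore {
    issued: HashMap<String, (UserId, u64)>, // token -> (user, expires_at)
}

impl TokenStore {
    pub fn validate(&self, token: &str, now: u64) -> Option<UserId> {
        let (user, exp) = self.issued.get(token)?;
        if now < *exp { Some(*user) } else { None }
    }
}

/// Stand-in for the session store keyed by cookie value.
pub struct SessionStore {
    sessions: HashMap<String, UserId>,
}

/// Cookie name used for the session id (an assumption for the example).
pub const SESSION_COOKIE: &str = "id";

/// Read one cookie value out of the `Cookie` header.
pub fn session_cookie<'a>(req: &'a Request, name: &str) -> Option<&'a str> {
    let cookie = req.header("cookie")?;
    cookie.split(';').map(str::trim).find_map(|kv| {
        let (k, v) = kv.split_once('=')?;
        (k == name).then_some(v)
    })
}

/// Token layer, run first. Ok(None) means "no bearer token offered";
/// a token that is offered but invalid is an error, so a bad token can
/// never be rescued by a cookie that happens to ride along.
pub fn token_layer(req: &Request, tokens: &TokenStore, now: u64) -> Result<Option<UserId>, &'static str> {
    match bearer_token(req) {
        None => Ok(None),
        Some(t) => tokens.validate(t, now).map(Some).ok_or("invalid or expired token"),
    }
}

/// Both layers in sequence: token first, session cookie as fallback.
pub fn authenticate(req: &Request, tokens: &TokenStore, sessions: &SessionStore, now: u64) -> Result<AuthCtx, &'static str> {
    if let Some(uid) = token_layer(req, tokens, now)? {
        return Ok(AuthCtx::Token(uid));
    }
    match session_cookie(req, SESSION_COOKIE).and_then(|sid| sessions.sessions.get(sid)) {
        Some(uid) => Ok(AuthCtx::Session(*uid)),
        None => Ok(AuthCtx::Anonymous),
    }
}

pub struct User {
    pub id: UserId,
}

impl User {
    /// Mirrors User::from_ctx(): either transport yields a user.
    pub fn from_ctx(ctx: &AuthCtx) -> Option<User> {
        match ctx {
            AuthCtx::Token(id) | AuthCtx::Session(id) => Some(User { id: *id }),
            AuthCtx::Anonymous => None,
        }
    }
}

/// Constructed sample data: one live token, one expired token, one session.
pub fn sample_stores() -> (TokenStore, SessionStore) {
    let mut issued = HashMap::new();
    issued.insert("tok-alice".to_string(), (1, 2_000));
    issued.insert("tok-bob-expired".to_string(), (2, 500));
    let mut sessions = HashMap::new();
    sessions.insert("sess-carol".to_string(), 3);
    (TokenStore { issued }, SessionStore { sessions })
}

fn main() {
    let (tokens, sessions) = sample_stores();
    let now = 1_000;
    let reqs = [
        Request::new(&[("Authorization", "Bearer tok-alice")]),
        Request::new(&[("Cookie", "theme=dark; id=sess-carol")]),
        Request::new(&[("Authorization", "bearer tok-bob-expired"), ("Cookie", "id=sess-carol")]),
        Request::new(&[]),
    ];
    for r in &reqs {
        println!("{:?}", authenticate(r, &tokens, &sessions, now));
    }
}
```

This models only the read side of the two layers. The write side is where the abandoned attempt ran into trouble: a real session layer also creates, refreshes and deletes store entries on its own schedule, and nothing here prevents it from doing so for token-authenticated requests.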
Why it was abandoned
Tower-sessions and axum-login weren't built to support an alternative transport mechanism alongside cookies. Our middleware added an Authorization header check, but the built-in session management was updating, deleting, and managing token values in Redis in ways we didn't anticipate and couldn't control without forking the crates. We got close but it was effectively a monkey-patch. ADR-0028 removed the session layer entirely instead.