feat(backend): add OAuth2/JWT authentication support

- Add OAuth2 client for Authentik integration
- Implement JWT token generation and validation
- Add refresh token support with database storage
- Update database schema with oauth_subject, oauth_provider, and refresh_tokens table
- Create auth package with config, jwt, oauth, and token management
- Add OAuth endpoints: /auth/login, /auth/callback, /auth/refresh, /auth/logout
- Update AuthMiddleware to support both JWT and API key authentication
- Add user helper functions for OAuth user creation and retrieval
- Add .env.example with OAuth configuration template

API keys still work for CLI compatibility while JWT tokens support web/mobile clients.

opal-task/internal/engine/database.go

@@ -132,6 +132,8 @@ func runMigrations() error {
 					id INTEGER PRIMARY KEY AUTOINCREMENT,
 					username TEXT UNIQUE NOT NULL,
 					email TEXT,
+					oauth_subject TEXT UNIQUE,
+					oauth_provider TEXT DEFAULT 'authentik',
 					created_at INTEGER NOT NULL
 				);
 
@@ -183,6 +185,20 @@ func runMigrations() error {
 				-- Default: keep change log for 30 days
 				INSERT INTO sync_config (key, value) VALUES ('change_log_retention_days', '30');
 
+				-- Refresh tokens for OAuth
+				CREATE TABLE refresh_tokens (
+					id INTEGER PRIMARY KEY AUTOINCREMENT,
+					user_id INTEGER NOT NULL,
+					token_hash TEXT UNIQUE NOT NULL,
+					expires_at INTEGER NOT NULL,
+					created_at INTEGER NOT NULL,
+					revoked INTEGER DEFAULT 0,
+					FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+				);
+
+				CREATE INDEX idx_refresh_tokens_hash ON refresh_tokens(token_hash);
+				CREATE INDEX idx_refresh_tokens_user ON refresh_tokens(user_id);
+
 				-- Triggers to populate change_log
 				CREATE TRIGGER track_task_create AFTER INSERT ON tasks
 				BEGIN

opal-task/internal/engine/users.go

@@ -0,0 +1,84 @@
+package engine
+
+import (
+	"database/sql"
+	"fmt"
+	"time"
+)
+
+type User struct {
+	ID            int
+	Username      string
+	Email         string
+	OAuthSubject  string
+	OAuthProvider string
+	CreatedAt     int64
+}
+
+func FindOrCreateOAuthUser(subject, username, email string) (*User, error) {
+	db := GetDB()
+	if db == nil {
+		return nil, fmt.Errorf("database not initialized")
+	}
+
+	// Try to find existing user
+	var user User
+	err := db.QueryRow(`
+		SELECT id, username, COALESCE(email, ''), COALESCE(oauth_subject, ''), COALESCE(oauth_provider, ''), created_at
+		FROM users
+		WHERE oauth_subject = ?
+	`, subject).Scan(&user.ID, &user.Username, &user.Email, &user.OAuthSubject, &user.OAuthProvider, &user.CreatedAt)
+
+	if err == nil {
+		// User exists
+		return &user, nil
+	}
+
+	if err != sql.ErrNoRows {
+		return nil, err
+	}
+
+	// Create new user
+	result, err := db.Exec(`
+		INSERT INTO users (username, email, oauth_subject, oauth_provider, created_at)
+		VALUES (?, ?, ?, ?, ?)
+	`, username, email, subject, "authentik", time.Now().Unix())
+
+	if err != nil {
+		return nil, err
+	}
+
+	id, err := result.LastInsertId()
+	if err != nil {
+		return nil, err
+	}
+
+	user.ID = int(id)
+	user.Username = username
+	user.Email = email
+	user.OAuthSubject = subject
+	user.OAuthProvider = "authentik"
+	user.CreatedAt = time.Now().Unix()
+
+	return &user, nil
+}
+
+func GetUser(id int) (*User, error) {
+	db := GetDB()
+	if db == nil {
+		return nil, fmt.Errorf("database not initialized")
+	}
+
+	var user User
+	err := db.QueryRow(`
+		SELECT id, username, COALESCE(email, ''), COALESCE(oauth_subject, ''), COALESCE(oauth_provider, ''), created_at
+		FROM users
+		WHERE id = ?
+	`, id).Scan(&user.ID, &user.Username, &user.Email, &user.OAuthSubject, &user.OAuthProvider, &user.CreatedAt)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &user, nil
+}