refactor: deduplicate cache, pagination, and OAuth error helpers #101

Merged: appleboy merged 2 commits into main from worktree-mellow-riding-pelican on Mar 13, 2026

@appleboy
Member

Summary

  • Consolidate three identical cache type constant sets (MetricsCacheType*, UserCacheType*, ClientCountCacheType*) into a single CacheType* set with a shared validateCacheType helper, reducing ~80 lines of duplicated validation logic
  • Create generic initializeCache[T any] in bootstrap/cache.go to replace three nearly identical cache init functions (~160 lines removed)
  • Eliminate redundant DB lookup in RequireAdmin middleware by reading the user already cached in gin context by RequireAuth (saves one DB query per admin request)
  • Add parsePaginationParams, respondOAuthError, and getUserFromContext handler helpers to replace repeated patterns across 6+ handler files
  • Extract defaultTokenType in token/http_api.go to deduplicate token type defaulting

Net result: 350 insertions, 478 deletions (−128 lines)

Test plan

  • make generate — templates and swagger compile
  • make test — all existing tests pass
  • make lint — zero lint issues
  • Manual: verify admin pages still load (RequireAdmin middleware change)
  • Manual: verify OAuth token endpoints still return correct error shapes

🤖 Generated with Claude Code

…lpers

- Consolidate three identical cache type constant sets into single CacheType* set
- Extract validateCacheType helper to replace tripled validation logic
- Create generic initializeCache[T any] to deduplicate three cache init functions
- Eliminate redundant DB lookup in RequireAdmin by reading cached user from context
- Add parsePaginationParams, respondOAuthError, and getUserFromContext helpers
- Replace 15+ inline OAuth error responses with respondOAuthError calls
- Extract defaultTokenType helper for duplicated token type defaulting
- Remove unused imports from handlers after consolidation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 12, 2026 14:26
codecov bot commented Mar 12, 2026

Copilot AI left a comment

Pull request overview

This PR refactors repeated logic across handlers and bootstrap code by introducing small shared helpers (pagination parsing, OAuth error responses, user retrieval), simplifying admin middleware by relying on RequireAuth’s cached user, and consolidating cache-type constants plus cache initialization/validation logic.

Changes:

  • Centralize handler utilities: pagination param parsing, OAuth error JSON responses, and user extraction from gin.Context.
  • Simplify RequireAdmin to rely on RequireAuth-loaded user in context rather than re-fetching via UserService.
  • Unify cache-type constants and deduplicate cache init + config validation logic for metrics/user/client-count caches.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| internal/token/http_api.go | Extracts token-type defaulting into a helper for reuse. |
| internal/middleware/auth.go | Updates RequireAdmin to use the cached user from context. |
| internal/handlers/utils.go | Adds shared helper functions for pagination, OAuth errors, and user lookup. |
| internal/handlers/user_client.go | Switches to shared pagination/user-context helpers. |
| internal/handlers/token.go | Switches repeated OAuth error responses to respondOAuthError. |
| internal/handlers/session.go | Switches pagination parsing to shared helper. |
| internal/handlers/docs.go | Uses shared user-context helper for optional navbar user info. |
| internal/handlers/client.go | Switches to shared pagination/user-context helpers. |
| internal/handlers/authorization.go | Uses shared user-context helper (falling back to DB lookup). |
| internal/handlers/audit.go | Uses shared user-context helper. |
| internal/config/config.go | Consolidates cache-type constants; deduplicates cache-type validation. |
| internal/config/config_test.go | Updates tests to use unified cache-type constants and expectations. |
| internal/bootstrap/cache.go | Deduplicates cache initialization via a generic helper and shared options struct. |
| internal/bootstrap/bootstrap_test.go | Updates bootstrap test to use unified cache-type constants. |

Comment on lines +175 to +177
respondOAuthError(
c,
http.StatusBadRequest,

Copilot AI Mar 12, 2026

In the refresh_token grant error mapping, client authentication failures are returned as 400 invalid_client. Per RFC 6749 §5.2, invalid_client should be a 401 response and include a WWW-Authenticate header (similar to the client_credentials grant handling below). Consider switching this branch to 401 and setting the header to keep behavior consistent and standards-compliant.

Suggested change
respondOAuthError(
c,
http.StatusBadRequest,
// Per RFC 6749 §5.2, invalid_client should use 401 and include WWW-Authenticate
c.Header("WWW-Authenticate", `Basic realm="token"`)
respondOAuthError(
c,
http.StatusUnauthorized,
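
Review bot: The added `c.Header("WWW-Authenticate", ...)` line hardcodes the Basic scheme. RFC 6749 §5.2 requires the challenge to match the authentication scheme the client used when it authenticated through the Authorization header, so the fixed value is only correct while Basic is the sole header-based client authentication method; the comment above it should say so. The header is also set at the call site rather than in respondOAuthError, which means every other branch that returns invalid_client has to repeat the pair by hand. Consider having respondOAuthError set the header itself when the status is 401 so the refresh_token and client_credentials branches cannot drift apart again.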

func RequireAdmin(userService *services.UserService) gin.HandlerFunc {
// RequireAdmin is a middleware that requires the user to have admin role.
// This middleware should be used after RequireAuth, which already fetches
// and caches the user in the gin context via loadUserFromSession.

Copilot AI Mar 12, 2026

RequireAdmin no longer uses the provided UserService, but the parameter is still part of the API (now named _). This is misleading for callers and suggests a dependency that no longer exists. Consider removing the parameter entirely and updating call sites, or (if you need to keep the signature) document why the argument is intentionally unused.

Suggested change
// and caches the user in the gin context via loadUserFromSession.
// and caches the user in the gin context via loadUserFromSession.
//
// The *services.UserService parameter is intentionally unused and retained
// only for backward compatibility with existing call sites. RequireAdmin
// no longer depends on UserService and instead reads the user from context.
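
Review bot: The doc comment says RequireAdmin "should be used after RequireAuth" but neither it nor the added paragraph says what happens when it is not. Since the middleware now reads the user from context instead of UserService, the comment should state that a missing or wrong-typed context value is rejected rather than passed through, and a test should cover that case. Keeping an unused *services.UserService parameter only for call-site compatibility also leaves a dependency in the signature that the body no longer has; dropping the parameter and updating the call sites is the cleaner option.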

- Return 401 with WWW-Authenticate header for invalid_client per RFC 6749 §5.2
- Remove unused userService parameter from RequireAdmin middleware
- Add unit tests for RequireAdmin, parsePaginationParams, respondOAuthError, getUserFromContext

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
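
The invalid_client rule discussed in the review, as an added example that is not the project's code: it uses net/http instead of gin, and `writeOAuthError`, `statusByCode` and `probe` are hypothetical names. It goes one step beyond the PR by deriving the status and challenge header from the error code inside the helper, assuming Basic is the only header-based client authentication scheme.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// statusByCode lists the RFC 6749 §5.2 codes that do not use the default 400.
var statusByCode = map[string]int{"invalid_client": http.StatusUnauthorized}

// writeOAuthError is a hypothetical net/http counterpart of the PR's
// respondOAuthError. The status is derived from the error code, so a call
// site cannot pair invalid_client with 400 or forget the challenge header.
func writeOAuthError(w http.ResponseWriter, code, desc string) {
	status, ok := statusByCode[code]
	if !ok {
		status = http.StatusBadRequest
	}
	if status == http.StatusUnauthorized {
		// Assumption: Basic is the only header-based client auth scheme.
		w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": code, "error_description": desc})
}

// probe returns the status, challenge header and body error code a client
// would see for the given OAuth error.
func probe(code string) (int, string, string) {
	w := httptest.NewRecorder()
	writeOAuthError(w, code, "constructed example")
	var body struct {
		Error string `json:"error"`
	}
	_ = json.NewDecoder(w.Body).Decode(&body)
	return w.Code, w.Header().Get("WWW-Authenticate"), body.Error
}

func main() {
	fmt.Println(probe("invalid_client")) // same path for every grant type
	fmt.Println(probe("invalid_grant"))
}
```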
@appleboy appleboy merged commit 21e3aad into main Mar 13, 2026
17 checks passed
@appleboy appleboy deleted the worktree-mellow-riding-pelican branch March 13, 2026 14:15
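
The RequireAdmin change makes the admin check depend on RequireAuth having cached the user in the request context, so the middleware has to deny when that value is absent. An added example of that ordering dependency (not the project's code, net/http rather than gin; `User`, `ctxKey`, `sessions`, `page`, `statusFor` and the `X-Session` header are assumptions):

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical stand-ins for the user model, context key and session store.
type User struct{ Admin bool }
type ctxKey struct{}
var sessions = map[string]*User{"s-admin": {Admin: true}, "s-user": {Admin: false}} // constructed
var page = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})          // replies 200

// requireAuth resolves the session once and caches the user in the context.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := sessions[r.Header.Get("X-Session")]; ok {
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
			return
		}
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
	})
}

// requireAdmin trusts only the context: no user there means deny (fail closed).
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := r.Context().Value(ctxKey{}).(*User); !ok || u == nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		} else if !u.Admin {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

// statusFor sends a constructed GET /admin with the given session through h.
func statusFor(h http.Handler, session string) int {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.Header.Set("X-Session", session)
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

func main() {
	fmt.Println(statusFor(requireAuth(requireAdmin(page)), "s-admin"), statusFor(requireAdmin(page), "s-admin"))
}
```

The second call in `main` mounts `requireAdmin` without `requireAuth` and still gets a denial, which is the case a route-registration mistake would otherwise turn into an open admin page.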