feat: add jwt_es256 auth type for signed JWT APIs

[donna-matt]

What

New jwt_es256 authentication method type that dynamically generates ES256-signed JWTs for each proxied request.

Why

APIs like Apple's App Store Connect require fresh JWT tokens signed with ECDSA P-256 per request, rather than static bearer tokens. Each JWT must be signed using:

• A private key (PEM-encoded PKCS#8)
• A key ID (kid in JWT header)
• An issuer ID (iss in JWT payload)

Previously, there was no way to handle this authentication pattern in Shellgate.

How It Works

Backend Implementation

1. New JWT utility (src/lib/server/utils/jwt.ts):

   • Pure Web Crypto API implementation (no external dependencies)
   • Signs ES256 JWTs using ECDSA with P-256 curve
   • Configurable audience and expiration time
   • Default: appstoreconnect-v1 audience, 20-minute expiration

2. Updated auth methods service (src/lib/server/services/auth-methods.ts):

   • Added jwt_es256 to valid auth types
   • Credential hint displays key ID: ES256 JWT ••• KEYID123

3. Updated gateway proxy (src/lib/server/services/gateway.ts):

   • Generates fresh JWT for each request when jwt_es256 auth method is configured
   • Injects as Authorization: Bearer <jwt> header

Testing

• Unit tests (tests/unit/jwt.test.ts): 7 tests covering JWT generation, signature verification, custom config
• Integration tests (tests/integration/gateway.test.ts): End-to-end test verifying JWT injection in proxied requests
• All existing tests pass ✅

Usage Example

Creating a Target + Auth Method for App Store Connect

1. Create target:

POST /api/targets
{
  "name": "Apple App Store Connect",
  "slug": "apple-asc",
  "type": "api",
  "base_url": "https://api.appstoreconnect.apple.com"
}

2. Create auth method:

POST /api/targets/{target_id}/auth-methods
{
  "label": "App Store Connect JWT",
  "type": "jwt_es256",
  "credential": "{\"privateKey\":\"-----BEGIN PRIVATE KEY-----\\nMIGHAgEAMB...\",\"keyId\":\"ABC123XYZ\",\"issuerId\":\"69a6de12-b0d3-...\"}"
}

3. Make requests:

GET /gateway/apple-asc/v1/apps
# Shellgate automatically generates and injects fresh JWT

Credential Format

The credential field must be a JSON string with:

{
  "privateKey": "-----BEGIN PRIVATE KEY-----\nMIGH...\n-----END PRIVATE KEY-----",
  "keyId": "ABC123XYZ",
  "issuerId": "69a6de12-b0d3-...",
  "audience": "appstoreconnect-v1",  // optional, defaults to appstoreconnect-v1
  "expiresInSeconds": 1200              // optional, defaults to 1200 (20 minutes)
}

Dashboard UI

Dashboard UI for creating/editing jwt_es256 credentials is intentionally not included in this PR. This keeps the PR focused on backend functionality. Dashboard support will be added in a follow-up PR.

Security Notes

• Private keys are stored encrypted in the database (existing credential encryption)
• JWTs are generated fresh per request (no token reuse)
• Default 20-minute expiration minimizes token lifetime
• Uses Web Crypto API (native, audited implementation)

Breaking Changes

None. This is purely additive — existing auth methods continue to work unchanged.