feat(auth): enhance token validation and internal access control

Refactor the `Whoami` handler to validate token metadata (status, expiration,
revocation) against Redis before database lookup, ensuring consistency with
balancer logic. Add `allow_ips`, `deny_ips`, and `expires_at` fields to
authentication responses.

Update internal middleware to support explicit anonymous access configuration
and harden security for unconfigured tokens.

Remove legacy fallback logic for master keys without digests.

BREAKING CHANGE: Internal endpoints now reject requests by default if no stats token is configured. To allow unauthenticated access, set `internal.allow_anonymous` to true.
BREAKING CHANGE: Support for legacy master keys without stored digests has been removed.

internal/service/master.go

@@ -68,25 +68,6 @@ func (s *MasterService) ValidateMasterKey(masterKey string) (*model.Master, erro
 
 	var master model.Master
 	if err := s.db.Where("master_key_digest = ?", digest).First(&master).Error; err != nil {
-		if !errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, err
-		}
-
-		// Backward compatibility: look for legacy rows without digest.
-		var masters []model.Master
-		if err := s.db.Where("master_key_digest = '' OR master_key_digest IS NULL").Find(&masters).Error; err != nil {
-			return nil, err
-		}
-		for _, m := range masters {
-			if bcrypt.CompareHashAndPassword([]byte(m.MasterKey), []byte(masterKey)) == nil {
-				master = m
-				// Opportunistically backfill digest for next time.
-				if strings.TrimSpace(m.MasterKeyDigest) == "" {
-					_ = s.db.Model(&m).Update("master_key_digest", digest).Error
-				}
-				goto verified
-			}
-		}
 		return nil, errors.New("invalid master key")
 	}
 
@@ -94,7 +75,6 @@ func (s *MasterService) ValidateMasterKey(masterKey string) (*model.Master, erro
 		return nil, errors.New("invalid master key")
 	}
 
-verified:
 	if master.Status != "active" {
 		return nil, fmt.Errorf("master is not active")
 	}