feat(server): read device token cookie and pass to GraphQL context

- Read constructive_device_token cookie in auth middleware
- Attach to req.deviceToken for downstream access
- Pass as jwt.claims.device_token to DB procedures
- Enables trusted device recognition in sign-in flows

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: theothersideofgod

graphql/server/src/middleware/auth.ts

@@ -12,6 +12,9 @@ const isDev = () => getNodeEnv() === 'development';
 /** Default cookie name for session tokens. */
 const SESSION_COOKIE_NAME = 'constructive_session';
 
+/** Cookie name for trusted device tracking. */
+const DEVICE_TOKEN_COOKIE_NAME = 'constructive_device_token';
+
 /**
  * Extract a named cookie value from the raw Cookie header.
  * Avoids pulling in cookie-parser as a dependency.
@@ -143,6 +146,13 @@ export const createAuthenticateMiddleware = (
       );
     }
 
+    // Read device token cookie for trusted device tracking
+    const deviceToken = parseCookieToken(req, DEVICE_TOKEN_COOKIE_NAME);
+    if (deviceToken) {
+      req.deviceToken = deviceToken;
+      log.info('[auth] Device token cookie present');
+    }
+
     next();
   };
 };

graphql/server/src/middleware/graphile.ts

@@ -245,6 +245,9 @@ const buildPreset = (
         if (req.get('User-Agent')) {
           context['jwt.claims.user_agent'] = req.get('User-Agent') as string;
         }
+        if (req.deviceToken) {
+          context['jwt.claims.device_token'] = req.deviceToken;
+        }
 
         if (req.token?.user_id) {
           const pgSettings: Record<string, string> = {

graphql/server/src/middleware/types.ts

@@ -18,6 +18,8 @@ declare global {
       databaseId?: string;
       requestId?: string;
       token?: ConstructiveAPIToken;
+      /** Device token from constructive_device_token cookie for trusted device tracking */
+      deviceToken?: string;
     }
   }
 }