BizGaze Connect: chat, meetings, recordings, mobile, directory + UI fixes

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/session.js

@@ -1,5 +1,6 @@
 // Session/auth helpers: resolve the current user from the cookie, write audit rows.
 const R = require('./repos');
+const A = require('./auth');
 const { parseCookies, now } = require('./lib');
 
 function audit(entry) {
@@ -35,4 +36,19 @@ function currentUser(req, { requireMfa = true } = {}) {
   return { ...u, _session: s };
 }
 
-module.exports = { audit, currentUser, tokenFromReq };
+// Resolve a third-party API key from `X-API-Key` or `Authorization: Bearer bzc_...`.
+// Returns { id, teamId, scopes:[], name } or null. Keys are prefixed `bzc_` and stored hashed.
+function apiKeyFromReq(req) {
+  let raw = req.headers && req.headers['x-api-key'];
+  if (!raw) {
+    const h = req.headers && (req.headers.authorization || req.headers.Authorization);
+    if (h && /^Bearer\s+bzc_/i.test(h)) raw = h.replace(/^Bearer\s+/i, '').trim();
+  }
+  if (!raw || !/^bzc_/.test(raw)) return null;
+  const row = R.apiKeys.byHash(A.hashToken(raw));
+  if (!row || row.revoked) return null;
+  return { id: row.id, teamId: row.team_id, scopes: String(row.scopes || '').split(',').map((s) => s.trim()).filter(Boolean), name: row.name };
+}
+function keyHasScope(key, scope) { return !!key && (key.scopes.includes(scope) || key.scopes.includes('*')); }
+
+module.exports = { audit, currentUser, tokenFromReq, apiKeyFromReq, keyHasScope };