Enforce configured token auth prefix on incoming headers#618

Merged
winhowes merged 2 commits into main from codex/fix-token-auth-prefix-enforcement-issue
Apr 13, 2026
Conversation

@winhowes
Owner

Motivation

  • The incoming token auth previously used strings.TrimPrefix without verifying the prefix existed, allowing bare tokens to authenticate when a prefix was configured.
  • This change prevents accidental weakening of the expected header format by enforcing the configured prefix before accepting the token.

Description

  • Require the configured prefix to be present on the incoming header by checking strings.HasPrefix before trimming in app/auth/plugins/token/incoming.go.
  • Continue to use strings.TrimPrefix after verification and perform the constant-time comparison against loaded secrets to preserve behavior.
  • Add a regression test TestTokenIncomingConfiguredPrefixMissingInHeader to app/auth/plugins/token/token_test.go that asserts authentication fails when the header omits a configured prefix.
  • Updated tests are added to the existing token plugin test file per repository guidelines.

Testing

  • Ran go test ./app/auth/plugins/token and the package tests passed successfully.
  • The new regression test TestTokenIncomingConfiguredPrefixMissingInHeader executes as part of the package tests and verifies the fix.

Codex Task
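The check the description lays out, written up as an added Go example (not the project's own code; the `IncomingTokenAuth` type, the function names and the constructed secrets are assumptions): `weakAuthenticate` keeps the `strings.TrimPrefix`-only behaviour that let a bare token through, `Authenticate` requires `strings.HasPrefix` before trimming, and both compare the token against every loaded secret in constant time.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
)

// IncomingTokenAuth holds the configured header prefix and the loaded
// secrets. Hypothetical type standing in for the plugin's config; it is
// not the project's own structure.
type IncomingTokenAuth struct {
	Prefix  string   // e.g. "Bearer "; empty means no prefix is required
	Secrets [][]byte // accepted token values, already loaded
}

// weakAuthenticate reproduces the defect the PR describes: TrimPrefix
// leaves the header unchanged when the prefix is absent, so a bare token
// authenticates even though a prefix is configured.
func weakAuthenticate(a IncomingTokenAuth, header string) bool {
	token := strings.TrimPrefix(header, a.Prefix)
	return matchesAnySecret(a.Secrets, []byte(token))
}

// Authenticate is the hardened form: when a prefix is configured it must
// actually be present before it is trimmed; the remainder is then compared
// in constant time against the loaded secrets.
func Authenticate(a IncomingTokenAuth, header string) bool {
	if a.Prefix != "" && !strings.HasPrefix(header, a.Prefix) {
		return false
	}
	token := strings.TrimPrefix(header, a.Prefix)
	return matchesAnySecret(a.Secrets, []byte(token))
}

// matchesAnySecret checks the presented token against every loaded secret
// with subtle.ConstantTimeCompare. It deliberately does not return on the
// first hit, so the time taken does not reveal which secret (if any) matched.
func matchesAnySecret(secrets [][]byte, token []byte) bool {
	matched := 0
	for _, s := range secrets {
		matched |= subtle.ConstantTimeCompare(s, token)
	}
	return matched == 1
}

func main() {
	// Constructed sample config and headers for the demonstration.
	auth := IncomingTokenAuth{Prefix: "Bearer ", Secrets: [][]byte{[]byte("s3cret")}}
	for _, h := range []string{"Bearer s3cret", "s3cret", "Bearer wrong"} {
		fmt.Printf("%-16q weak=%-5v hardened=%v\n", h, weakAuthenticate(auth, h), Authenticate(auth, h))
	}
}
```

Note that `strings.HasPrefix` is case-sensitive, so with `"Bearer "` configured a header of `"bearer s3cret"` is rejected by `Authenticate`; if the deployment needs scheme names to be case-insensitive, that decision has to be made explicitly rather than falling out of a lenient trim. `subtle.ConstantTimeCompare` still returns 0 immediately on a length mismatch, which leaks the token length but not its contents.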

@winhowes
Owner Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. You're on a roll.

@winhowes winhowes merged commit ce5944f into main Apr 13, 2026
3 checks passed