feat(auth): enhance middleware to support Bearer token auth

* Added support for extracting Bearer tokens from Authorization header.
* Updated middleware to prefer explicit header over Bearer token.
* Improved test coverage for authentication scenarios.

internal/auth/middleware.go

@@ -21,7 +21,7 @@ func Middleware(cfg config.AuthConfig, keyring *Keyring, log *slog.Logger) func(
 
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			token := strings.TrimSpace(r.Header.Get(headerName))
+			token := extractToken(r, headerName)
 			if token == "" && cfg.AllowQueryParam {
 				token = strings.TrimSpace(r.URL.Query().Get(cfg.QueryParam))
 			}
@@ -43,6 +43,21 @@ func Middleware(cfg config.AuthConfig, keyring *Keyring, log *slog.Logger) func(
 	}
 }
 
+func extractToken(r *http.Request, headerName string) string {
+	token := strings.TrimSpace(r.Header.Get(headerName))
+	if token != "" {
+		return token
+	}
+
+	authHeader := strings.TrimSpace(r.Header.Get("Authorization"))
+	scheme, credentials, ok := strings.Cut(authHeader, " ")
+	if !ok || !strings.EqualFold(scheme, "Bearer") {
+		return ""
+	}
+
+	return strings.TrimSpace(credentials)
+}
+
 func KeyIDFromContext(ctx context.Context) (string, bool) {
 	value, ok := ctx.Value(keyIDContextKey).(string)
 	return value, ok