feat: bearer token auth, pairing, wifi config, ssh toggle, remove /cmd

adacam_api/auth.py

@@ -0,0 +1,30 @@
+"""Authentication helpers for adacam-api."""
+import hashlib
+from functools import wraps
+from flask import request, jsonify
+
+
+def get_device_serial():
+    """Get device serial from liberate.sh-generated file."""
+    try:
+        return open('/data/adacam/device_serial').read().strip()
+    except:
+        return 'unknown'
+
+
+def get_api_token():
+    """Derive API token from device serial (matches liberate.sh output)."""
+    serial = get_device_serial()
+    return hashlib.sha256(f"adacam-api-{serial}-token".encode()).hexdigest()[:32]
+
+
+def require_auth(f):
+    """Decorator: require valid Bearer token for protected endpoints."""
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        auth = request.headers.get('Authorization', '')
+        token = auth.replace('Bearer ', '').strip()
+        if token != get_api_token():
+            return jsonify({'error': 'unauthorized'}), 401
+        return f(*args, **kwargs)
+    return decorated