Remove /api/qr and /api/v1/qr from exempt_paths in auth middleware so
the QR endpoint can no longer be hit without a valid session. Previously
any network-reachable client could GET /api/qr, decode the PNG, and
extract a fully valid 1-hour session token — a complete auth bypass
(OWASP A01 — Broken Access Control).
Changes:
- Remove /api/qr and /api/v1/qr from exempt_paths in dashboard_auth.py
- Reduce QR pairing token TTL from 1 hour to 60 seconds
- Add ttl_seconds param to create_session_token() for short-lived tokens
- Add audit log event on QR code generation
- Update v1 QR endpoint (/api/v1/auth.py) with matching fix
- Update tests: unauthenticated /api/qr now returns 401
- Update docs to reflect auth requirement
Fixes#854
ee64be4fc8