
feat(BA-2825): Implement JWT authentication module for GraphQL Federation #6410

Merged: HyeockJinKim merged 2 commits into main from feat/apply-jwt-gateway on Oct 27, 2025


@HyeockJinKim (Collaborator)

This commit implements a JWT-based authentication system to support GraphQL Federation with Hive Router. The traditional HMAC signature verification fails when Hive Router splits queries into subgraph requests with different request bodies.

Key components:

  • JWTConfig: Pydantic-based configuration with validation
  • JWTSigner: Token generation from authenticated user context
  • JWTValidator: Token validation and claims extraction
  • JWTClaims/JWTUserContext: Structured dataclasses for type safety
  • Custom exceptions inheriting from BackendAIError

Design decisions:

  • Algorithm: HS256 (symmetric) for simplicity
  • Token TTL: 15 minutes (configurable)
  • Custom header: X-BackendAI-Token (avoids conflict with appproxy)
  • No replay attack prevention (internal network, short TTL)
  • Stateless validation in manager (no Redis dependency)

The module is placed in ai.backend.common for sharing between webserver (token generation) and manager (token validation).

resolves #6405 (BA-2825)

Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
  • Mention to the original issue
  • Installer updates including:
    • Fixtures for db schema changes
    • New mandatory config options
  • Update of end-to-end CLI integration tests in ai.backend.test
  • API server-client counterparts (e.g., manager API -> client SDK)
  • Test case(s) to:
    • Demonstrate the difference of before/after
    • Demonstrate the flow of abstract/conceptual models with a concrete implementation
  • Documentation
    • Contents in the docs directory
    • docstrings in public interfaces and type annotations
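
Added example (not part of the PR and not the project's JWTSigner/JWTValidator code): a standard-library illustration of why a signature that covers the request body stops verifying once the router rewrites the body, while an HS256 token carried in a header such as X-BackendAI-Token still validates until its TTL runs out. The secret, request bodies, timestamp, claim name and all function names are constructed for illustration, and `body_hmac` is a simplified stand-in rather than Backend.AI's actual request-signing scheme.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret-not-real"  # constructed key for this example
TTL = 15 * 60  # the 15-minute TTL from the PR description

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def body_hmac(body: bytes) -> str:
    # Simplified stand-in for a signature that covers the request body.
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def sign_jwt(claims: dict, now: int) -> str:
    header, payload = {"alg": "HS256", "typ": "JWT"}, dict(claims, iat=now, exp=now + TTL)
    signing_input = ".".join(b64u(json.dumps(part).encode()) for part in (header, payload))
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(mac)}"

def validate_jwt(token: str, now: int) -> dict:
    h64, p64, s64 = token.split(".")  # ValueError if not exactly three segments
    header = json.loads(b64u_dec(h64))
    # Pin the algorithm on the verifier side; the header is untrusted input.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u_dec(s64), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))  # parsed only after the signature checks out
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def outcome(token: str, now: int) -> str:
    try:
        return "ok:" + validate_jwt(token, now)["sub"]
    except ValueError as exc:
        return str(exc)

NOW = 1_761_000_000  # constructed timestamp
ORIGINAL = b'{"query":"{ user { id } sessions { id } }"}'  # constructed client body
SUBGRAPH = b'{"query":"{ user { id } }"}'  # constructed body after the router splits it
TOKEN = sign_jwt({"sub": "user-1234"}, NOW)
```

`body_hmac(ORIGINAL)` and `body_hmac(SUBGRAPH)` differ, so a body-bound signature computed by the client cannot verify on the split request. `outcome(TOKEN, NOW + TTL - 1)` still succeeds on every presentation, which is the replay window the design accepts, and `outcome(TOKEN, NOW + TTL)` is rejected.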

…tion

This commit implements a JWT-based authentication system to support
GraphQL Federation with Hive Router. The traditional HMAC signature
verification fails when Hive Router splits queries into subgraph
requests with different request bodies.

Key components:
- JWTConfig: Pydantic-based configuration with validation
- JWTSigner: Token generation from authenticated user context
- JWTValidator: Token validation and claims extraction
- JWTClaims/JWTUserContext: Structured dataclasses for type safety
- Custom exceptions inheriting from BackendAIError

Design decisions:
- Algorithm: HS256 (symmetric) for simplicity
- Token TTL: 15 minutes (configurable)
- Custom header: X-BackendAI-Token (avoids conflict with appproxy)
- No replay attack prevention (internal network, short TTL)
- Stateless validation in manager (no Redis dependency)

The module is placed in ai.backend.common for sharing between
webserver (token generation) and manager (token validation).

Related: BA-2824

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings October 26, 2025 15:05
@github-actions github-actions Bot added the size:XL 500~ LoC label Oct 26, 2025

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR implements a JWT-based authentication module to support GraphQL Federation with Hive Router, replacing traditional HMAC signature verification which fails when Hive Router splits queries into subgraph requests.

Key Changes:

  • Introduces JWTConfig, JWTSigner, JWTValidator classes for token generation and validation
  • Adds JWTClaims and JWTUserContext dataclasses for type-safe data handling
  • Implements custom JWT exceptions inheriting from BackendAIError

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/ai/backend/common/jwt/__init__.py | Module entry point with exports and usage documentation |
| src/ai/backend/common/jwt/config.py | Pydantic-based JWT configuration with validation |
| src/ai/backend/common/jwt/exceptions.py | Custom JWT exception hierarchy |
| src/ai/backend/common/jwt/signer.py | Token generation from authenticated user context |
| src/ai/backend/common/jwt/validator.py | Token validation and claims extraction |
| src/ai/backend/common/jwt/types.py | Dataclasses for JWT claims and user context |
| tests/common/jwt/BUILD | Build configuration for test suite |
| tests/common/jwt/test_signer.py | Comprehensive tests for JWT signer |
| tests/common/jwt/test_types.py | Tests for JWT types and dataclasses |
| tests/common/jwt/test_validator.py | Tests for JWT validator |


@github-actions github-actions Bot added the comp:common Related to Common component label Oct 26, 2025
@HyeockJinKim HyeockJinKim added this pull request to the merge queue Oct 27, 2025
Merged via the queue into main with commit c99d9d5 Oct 27, 2025
28 checks passed
@HyeockJinKim HyeockJinKim deleted the feat/apply-jwt-gateway branch October 27, 2025 16:15
jopemachine pushed a commit that referenced this pull request Oct 30, 2025
…tion (#6410)

Co-authored-by: Claude <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

Design JWT authentication flow and select implementation approach
