feat: Implement Session Token System with /api/v1 base path

- Add migration 000004 for sessions table and performance indexes
- Create session.sql queries for CRUD operations
- Generate session repository code with sqlc
- Create token auth middleware for Echo framework
- Create token handler with create/delete/cleanup endpoints
- Add /api/v1 router with token authentication infrastructure
- Update dbHelper.go to use Up() instead of Migrate(2)
- Update server.go to initialize token handler
- Existing endpoints remain functional (to be deprecated)

New endpoints:
- POST /api/v1/token - Create new session token
- DELETE /api/v1/token - Invalidate token
- POST /api/v1/token/cleanup - Remove expired sessions

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>

internal/server/routes.go

@@ -2,13 +2,16 @@ package server
 
 import (
 	"music-server/cmd/web"
+	"music-server/internal/db"
+	"music-server/internal/logging"
+	"music-server/internal/server/middleware"
 	"net/http"
 	"sort"
 	"strings"
 
 	"github.com/a-h/templ"
 	"github.com/labstack/echo/v5"
-	"github.com/labstack/echo/v5/middleware"
+	echoMiddleware "github.com/labstack/echo/v5/middleware"
 	echoSwagger "github.com/swaggo/echo-swagger/v2"
 	"go.uber.org/zap"
 	"music-server/internal/logging"
@@ -36,9 +39,9 @@ func (s *Server) RegisterRoutes() http.Handler {
 		http.ServeFile(w, r, "cmd/docs/swagger.json")
 	})))
 	e.Use(logging.RequestLogger())
-	e.Use(middleware.Recover())
+	e.Use(echoMiddleware.Recover())
 
-	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+	e.Use(echoMiddleware.CORSWithConfig(echoMiddleware.CORSConfig{
 		AllowOrigins:     []string{"https://*", "http://*"},
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"},
 		AllowHeaders:     []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
@@ -103,6 +106,33 @@ func (s *Server) RegisterRoutes() http.Handler {
 	musicGroup.GET("/addQue", music.AddLatestToQue)
 	musicGroup.GET("/addPlayed", music.AddLatestPlayed)
 
+	// ============================================
+	// API v1 Routes with Token Authentication
+	// ============================================
+	
+	// Create /api/v1 group
+	apiV1 := e.Group("/api/v1")
+	
+	// Public endpoints - no token required
+	apiV1.POST("/token", func(c *echo.Context) error {
+		return s.tokenHandler.CreateTokenHandler(c)
+	})
+	apiV1.DELETE("/token", func(c *echo.Context) error {
+		return s.tokenHandler.DeleteTokenHandler(c)
+	})
+	apiV1.POST("/token/cleanup", func(c *echo.Context) error {
+		return s.tokenHandler.CleanupExpiredSessionsHandler(c)
+	})
+
+	// Protected endpoints - require valid token
+	// Create token auth middleware with pool access
+	tokenAuthMiddleware := middleware.TokenAuthMiddleware(db.Dbpool)
+
+	// Protected group with token authentication - will be used by VGMQ and Statistics API
+	_ = apiV1.Group("", tokenAuthMiddleware)
+
+	// Note: Future protected endpoints (VGMQ, Statistics) will be added here
+
 	routes := e.Router().Routes()
 	sort.Slice(routes, func(i, j int) bool {
 		return routes[i].Path < routes[j].Path