fix(middleware): correct order - Auth runs BEFORE RBAC

In Axum, layers are applied bottom-to-top (last added runs first).
So Auth middleware must be added AFTER RBAC in the chain to run BEFORE it.

Previous order (wrong): RBAC -> Auth -> Handler
New order (correct): Auth -> RBAC -> Handler

Author: rodrigorodriguez

src/main.rs

@@ -500,18 +500,19 @@ async fn run_axum_server(
         .layer(rate_limit_extension)
         // Request ID tracking for all requests
         .layer(middleware::from_fn(request_id_middleware))
-        // RBAC middleware - checks permissions AFTER authentication
+        // Authentication middleware using provider registry
+        // NOTE: In Axum, layers are applied bottom-to-top, so this runs BEFORE RBAC
         .layer(middleware::from_fn(move |req: axum::http::Request<axum::body::Body>, next: axum::middleware::Next| {
-            let rbac = Arc::clone(&rbac_manager_for_middleware);
+            let state = auth_middleware_state.clone();
             async move {
-                botserver::security::rbac_middleware_fn(req, next, rbac).await
+                botserver::security::auth_middleware_with_providers(req, next, state).await
             }
         }))
-        // Authentication middleware using provider registry
+        // RBAC middleware - checks permissions AFTER authentication
         .layer(middleware::from_fn(move |req: axum::http::Request<axum::body::Body>, next: axum::middleware::Next| {
-            let state = auth_middleware_state.clone();
+            let rbac = Arc::clone(&rbac_manager_for_middleware);
             async move {
-                botserver::security::auth_middleware_with_providers(req, next, state).await
+                botserver::security::rbac_middleware_fn(req, next, rbac).await
             }
         }))
         // Panic handler catches panics and returns safe 500 responses