Add authentication, user management, and database migration features

- Implement OAuth 2.0 and PAT authentication methods
- Add user management, roles, and profile functionality
- Add database migrations and admin user scripts
- Update services for authentication and user settings
- Add protected routes and permission hooks
- Update documentation for authentication and database access

backend/src/services/syncEngine.ts

@@ -80,6 +80,8 @@ class SyncEngine {
   /**
    * Initialize the sync engine
    * Performs initial sync if cache is cold, then starts incremental sync
+   * Note: Sync engine uses service account token from .env (JIRA_SERVICE_ACCOUNT_TOKEN)
+   * for all read operations. Write operations require user PAT from profile settings.
    */
   async initialize(): Promise<void> {
     if (this.isRunning) {
@@ -88,27 +90,11 @@ class SyncEngine {
     }
 
     logger.info('SyncEngine: Initializing...');
+    logger.info('SyncEngine: Sync uses service account token (JIRA_SERVICE_ACCOUNT_TOKEN) from .env');
     this.isRunning = true;
 
-    // Check if we need a full sync
-    const stats = await cacheStore.getStats();
-    const lastFullSync = stats.lastFullSync;
-    const needsFullSync = !stats.isWarm || !lastFullSync || this.isStale(lastFullSync, 24 * 60 * 60 * 1000);
-
-    if (needsFullSync) {
-      logger.info('SyncEngine: Cache is cold or stale, starting full sync in background...');
-      // Run full sync in background (non-blocking)
-      this.fullSync().catch(err => {
-        logger.error('SyncEngine: Background full sync failed', err);
-      });
-    } else {
-      logger.info('SyncEngine: Cache is warm, skipping initial full sync');
-    }
-
-    // Start incremental sync scheduler
-    this.startIncrementalSyncScheduler();
-    
-    logger.info('SyncEngine: Initialized');
+    // Sync can run automatically using service account token
+    logger.info('SyncEngine: Initialized (using service account token for sync operations)');
   }
 
   /**
@@ -140,8 +126,22 @@ class SyncEngine {
 
   /**
    * Perform a full sync of all object types
+   * Uses service account token from .env (JIRA_SERVICE_ACCOUNT_TOKEN)
    */
   async fullSync(): Promise<SyncResult> {
+    // Check if service account token is configured (sync uses service account token)
+    if (!jiraAssetsClient.hasToken()) {
+      logger.warn('SyncEngine: Jira service account token not configured, cannot perform sync');
+      return {
+        success: false,
+        stats: [],
+        totalObjects: 0,
+        totalRelations: 0,
+        duration: 0,
+        error: 'Jira service account token (JIRA_SERVICE_ACCOUNT_TOKEN) not configured in .env. Please configure it to enable sync operations.',
+      };
+    }
+
     if (this.isSyncing) {
       logger.warn('SyncEngine: Sync already in progress');
       return {
@@ -312,11 +312,18 @@ class SyncEngine {
 
   /**
    * Perform an incremental sync (only updated objects)
+   * Uses service account token from .env (JIRA_SERVICE_ACCOUNT_TOKEN)
    * 
    * Note: On Jira Data Center, IQL-based incremental sync is not supported.
    * We instead check if a periodic full sync is needed.
    */
   async incrementalSync(): Promise<{ success: boolean; updatedCount: number }> {
+    // Check if service account token is configured (sync uses service account token)
+    if (!jiraAssetsClient.hasToken()) {
+      logger.debug('SyncEngine: Jira service account token not configured, skipping incremental sync');
+      return { success: false, updatedCount: 0 };
+    }
+
     if (this.isSyncing) {
       return { success: false, updatedCount: 0 };
     }