Three tests were also implemented to check initial implementation that now invalidates expired access and refresh tokens and also rotating refresh tokens.
Since I introduced wrapper functions for create_oauth_token to distinguish between access and refresh token there is no need to set the token type in the data dict, since the type is now enforced in the wrapper functions create_access_token and create_refresh_token.
By convention I renamed create_oauth_token to _create_oauth_token as it is considered a private helper function now.
Change allow_existing default to True so duplicate fingerprint matches
return the existing device (200) instead of 409 Conflict. Add model
validator to force allow_existing=False when allow_duplicate is set.
Add tests for duplicate device registration scenarios (409 conflict,
allow_existing, allow_duplicate, reset_syncs). Fix compute_file_hash
function references after relocation to assets_handler.
Implement device registration and save sync tracking to enable
multi-device save management with conflict detection.
- Device CRUD endpoints (POST/GET/PUT/DELETE /api/devices)
- Save sync state tracking per device
- Conflict detection on upload (409 when device has stale sync)
- Download sync tracking (optimistic and confirmed modes)
- Track/untrack saves per device
- DEVICES_READ/WRITE scopes for authorization
