feat: implement authenticated feed support across worker and web app

Wire up the full authenticated feeds pipeline:
- Worker resolves credentials from Supabase Vault for authenticated feeds
- Worker sets owner_id on entries for per-user dedup
- query_param auth now parses name=value format
- Add-feed dialog shows auth type + credential fields for pro/developer
- Subscribe mutation passes credentials to RPC
- Sidebar and settings show [auth] indicator for authenticated feeds

1 files changed, 8 insertions, 1 deletions

diff --git a/services/worker/internal/fetcher/authentication.go b/services/worker/internal/fetcher/authentication.go
index ba10196..9ee4539 100644
--- a/services/worker/internal/fetcher/authentication.go
+++ b/services/worker/internal/fetcher/authentication.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 )
 
 type AuthenticationConfiguration struct {
@@ -21,6 +22,12 @@ func ApplyAuthentication(request *http.Request, authenticationConfig Authenticat
 
 		request.Header.Set("Authorization", "Basic "+encodedCredentials)
 	case "query_param":
+		parts := strings.SplitN(authenticationConfig.AuthenticationValue, "=", 2)
+
+		if len(parts) != 2 {
+			return fmt.Errorf("query_param credential must be in format 'param_name=value', got: %s", authenticationConfig.AuthenticationValue)
+		}
+
 		existingURL, parseError := url.Parse(request.URL.String())
 
 		if parseError != nil {
@@ -29,7 +36,7 @@ func ApplyAuthentication(request *http.Request, authenticationConfig Authenticat
 
 		queryParameters := existingURL.Query()
 
-		queryParameters.Set("key", authenticationConfig.AuthenticationValue)
+		queryParameters.Set(parts[0], parts[1])
 
 		existingURL.RawQuery = queryParameters.Encode()
 		request.URL = existingURL