Refactor auth middleware

Description

The current auth middleware is doing too much. Split into separate concerns: token validation, role check, rate limit.