Add customer lookup for phone app, add fallback mysql search for new products in product editor

inventory-server/dashboard/acot-server/utils/phoneAuth.js

@@ -0,0 +1,28 @@
+// Shared-secret auth for customer-lookup endpoints that expose PII.
+// The acot-phone-server sends `x-acot-api-key` on every request; we compare
+// against ACOT_PHONE_API_KEY from the environment using timing-safe comparison.
+
+const crypto = require('crypto');
+
+function requirePhoneApiKey(req, res, next) {
+  const expected = process.env.ACOT_PHONE_API_KEY;
+  if (!expected) {
+    console.error('ACOT_PHONE_API_KEY not configured; rejecting all requests');
+    return res.status(503).json({ success: false, error: 'auth_not_configured' });
+  }
+
+  const provided = req.get('x-acot-api-key') || '';
+  const expectedBuf = Buffer.from(expected);
+  const providedBuf = Buffer.from(provided);
+
+  if (
+    providedBuf.length !== expectedBuf.length ||
+    !crypto.timingSafeEqual(providedBuf, expectedBuf)
+  ) {
+    return res.status(401).json({ success: false, error: 'unauthorized' });
+  }
+
+  next();
+}
+
+module.exports = { requirePhoneApiKey };