fix(security #7,#8,#9): signed cookies, isAdmin tamper-proof, schema validation

#7 isAdmin trusted from unsigned cookie:
  - isAdmin is derived server-side from Emby Policy at login time
  - Cookie is now signed (HMAC) when COOKIE_SECRET env var is set;
    Express rejects tampered signatures (signedCookies returns false)
  - dashboard.js /user-downloads and /status now use requireAuth
    middleware (req.user) instead of re-parsing cookie directly

#8 cookie-parser used without signing secret:
  - cookieParser(COOKIE_SECRET) in index.js when env var is set
  - Hard-fails at startup in production if COOKIE_SECRET unset
  - Warns in development

#9 Cookie JSON parsed without schema validation:
  - parseSessionCookie() in auth.js and requireAuth.js both validate:
    id (non-empty string), name (non-empty string), isAdmin (boolean)
  - Invalid/tampered cookies return null / 401 respectively

server/middleware/requireAuth.js

@@ -1,13 +1,20 @@
 function requireAuth(req, res, next) {
-  const userCookie = req.cookies.emby_user;
-  if (!userCookie) {
+  const signed = !!process.env.COOKIE_SECRET;
+  const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
+  if (!raw || raw === false) {
     return res.status(401).json({ error: 'Not authenticated' });
   }
+  let u;
   try {
-    req.user = JSON.parse(userCookie);
+    u = JSON.parse(raw);
   } catch {
     return res.status(401).json({ error: 'Invalid session' });
   }
+  // Schema validation
+  if (typeof u.id !== 'string' || !u.id) return res.status(401).json({ error: 'Invalid session' });
+  if (typeof u.name !== 'string' || !u.name) return res.status(401).json({ error: 'Invalid session' });
+  if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
+  req.user = u;
   next();
 }