tryBearerAuth validated the bearer token but never looked up the
associated user or set it on the request context. This meant
downstream handlers calling GetCurrentUser would get nil even
with a valid token.
Changes:
- Add ContextWithUser/UserFromContext helpers in auth package
- tryBearerAuth now looks up the user by token's UserID and
sets it on the request context via auth.ContextWithUser
- GetCurrentUser checks context first before falling back to
session cookie
- Add integration tests for bearer auth user context
96eea71c54