Remove server API key fallback for client requests

SECURITY FIX: Stop using server API key when clients don't provide auth

Before: If client sent no auth → proxy used server API key → gave them access
After: If client sends no auth → proxy sends no auth → Jellyfin rejects (401)

This ensures:
- Unauthenticated users can't piggyback on server credentials
- All actions are properly attributed to the actual user
- Jellyfin's auth system works as intended
- Server API key only used for internal operations (images, library detection)

Updated test to reflect new behavior: GetJsonAsync without client headers
should NOT add any authentication.

allstarr.Tests/JellyfinProxyServiceTests.cs

@@ -85,7 +85,7 @@ public class JellyfinProxyServiceTests
     }
 
     [Fact]
-    public async Task GetJsonAsync_IncludesAuthHeader()
+    public async Task GetJsonAsync_WithoutClientHeaders_SendsNoAuth()
     {
         // Arrange
         HttpRequestMessage? captured = null;
@@ -102,13 +102,10 @@ public class JellyfinProxyServiceTests
         // Act
         await _service.GetJsonAsync("Items");
 
-        // Assert
+        // Assert - Should NOT include auth when no client headers provided
         Assert.NotNull(captured);
-        Assert.True(captured!.Headers.Contains("Authorization"));
-        var authHeader = captured.Headers.GetValues("Authorization").First();
-        Assert.Contains("MediaBrowser", authHeader);
-        Assert.Contains(_settings.ApiKey!, authHeader);
-        Assert.Contains(_settings.ClientName!, authHeader);
+        Assert.False(captured!.Headers.Contains("Authorization"));
+        Assert.False(captured.Headers.Contains("X-Emby-Authorization"));
     }
 
     [Fact]