fix: transparent proxy authentication and token expiration handling

- Remove broken JellyfinAuthFilter that was checking non-existent CLIENT_USERNAME
- Clients now authenticate directly with Jellyfin (transparent proxy model)
- Improved token expiration detection and session cleanup
- Better logging with reduced verbosity (removed emoji spam)
- Added support for X-Emby-Token header format
- Added detection of public endpoints that don't require auth
- SessionManager now properly detects 401 responses and removes expired sessions
- Clarified .env.example comments about server-side vs client-side auth
- All functionality preserved: Spotify injection, external providers, playback tracking

.env.example

@@ -18,13 +18,17 @@ SUBSONIC_URL=http://localhost:4533
 # Server URL (required if using Jellyfin backend)
 JELLYFIN_URL=http://localhost:8096
 
-# API key for authentication (get from Jellyfin Dashboard > API Keys)
+# API key for SERVER-SIDE operations only (get from Jellyfin Dashboard > API Keys)
+# This is used by Allstarr to query Jellyfin's library on behalf of the server
+# CLIENT authentication is handled transparently - clients authenticate directly with Jellyfin
 JELLYFIN_API_KEY=
 
-# User ID (get from Jellyfin Dashboard > Users > click user > check URL)
+# User ID for SERVER-SIDE library queries (get from Jellyfin Dashboard > Users > click user > check URL)
+# This determines which user's library Allstarr queries when searching/browsing
 JELLYFIN_USER_ID=
 
 # Music library ID (optional, auto-detected if not set)
+# If you have multiple libraries, set this to filter to music only
 JELLYFIN_LIBRARY_ID=
 
 # ===== MUSIC SOURCE SELECTION =====