Use session_secret for signed auth session tokens

2026-04-09 21:30:08 +02:00
parent 6eab47f7ba
commit 208f98dc97
8 changed files with 136 additions and 12 deletions


@@ -206,6 +206,7 @@ async def get_pending_recovery(request: Request) -> PendingRecovery | None:
async def require_auth(
request: Request,
db: Annotated[aiosqlite.Connection, Depends(get_db)],
settings: Annotated[Settings, Depends(get_settings)],
) -> Session:
"""Validate the session token and return the active session.
@@ -220,6 +221,7 @@ async def require_auth(
Args:
request: The incoming FastAPI request.
db: Injected aiosqlite connection.
settings: Application settings used for signed session token validation.
Returns:
The active :class:`~app.models.auth.Session`.
@@ -253,7 +255,7 @@ async def require_auth(
_session_cache.pop(token, None)
try:
session = await auth_service.validate_session(db, token)
session = await auth_service.validate_session(db, token, settings.session_secret)
except ValueError as exc:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,