fix: Query parameter conflict in require_auth_flexible

Root Cause Analysis:
- FastAPI cannot distinguish between endpoint Query params and Dependency Query params
- When endpoint has Query(...), dependency Query(default=None, name='token') is ignored
- Token went to endpoint, not to require_auth_flexible

Solution:
- Renamed internal parameter to auth_token with alias='token'
- Now FastAPI correctly routes ?token=XXX to the dependency
- Uses Query(default=None, alias='token') to maintain API compatibility

Testing:
- Header auth: Works (X-Auth-Token)
- Query auth: Now works (?token=XXX)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Lars 2026-04-18 07:53:18 +02:00
parent 1a826973a9
commit d2b4f74cd2


@ -76,11 +76,12 @@ def require_auth(x_auth_token: Optional[str] = Header(default=None)):
return session
def require_auth_flexible(x_auth_token: Optional[str] = Header(default=None), token: Optional[str] = Query(default=None)):
def require_auth_flexible(x_auth_token: Optional[str] = Header(default=None), auth_token: Optional[str] = Query(default=None, alias="token")):
"""
FastAPI dependency - auth via header OR query parameter.
Used for endpoints accessed by <img> tags that can't send headers.
Query parameter is 'token' (via alias) to avoid conflicts with endpoint parameters.
Usage:
@app.get("/api/photos/{id}")
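Review bot: the added docstring line "Query parameter is 'token' (via alias) to avoid conflicts with endpoint parameters" is misleading, because `alias="token"` keeps the external name `token` and only the Python argument is renamed to `auth_token`. An endpoint that declares its own `token` query parameter would still read the same key, so the docstring should say that endpoints using this dependency must not declare a query parameter named `token`. A regression test that calls an endpoint with its own `Query(...)` parameters plus `?token=` would pin the behaviour the commit message describes, which is currently only checked by hand.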
@ -90,9 +91,7 @@ def require_auth_flexible(x_auth_token: Optional[str] = Header(default=None), to
Raises:
HTTPException 401 if not authenticated
"""
print(f"[DEBUG] require_auth_flexible: x_auth_token={x_auth_token!r}, token={token!r}")
session = get_session(x_auth_token or token)
print(f"[DEBUG] get_session returned: {session!r}")
session = get_session(x_auth_token or auth_token)
if not session:
raise HTTPException(401, "Nicht eingeloggt")
return session
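Review bot: the removed `print` lines formatted `x_auth_token` and `token` with `!r`, so wherever the parent commit ran with stdout captured, the logs hold raw session tokens; those sessions should be invalidated and the affected logs purged. In the remaining call `get_session(x_auth_token or auth_token)` the query value is looked up exactly like the header value, so a full session token still travels in the URL of every `<img>` request and ends up in access logs and browser history. A short-lived or image-scoped token for the query path would limit that exposure.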