Move auth and permission checks behind plugs and contexts #144

Open
nextinfinity wants to merge 2 commits into main from auth-permission-boundaries
@nextinfinity
Owner

Summary

This PR continues the controller/context modernization work by thinning the web layer around auth and permission handling, moving more token-sensitive behavior into shared domain modules, and tightening the surrounding tests.

The API shape stays mostly the same. The goal here is to make the current behavior easier to reason about before larger playback or schema work.

Main Changes

  • added request-level auth loading in the API pipeline
  • introduced shared auth/authorization plugs for:
    • required auth
    • non-anonymous access
    • current-user enforcement
    • admin enforcement
    • room-permission loading and enforcement
  • updated controllers to rely on those plugs instead of direct Guardian checks
  • moved more auth/session/reset behavior behind Accounts
  • moved room-permission updates and related events behind Rooms
  • switched permission updates to dispatch normal events rather than broadcasting directly from the controller
  • aligned route declarations with the controller actions that are actually supported
  • replaced the remaining sleep-based assertions in VideoControllerTest with deterministic polling
  • added targeted auth and permission regression coverage

Why

This is meant to cover the remaining Phase 1 / Phase 2 modernization work around:

  • reducing web-layer overreach in auth-sensitive flows
  • centralizing reusable authorization checks
  • making auth and permission behavior more consistent across controllers
  • hardening tests around security-sensitive paths and queue behavior

Notable Behavior / Boundary Changes

  • authenticated session creation now goes through Accounts.create_authenticated_session/2
  • anonymous session creation now goes through Accounts.create_anonymous_session/0
  • password reset requests now go through Accounts.request_password_reset/1
  • password reset completion now validates against the stored reset token via Accounts.reset_password/3
  • verification resend rotates the stored verification token
  • reset tokens are now covered as single-use in tests
  • room permission updates flow through Rooms.update_permission/3

Testing

Ran locally:

  • mix test test/streamshore/accounts_test.exs
  • mix test test/streamshore/accounts_test.exs test/streamshore/rooms_test.exs test/streamshore_web/controllers/user_controller_test.exs test/streamshore_web/controllers/permission_controller_test.exs test/streamshore_web/controllers/video_controller_test.exs test/streamshore_web/controllers/favorites_controller_test.exs test/streamshore_web/controllers/friends_controller_test.exs

Follow-up

UserController.update/2 still multiplexes several auth-related actions behind one update route.

That is intentionally left in place for now. We agreed to keep the current shape because it gives us a cleaner path to split those actions into distinct routes later without mixing that API change into this boundary-cleanup PR.

In other words: the sensitive token validation and persistence behavior has already moved down into Accounts, but the route/action split is still outstanding and should come in a follow-up PR.

@nextinfinity requested a review from jsovich on April 11, 2026 08:25
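
As an added illustration (not code from this PR or the Streamshore repository), the sketch below shows the token behaviour the description lists: reset completion validated against the stored token, single-use redemption, and rotation when a token is reissued. The module `ResetTokenSketch`, its function names and the map fields are hypothetical; storing a SHA-256 digest instead of the raw token is a choice made for this example, and `:crypto.hash_equals/2` assumes OTP 25 or later.

```elixir
# Added example: all names here are hypothetical, not Streamshore's Accounts API.
defmodule ResetTokenSketch do
  # Issue a token. The caller e-mails `token`; only its digest is stored.
  # Issuing again overwrites the stored digest, which rotates the token
  # and invalidates any previously issued one.
  def issue(user) do
    token = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
    {token, %{user | reset_digest: digest(token)}}
  end

  # No token outstanding: nothing to validate against.
  def redeem(%{reset_digest: nil}, _token, _new_hash), do: {:error, :invalid_token}

  # Validate against the stored digest, then clear it so the same token
  # cannot be replayed (single use).
  def redeem(%{reset_digest: stored} = user, token, new_hash) when is_binary(token) do
    if constant_time_equal?(stored, digest(token)) do
      {:ok, %{user | password_hash: new_hash, reset_digest: nil}}
    else
      {:error, :invalid_token}
    end
  end

  # Non-binary or otherwise malformed input is treated like a wrong token.
  def redeem(_user, _token, _new_hash), do: {:error, :invalid_token}

  defp digest(token), do: :crypto.hash(:sha256, token)

  # Constant-time comparison; hash_equals/2 requires equal-sized binaries.
  defp constant_time_equal?(a, b) when byte_size(a) == byte_size(b),
    do: :crypto.hash_equals(a, b)

  defp constant_time_equal?(_a, _b), do: false
end

# Constructed sample user; the pattern matches below act as assertions.
user = %{email: "user@example.test", password_hash: "old-hash", reset_digest: nil}

{first, user} = ResetTokenSketch.issue(user)
{second, user} = ResetTokenSketch.issue(user)

# The rotated-out token no longer validates.
{:error, :invalid_token} = ResetTokenSketch.redeem(user, first, "new-hash")
# The current token works once and clears the stored digest.
{:ok, user} = ResetTokenSketch.redeem(user, second, "new-hash")
# Replaying the same token fails.
{:error, :invalid_token} = ResetTokenSketch.redeem(user, second, "newer-hash")
```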