feat: implement skins/capes, profile endpoints, session server

Skins & capes:
- Fix uploadSkin auth: Bearer token instead of user_id form hack
- Add POST /api/web/profile/cape (upload cape)
- Add DELETE /api/web/profile/skin and DELETE /api/web/profile/cape
- Validate skin PNG dimensions (64x32, 64x64, 128x128, 128x64)
- Add size limits: 1 MB for skins, 2 MB for capes
- Add basic email validation on register

Profile & session server:
- Add GET /api/web/profile/{uuid} — public profile with skin/cape hashes
- Add GET /sessionserver/session/minecraft/profile/{uuid} — Mojang-compatible
  texture response for game client
- Add POST /authserver/invalidate and POST /authserver/signout
- Export VerifyPassword and ExtractBearer from auth package
- Remove duplicate verifyPassword from api.go
- Add PlayerTextures model to database.go

internal/admin/admin.go

@@ -17,6 +17,7 @@ import (
 	"strconv"
 	"strings"
 
+	"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/auth"
 	"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/config"
 	"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/database"
 )
@@ -51,7 +52,7 @@ const ctxKeyUserID ctxKey = 0
 
 func (h *Handler) auth(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		token := extractBearer(r.Header.Get("Authorization"))
+		token := auth.ExtractBearer(r.Header.Get("Authorization"))
 		if token == "" {
 			writeError(w, http.StatusUnauthorized, "Missing authorization token")
 			return
@@ -92,13 +93,6 @@ func (h *Handler) ciToken(next http.HandlerFunc) http.HandlerFunc {
 	}
 }
 
-func extractBearer(h string) string {
-	if strings.HasPrefix(h, "Bearer ") {
-		return h[7:]
-	}
-	return ""
-}
-
 // ── Modpack CRUD ──────────────────────────────────────────────
 
 type modpackRequest struct {