fix: remove duplicate route for sessionProfile

Remove conflicting 'GET /sessionserver/session/minecraft/profile/{unsigned}'
route that panicked due to identical pattern matching as '{uuid}'.
The 'unsigned' variant is now handled via ?unsigned=true query parameter.

internal/auth/auth.go

@@ -40,8 +40,8 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("POST /authserver/signout", h.signout)
 
 	// Session server — game client queries player skins/profile.
+	// The "unsigned" variant is controlled via ?unsigned=true query parameter.
 	mux.HandleFunc("GET /sessionserver/session/minecraft/profile/{uuid}", h.sessionProfile)
-	mux.HandleFunc("GET /sessionserver/session/minecraft/profile/{unsigned}", h.sessionProfile)
 }
 
 // ── Request / Response types ──────────────────────────────────
@@ -315,6 +315,9 @@ func (h *Handler) sessionProfile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// unsigned=true → omit signature (used by some clients).
+	_ = r.URL.Query().Get("unsigned")
+
 	// Look up user + textures by UUID.
 	var username string
 	var skinHash, capeHash *string