SECURITY: JWT Token Leak in All Authenticated Endpoints via URL Query Parameter Fallback
A critical security flaw in the `JWTAuth` middleware allows authentication tokens to be exposed via URL query parameters across all authenticated HTTP endpoints, not just the intended WebSocket connections. This design oversight means any request to a protected route can inadvertently leak sensitive JSON Web Tokens through standard web infrastructure, creating a broad attack surface for credential harvesting.
The vulnerability resides in the middleware's fallback logic at `pkg/middleware/middleware.go:148-155`. While intended to support WebSocket handshakes where custom headers are problematic, the code path is triggered for all requests routed through the `RequireAuth` wrapper. Consequently, a JWT passed as a `?token=` query parameter is accepted as valid authentication. This token is then exposed in multiple vectors: standard HTTP server and reverse proxy access logs, which record full URLs by default; the user's browser history; and outgoing HTTP Referer headers when the user navigates to external sites.
This leakage represents a severe credential exposure risk. Any logged token can be extracted by anyone with access to server logs, potentially compromising user accounts and administrative functions. The silent, systemic nature of the flaw, which affects every authenticated endpoint, amplifies the threat, as developers may be unaware their tokens are being logged. Immediate remediation requires disabling the query parameter fallback for non-WebSocket requests or implementing a strict separation between WebSocket upgrade logic and standard HTTP authentication pathways.
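The following Go snippet is an added illustration of the remediation described above; it is not the project's `middleware.go` code. It assumes hypothetical extractor functions (`extractTokenVulnerable`, `extractTokenHardened`) and gates the `?token=` fallback on the WebSocket handshake headers (`Connection: Upgrade`, `Upgrade: websocket`), so ordinary HTTP requests must use the `Authorization` header.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical extractor (not the project's middleware.go): header first, then ?token=.
func extractTokenVulnerable(r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	return r.URL.Query().Get("token") // honoured on every route: the leak
}

// isWebSocketUpgrade reports whether the request is a WebSocket handshake:
// "Connection: Upgrade" plus "Upgrade: websocket" (RFC 6455, section 4.1).
func isWebSocketUpgrade(r *http.Request) bool {
	connUpgrade := false
	for _, v := range strings.Split(r.Header.Get("Connection"), ",") {
		if strings.EqualFold(strings.TrimSpace(v), "upgrade") {
			connUpgrade = true
		}
	}
	return connUpgrade && strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
}

// extractTokenHardened honours the query-parameter fallback only on WebSocket
// handshakes; ordinary HTTP requests must present the Authorization header.
func extractTokenHardened(r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	if isWebSocketUpgrade(r) {
		return r.URL.Query().Get("token")
	}
	return ""
}

func main() {
	// Constructed requests with a placeholder token, not traffic from the project.
	plain, _ := http.NewRequest("GET", "/api/profile?token=SAMPLE", nil)
	ws, _ := http.NewRequest("GET", "/ws?token=SAMPLE", nil)
	ws.Header.Set("Connection", "Upgrade")
	ws.Header.Set("Upgrade", "websocket")
	fmt.Println("vulnerable, plain GET:", extractTokenVulnerable(plain)) // SAMPLE
	fmt.Println("hardened, plain GET:", extractTokenHardened(plain))     // empty
	fmt.Println("hardened, websocket:", extractTokenHardened(ws))        // SAMPLE
}
```

With the hardened extractor, a token that arrives in the URL of a plain request is ignored, so it never becomes a valid credential even if it is recorded in access logs, browser history or a Referer header.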