feat(bookings): restrict management to assigned PIC or super admin

Secure API endpoints with requireBookingManager authorization check
Update confirmation page to prompt for login if unauthorized
Add safe redirect handling to login and guest middleware

server/api/public/bookings/[token]/transaction-document.post.ts

@@ -2,6 +2,7 @@ import type { UpdateBookingDetailsResponse } from '~~/shared/booking'
 
 import { getHeader, readMultipartFormData } from 'h3'
 
+import { requireBookingManager } from '../../../../utils/auth'
 import {
   getBookingByConfirmationToken,
   replaceBookingTransactionDocumentByConfirmationToken
@@ -22,6 +23,8 @@ export default defineEventHandler(async (event): Promise<UpdateBookingDetailsRes
     httpError(404, 'Booking not found')
   }
 
+  await requireBookingManager(event, booking)
+
   if (booking.status !== 'pending') {
     httpError(409, 'Transaction document can only be changed before confirmation')
   }