refactor(auth): migrate fully to HTTP-only cookie sessions

Remove client-side token storage and Authorization header injection
Backend login now only returns user data, omitting the session token
Remove Authorization from backend CORS allowed headers
Clean up obsolete VITE_* environment variable fallbacks
Update Modal component to use Vue useId() instead of Math.random()

frontend/nuxt.config.ts

@@ -12,13 +12,11 @@ export default defineNuxtConfig({
   runtimeConfig: {
     serverApiBaseUrl:
       process.env.NUXT_SERVER_API_BASE_URL ??
-      process.env.NUXT_API_BASE_URL ??
       process.env.NUXT_PUBLIC_API_BASE_URL ??
-      process.env.VITE_API_BASE_URL ??
       'http://localhost:3001',
     public: {
-      apiBaseUrl: process.env.NUXT_PUBLIC_API_BASE_URL ?? process.env.VITE_API_BASE_URL ?? 'http://localhost:3001',
-      siteUrl: normalizeSiteUrl(process.env.NUXT_PUBLIC_SITE_URL ?? process.env.VITE_SITE_URL)
+      apiBaseUrl: process.env.NUXT_PUBLIC_API_BASE_URL ?? 'http://localhost:3001',
+      siteUrl: normalizeSiteUrl(process.env.NUXT_PUBLIC_SITE_URL)
     }
   },
   app: {