fix(auth): sign session cookie store with sessionSecret, not clientId

cookie-parser was initialized with settings.clientId (the Plex client
UUID), but express-session signs connect.sid with settings.sessionSecret.
The secrets differ, so cookie-parser's signature check on connect.sid
fails, the cookie is dropped from req.cookies, and the OpenAPI validator
rejects every authenticated request with "cookie 'connect.sid' required"
even though the browser is sending it correctly.

This also matches the signing secret used by the OIDC code-verifier and
state cookies that are stored via res.cookie(..., {signed: true}), which
read back through req.signedCookies during the callback.
Lauris
2026-05-30 21:06:10 +02:00
committed by Michael Thomas
parent 5975acacbd
commit 0bfd615c0d


@@ -162,7 +162,7 @@ app
if (settings.network.trustProxy) {
server.enable('trust proxy');
}
server.use(cookieParser(settings.clientId));
server.use(cookieParser(settings.sessionSecret));
server.use(express.json());
server.use(express.urlencoded({ extended: true }));
server.use((req, _res, next) => {
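Review bot: the replacement line `server.use(cookieParser(settings.sessionSecret));` fixes the mismatch, but cookie-parser and express-session still read the secret through two independent references, so the same drift can recur the next time either middleware is touched. Consider binding the value once (for example `const cookieSecret = settings.sessionSecret;`) and passing that to both, or adding a comment on this line stating that it must match the `express-session` secret. If `sessionSecret` is ever rotated, both middlewares accept an array of secrets, so the shared value can become a list without the two falling out of step again.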