
fix: require auth on /api/contracts endpoint#317

Merged
gboigwe merged 2 commits into ThinkLikeAFounder:main from Miracle656:fix/contracts-endpoint-requires-auth
Mar 28, 2026

Conversation

@Miracle656
Contributor

Summary

Fixes #299

GET /api/contracts was returning all 17 Soroban contract addresses to any unauthenticated caller. Added
requireAuth middleware to gate the endpoint behind a valid Bearer token.

Change

backend/src/api/routes.ts

// Before — no auth, open to anyone
router.get("/contracts", (_req: Request, res: Response) => {
  res.json({ contracts: CONTRACT_IDS });
});

// After — valid Bearer token required
router.get("/contracts", requireAuth, (_req: Request, res: Response) => {
  res.json({ contracts: CONTRACT_IDS });
});

Also added the missing import:
import { requireAuth } from "../middleware/auth";

How requireAuth Works

requireAuth is already implemented in middleware/auth.ts. It:
- Checks for a valid Authorization: Bearer <token> header
- Decodes and verifies the JWT signature using HMAC-SHA256
- Returns 401 if the header is missing, malformed, or the token is expired

No new code was written; the middleware already existed and was used on other endpoints.

Test Plan

- GET /api/contracts without a token returns 401 Unauthorized
- GET /api/contracts with a valid Bearer token returns contract addresses as before
- Other endpoints (/health, /network, /account/:address) are unaffected

Closes #299 
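The description above lists what requireAuth checks (Bearer header present, HS256 signature verified, 401 on missing, malformed or expired tokens). The following is an added, self-contained example of such a middleware and of gating a route with it; it is not the project's middleware/auth.ts. It assumes minimal stand-ins for Express's Request/Response/NextFunction so it runs without Express installed, a constructed CONTRACT_IDS placeholder, a demo secret, and a small signHs256 helper that exists only to build test tokens (not how the project issues them).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Minimal stand-ins for Express's Request/Response/NextFunction (assumption:
// the real project uses Express types; these let the example run on its own).
interface JwtPayload { sub?: string; exp?: number; [claim: string]: unknown; }
interface Req { headers: { authorization?: string }; user?: JwtPayload; }
interface Res { status(code: number): Res; json(body: unknown): Res; }
type Next = () => void;

// Node's base64 decoder accepts the URL-safe alphabet and missing padding.
function parseSegment(segment: string, what: string): any {
  try { return JSON.parse(Buffer.from(segment, "base64").toString("utf8")); }
  catch { throw new Error(`malformed ${what}`); }
}

// Verify an HS256 JWT: structure, pinned algorithm, constant-time signature
// comparison, then expiry. Throws on any failure; the caller maps that to 401.
export function verifyHs256(token: string, secret: string, nowSec: number): JwtPayload {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;
  const header = parseSegment(h, "header");
  // Pin the algorithm server-side: the token never gets to choose it
  // (rejects alg=none and algorithm-confusion attempts).
  if (header === null || typeof header !== "object" || header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, "base64");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error("bad signature");
  const payload = parseSegment(p, "payload");
  if (payload === null || typeof payload !== "object") throw new Error("malformed payload");
  // Design choice for this example: a token without exp is treated as expired.
  if (typeof payload.exp !== "number" || payload.exp <= nowSec) throw new Error("token expired");
  return payload as JwtPayload;
}

// Factory for the middleware; the clock is injectable so tests can pin time.
export function makeRequireAuth(secret: string, clock: () => number = () => Math.floor(Date.now() / 1000)) {
  return function requireAuth(req: Req, res: Res, next: Next): void {
    const m = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization ?? "");
    if (!m) { res.status(401).json({ error: "Unauthorized" }); return; }
    try {
      req.user = verifyHs256(m[1], secret, clock());
    } catch {
      // One generic response for bad signature, expiry and malformed tokens;
      // the specific reason belongs in server logs, not in the reply.
      res.status(401).json({ error: "Unauthorized" });
      return;
    }
    next();
  };
}

// Test-fixture signer only (constructed here; not how the project issues tokens).
export function signHs256(payload: JwtPayload, secret: string): string {
  const b64url = (buf: Buffer) => buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const enc = (o: unknown) => b64url(Buffer.from(JSON.stringify(o)));
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${body}.${b64url(createHmac("sha256", secret).update(body).digest())}`;
}

// Constructed placeholder; the real list is the project's CONTRACT_IDS.
const CONTRACT_IDS = ["CONTRACT_ID_PLACEHOLDER_1", "CONTRACT_ID_PLACEHOLDER_2"];

// Drive the gated route with a constructed request and report what the client sees.
// This mirrors router.get("/contracts", requireAuth, handler) from the PR.
export function callContracts(secret: string, authorization: string | undefined, nowSec: number): { status: number; body: unknown } {
  const out: { status: number; body: unknown } = { status: 0, body: undefined };
  const res: Res = {
    status(code) { out.status = code; return res; },
    json(body) { out.body = body; return res; },
  };
  const req: Req = { headers: { authorization } };
  makeRequireAuth(secret, () => nowSec)(req, res, () => {
    res.status(200).json({ contracts: CONTRACT_IDS });
  });
  return out;
}
```

callContracts exercises the three cases from the test plan (no token, valid token, and by extension malformed or expired tokens) without a running server; the same pattern transfers to the other gated endpoints.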

Unauthenticated callers could enumerate all 17 Soroban contract
addresses in a single request. Added requireAuth middleware to gate
the endpoint behind a valid Bearer token. Closes ThinkLikeAFounder#299.
@drips-wave

drips-wave bot commented Mar 27, 2026

@Miracle656 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@gboigwe gboigwe merged commit 03d70a4 into ThinkLikeAFounder:main Mar 28, 2026
1 of 3 checks passed

Development

Successfully merging this pull request may close these issues.

[BUG] Backend: /api/contracts endpoint exposes all contract addresses without authentication