1e5c8b5ab7
sessionTokenFromHTTP now matches extractBearerToken's trimming behavior. Without this, a bearer header with trailing whitespace (e.g. a buggy client or proxy) authenticates via RequireUser but hashes the padded value on logout, silently no-oping and leaving the server-side session alive. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>