
fix: Secure unauthenticated proof status update #15

Open
LSUDOKO wants to merge 1 commit into c2siorg:main from LSUDOKO:fix/unauthenticated-proof-status-update

LSUDOKO commented Mar 15, 2026

Description

This PR addresses a critical security vulnerability where the POST /update-proof-status endpoint (and other sensitive state-mutating endpoints) in the lensmint-public-server lacked any form of authentication.

Previously, a malicious actor could bypass the Zero-Knowledge proof generation process by calling the endpoint and marking an unverified image's claim ID as "verified" with a fake transaction hash.

Changes Made:

  1. lensmint-public-server/server.js: Added a requireAuth middleware based on a Shared Secret Webhook method. This middleware checks for a valid Authorization: Bearer <API_SECRET> header and rejects unauthorized requests with a 401 Unauthorized error.
  2. hardware-web3-service/claimClient.js: Updated the Axios client constructor to automatically attach the Authorization header containing the API_SECRET to all outgoing requests.

Impact & Security Gains

  • Completely prevents malicious manipulation of the ZK proof verification status.
  • State-mutating routes like /create-claim, /update-proof-status, /update-claim-status, and others are now fully protected.
  • Note: This change requires setting the API_SECRET environment variable in both the server's .env and the client's .env files.

Proof of Fix

When a malicious actor attempts to send a forged request without the Authorization header, the server now correctly blocks the payload:

Malicious Request:

curl -X POST http://localhost:5001/update-proof-status \
  -H "Content-Type: application/json" \
  -d '{
    "claim_id": "test_claim_123",
    "verification_status": "verified",
    "proof_tx_hash": "0xFakeTransactionHash12345"
  }'

Server Response (Successfully Blocked):

[Image: screenshot of the server response]

When an authorized client (like our hardware-web3-service) sends a request with the correct secret, it processes correctly.

fixes #11
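
One way to write the shared-secret check described in this PR, as an added example that is not the PR's own code: an Express-style middleware that compares the bearer token in constant time and fails closed when API_SECRET is unset. The names makeRequireAuth, secretsMatch and simulate, and the 503 response for a missing secret, are assumptions; the sample secret is constructed.

```javascript
// Added example; not the code from this PR.
const { createHash, timingSafeEqual } = require("node:crypto");

// Hash both sides so timingSafeEqual always receives equal-length buffers
// and the comparison time does not depend on where the strings differ.
function secretsMatch(presented, expected) {
  const a = createHash("sha256").update(String(presented)).digest();
  const b = createHash("sha256").update(String(expected)).digest();
  return timingSafeEqual(a, b);
}

// Factory (hypothetical name) so the secret is injected once at startup,
// e.g. makeRequireAuth(process.env.API_SECRET).
function makeRequireAuth(apiSecret) {
  return function requireAuth(req, res, next) {
    // Fail closed: with no secret configured, nothing may authenticate,
    // including a client that sends the literal string "undefined".
    if (typeof apiSecret !== "string" || apiSecret.length === 0) {
      return res.status(503).json({ error: "API_SECRET not configured" });
    }
    const header = req.headers["authorization"] || "";
    const match = /^Bearer +(\S+)$/i.exec(header);
    if (!match || !secretsMatch(match[1], apiSecret)) {
      return res.status(401).json({ error: "Unauthorized" });
    }
    return next();
  };
}

// Constructed stand-in for Express req/res so the middleware runs offline.
function simulate(apiSecret, headers) {
  const out = { status: null, body: null, passed: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  makeRequireAuth(apiSecret)({ headers }, res, () => { out.passed = true; });
  return out;
}

const SECRET = "constructed-secret-for-demo"; // constructed sample value
console.log(simulate(SECRET, {}));                                   // no header
console.log(simulate(SECRET, { authorization: "Bearer wrong" }));    // bad token
console.log(simulate(SECRET, { authorization: `Bearer ${SECRET}` })); // good token
console.log(simulate(undefined, { authorization: "Bearer undefined" })); // unset secret
```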

Development

Successfully merging this pull request may close these issues.

Unauthenticated Proof Status Update
