Add Current user/sessions plumbing

**Epic:** Auth

**Description**
Introduce request-scoped access to the current user and its session.

**Acceptance criteria**

- `Current.user` and `Current.session` set per request
- `authenticate!` helper blocks unauthenticated access and expired tokens/sessions.
- Protected endpoint returns 401 when unauthenticated
- Request tests included