fix: improve error handling and session management in various handlers and middleware

backend/internal/api/middleware/auth.go

@@ -43,15 +43,13 @@ func AuthMiddleware(authService *services.AuthService) gin.HandlerFunc {
 }
 
 func extractAuthToken(c *gin.Context) (string, bool) {
-	authHeader := ""
-
-	// Try cookie first for browser flows (including WebSocket upgrades)
-	if cookieToken := extractAuthCookieToken(c); cookieToken != "" {
-		authHeader = "Bearer " + cookieToken
-	}
+	authHeader := c.GetHeader("Authorization")
 
+	// Fall back to cookie for browser flows (including WebSocket upgrades)
 	if authHeader == "" {
-		authHeader = c.GetHeader("Authorization")
+		if cookieToken := extractAuthCookieToken(c); cookieToken != "" {
+			authHeader = "Bearer " + cookieToken
+		}
 	}
 
 	// DEPRECATED: Query parameter authentication for WebSocket connections