fix: accept base64url in auth header validation (browser uploads return 400)

[jaschadub]

Summary

Every browser-initiated upload against `ghcr.io/tarnover/send:latest` fails with `{"error": 400}` and the SPA navigates to `/error`. Root cause: the strict-format check I added in #1 used a standard-base64 regex (`+/`), but the SPA encodes the per-share auth key with base64url (`-_`, no padding) via `app/utils.js::arrayToB64`. The two have always disagreed in this fork — no browser upload could ever have succeeded.

Root cause

`app/utils.js`:
```js
function arrayToB64(array) {
return b64.fromByteArray(array)
.replace(/+/g, '-') // base64url
.replace(///g, '_')
.replace(/=/g, ''); // no padding
}
```

`server/routes/ws.js` and `server/routes/upload.js` (before this PR):
```js
!/^[A-Za-z0-9+/]+={0,2}$/.test(authParts[1]) // <-- rejects '-', '_', and missing padding
```

Fix

Two character-class edits, no behavior change for valid keys:
```diff

• !/^[A-Za-z0-9+/]+={0,2}$/.test(authParts[1])

• !/^[A-Za-z0-9+/_-]+={0,2}$/.test(authParts[1])
  ```

Applied identically in both `server/routes/ws.js` and `server/routes/upload.js`. Node's `Buffer.from(value, 'base64')` decodes both alphabets, so the downstream HMAC verifier in `server/middleware/auth.js` is unaffected and `meta.auth` storage stays in whatever alphabet the client sent.

Observability bonus

Previously the 400 rejection branches in both routes were silent — no `log.error()` — and `docker logs send` showed nothing useful, which is what made this take so long to track down. This PR adds:

• `log.error('upload.authFormat', { scheme: authParts[0] })` in `upload.js`
• `log.error('ws.params', { hasMetadata, hasAuth, timeLimit, dlimit })` and `log.error('ws.authFormat', { scheme })` in `ws.js`

So next time the WS / HTTP handler rejects a client at the 400 gate, an operator sees it.

Repro (Python, no browser)

```python
import json, base64, ssl
from websocket import create_connection
key = b"\xff" * 32
ws = create_connection("wss://snd.dx.pe/api/ws",
sslopt={"cert_reqs": ssl.CERT_NONE})
ws.send(json.dumps({
"fileMetadata": base64.b64encode(b"meta").decode(),
"authorization": "send-v1 " + base64.urlsafe_b64encode(key).decode().rstrip("="),
"timeLimit": 3600,
"dlimit": 1,
}))
print(ws.recv())
```

• Before this PR: `{"error": 400}`
• After this PR: `{"url": ..., "ownerToken": ..., "id": ...}` and the file is stored.

Same script with standard `base64.b64encode` already worked before this PR — that's how the reporter narrowed it down.

Reported by

Bug report from an operator running `ghcr.io/tarnover/send:latest` against `/version` reporting `v3.4.27` commit `f4e63ed` (current master tip).

Test plan

• `node --check` passes on both modified files.
• All 48 backend mocha tests still pass.
• Pull `ghcr.io/tarnover/send:fix-auth-base64url-regex` (the PR build), deploy, and upload a real file via the web UI — should succeed.
• Reporter's Python repro returns `{"url": ...}` against the PR build.

Follow-up (not in this PR)

We should add a backend regression test for the auth format gate. The current test suite (`test/backend/`) doesn't exercise either route handler's argument validation, which is how this regression made it to a release. Tracked separately.