refactor(auth): replace untyped JWT claims with typed Claims struct

Introduced a typed Claims struct in core/auth to replace the raw
map[string]any approach used for JWT claims throughout the codebase.
This provides compile-time safety and better readability when creating,
validating, and extracting JWT tokens. Also upgraded lestrrat-go/jwx
from v2 to v3 and go-chi/jwtauth to v5.4.0, adapting all callers to
the new API where token accessor methods now return tuples instead of
bare values. Updated all affected handlers, middleware, and tests.

Signed-off-by: Deluan <deluan@navidrome.org>

server/public/handle_images_test.go

@@ -3,7 +3,6 @@ package public
 import (
 	"github.com/go-chi/jwtauth/v5"
 	"github.com/navidrome/navidrome/core/auth"
-	"github.com/navidrome/navidrome/model"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
@@ -15,18 +14,11 @@ var _ = Describe("decodeArtworkID", func() {
 
 	It("fails to decode an invalid token", func() {
 		_, err := decodeArtworkID("xx-123")
-		Expect(err).To(MatchError("invalid JWT"))
-	})
-
-	It("defaults to kind mediafile for empty artwork ID", func() {
-		token, _ := auth.CreatePublicToken(map[string]any{"id": ""})
-		id, err := decodeArtworkID(token)
-		Expect(err).ToNot(HaveOccurred())
-		Expect(id.Kind).To(Equal(model.KindMediaFileArtwork))
+		Expect(err).To(HaveOccurred())
 	})
 
 	It("fails to decode a token without an id", func() {
-		token, _ := auth.CreatePublicToken(map[string]any{})
+		token, _ := auth.CreatePublicToken(auth.Claims{})
 		_, err := decodeArtworkID(token)
 		Expect(err).To(HaveOccurred())
 	})