added input validation and security hardening

backend/routes/auth.js

@@ -219,8 +219,13 @@ function createAuthRouter(db, logAudit) {
         }
     });
 
-    // Clean up expired sessions (can be called periodically)
+    // Clean up expired sessions (admin only)
     router.post('/cleanup-sessions', async (req, res) => {
+        // Basic auth check - require a valid session to call this
+        const sessionId = req.cookies?.session_id;
+        if (!sessionId) {
+            return res.status(401).json({ error: 'Authentication required' });
+        }
         try {
             await new Promise((resolve, reject) => {
                 db.run(