Require auth for debug and settings API routes
Enforce access control on API endpoints by importing and calling auth helpers. The debug/config and debug/refresh GET handlers now accept locals and call requireAdmin to restrict access to admins. The user settings GET and POST handlers now call requireAuth and accept locals to ensure requests are authenticated. Also updated imports accordingly.
