feat(security): enforce admin allowlist guard on admin APIs and attach bearer for admin client

backend/.env.example

@@ -21,3 +21,6 @@ AUTHENTIK_USERINFO_ENDPOINT=
 
 PUBLIC_FRONTEND_ORIGINS=https://member.ose.tw,https://mkt.ose.tw,https://admin.ose.tw
 INTERNAL_SHARED_SECRET=CHANGE_ME
+ADMIN_ALLOWLIST_EMAILS=
+ADMIN_ALLOWLIST_SUBS=
+ADMIN_REQUIRED_GROUPS=