Map the caller's forwarded auth token to a userId

The scheduled-reports-service forwards the end user's auth headers verbatim; needsAuth validates them and populates req.user. This is the only identity step the scheduler cannot perform itself — token lookup, HMAC validation, and replay-protection all live in bgms.