fix(auth): logout invalidates session before audit (CWE-613)

Reorder AuthSessionController.logout so HttpSession.invalidate runs before
AuthService.logout, and wrap the audit call in try/catch so an exception (e.g.
the user was deleted between login and logout, making the audit-time
findByEmail throw) cannot leave the session row alive in spring_session.
The user's intent — "log me out" — is honoured even when audit fails.
Addresses PR #612 / Nora B2.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/src/test/java/org/raddatz/familienarchiv/auth/AuthSessionControllerTest.java

@@ -129,4 +129,16 @@ class AuthSessionControllerTest {
         mockMvc.perform(post("/api/auth/logout"))
             .andExpect(status().isUnauthorized());
     }
+
+    @Test
+    void logout_returns_204_even_when_audit_throws() throws Exception {
+        // CWE-613 defense: the session MUST be invalidated even if the audit lookup
+        // explodes (e.g. user deleted between login and logout). Audit is best-effort.
+        doThrow(new RuntimeException("audit DB down"))
+            .when(authService).logout(anyString(), anyString(), anyString());
+
+        mockMvc.perform(post("/api/auth/logout")
+                .with(user("ghost@test.de")))
+            .andExpect(status().isNoContent());
+    }
 }