fix: add auth layer to family protected routes

Fix authentication for /families/:id/members endpoint by adding
auth_layer instead of just session_layer to family_protected_routes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

backend/src/lib.rs

@@ -176,7 +176,7 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
         .route("/my-family/invite-links", get(routes::invite_link::get_my_invite_links))
         .route("/my-family/invite-links/:token", delete(routes::invite_link::delete_invite_link))
         .route("/invite/:token/join", post(routes::invite_link::join_family_via_invite))
-        .layer(auth_layer)
+        .layer(auth_layer.clone())
         .with_state(db.clone());
 
     let family_protected_routes = Router::new()
@@ -201,7 +201,7 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
         .route("/families/:family_id/shopping-items/clear-all", delete(routes::shopping_item::clear_all))
         .route("/families/:family_id/members", get(routes::user::get_family_members))
         .route_layer(axum_middleware::from_fn(middleware::require_family_access))
-        .layer(session_layer.clone())
+        .layer(auth_layer.clone())
         .with_state(db.clone());
 
     let public_routes = Router::new()