Fixed
- API-token requests (
Authorization: Bearer <token>) no longer crash with a 500 error when creating budget transactions, loans, loan repayments, notes, tasks, shopping lists, meals, or recipes. Affected routes read the canonical authenticated user id (req.authUserId) instead of the session-onlyreq.session.userId, which is undefined for token auth (#270).