Server has no auth and is open to any origin with overly permissive CORS

[broady]

The server is exposed unauthenticated and serves requests with overly board CORS headers, allowing a malicious website to control farfield without a password.

More detail:
https://ampcode.com/threads/T-019d93c9-c0cd-754b-8671-4b171ce99a07

[everydy]

I opened a draft PR with a smaller built-in option for this: #30.

The idea is to keep #10 / Cloudflare Access as the stronger advanced remote deployment path, while adding a lightweight core guardrail for the common farfield.app + Tailscale flow:

• optional FARFIELD_AUTH_TOKEN enforcement for /api/* and /api/unified/ws
• Authorization: Bearer <token> or X-Farfield-Token for HTTP
• Socket.IO auth token support from the web settings UI
• configurable FARFIELD_CORS_ORIGIN instead of hardcoded wildcard CORS
• README docs for Tailscale + token setup

I marked it as draft because maintainer preference may be to rename the envs, fold the work into #10, or choose a stricter default CORS behavior.