Remove admin token from sessionStorage during impersonation

Embed admin_id claim in impersonation JWTs and add a backend
/api/admin/unimpersonate endpoint that re-issues the admin token
from that claim. The admin token no longer needs to be stored in
sessionStorage, so a script injected into the page can no longer read it directly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-19 23:32:08 -07:00
parent f6cc7a606e
commit 6d09e40f58
4 changed files with 45 additions and 14 deletions


@@ -118,8 +118,6 @@ async function toggleUser(id, disable) {
async function impersonateUser(id) {
try {
const data = await API.post(`/api/admin/users/${id}/impersonate`, {});
// Save admin token so user can return
sessionStorage.setItem('admin_token', Auth.getToken());
Auth.setToken(data.access_token);
window.location.href = '/';
} catch (err) {
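Review bot: `Auth.setToken(data.access_token)` still persists a bearer token client-side (wherever `Auth.setToken` stores it), and since the impersonation JWT now carries the `admin_id` claim that `/api/admin/unimpersonate` exchanges for an admin token, an XSS that reads that token can presumably recover full admin access — the exposure is relocated, not eliminated as the description claims. Worth a comment here so the next maintainer does not treat the impersonation token as low-value: `// NOTE: this token embeds admin_id and can be exchanged back for an admin token; treat it as admin-equivalent`. On the backend (not in this hunk), unimpersonate should not rely on the bearer token alone — e.g. a short TTL on impersonation tokens or binding re-issuance to the original admin session — and the note above should be confirmed against that endpoint. The response is also used unchecked; `if (!data?.access_token) throw new Error('impersonate: response has no access_token');` before `Auth.setToken` avoids storing `undefined` and redirecting into a broken session. The `catch` body and the end of `impersonateUser` lie outside the hunk.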