fix: change session cookie SameSite from Strict to Lax

SameSite=Strict breaks magic link login from email clients: the browser
does not send the cookie on the redirect to /admin because the navigation
chain originated from a cross-site context. Lax allows top-level
cross-site navigations while still blocking cross-site POST requests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: yoyo930021

src/routes/admin.rs

@@ -167,7 +167,7 @@ pub async fn auth_magic_link(
         .path("/admin")
         .http_only(true)
         .secure(is_https)
-        .same_site(SameSite::Strict)
+        .same_site(SameSite::Lax)
         .max_age(time::Duration::hours(24))
         .build();