fix(GRO-874): add requireSuperUser() to GET /api/admin/settings/logo

The logo proxy route was missing auth middleware, allowing any
unauthenticated caller to receive the presigned S3 URL and exposing
the internal Ceph RGW hostname. Matches auth pattern used by all
other /api/admin/* routes in this file.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/routes/settings.ts

@@ -218,7 +218,7 @@ settingsRouter.post(
  * Proxies the logo from S3 so the browser never sees an S3 URL.
  * Returns the image bytes with proper Content-Type.
  */
-settingsRouter.get("/logo", async (c) => {
+settingsRouter.get("/logo", requireSuperUser(), async (c) => {
   const db = getDb();
 
   const [row] = await db.select().from(businessSettings).limit(1);