livery_auth_bearer (livery v0.2.0)

Bearer-token authentication middleware.

Extracts the bearer token from the Authorization header, verifies it with livery_auth:verify/2, and stores the validated claims on the request as meta(user, Claims) (read it back with livery_ext:user/1). On any failure it short-circuits with 401 Unauthorized and a WWW-Authenticate: Bearer header.

State is the livery_auth:verify_opts() map plus an optional required => boolean() (default true):

{livery_auth_bearer, #{
    keys     => Jwks,
    issuer   => <<"https://issuer.example">>,
    audience => <<"my-api">>
}}

When required => false, a missing token is allowed through (the handler sees no user meta), but a present-but-invalid token is still rejected.
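
The accept/reject rules described above, modelled as a stand-alone Erlang module. This is an added example, not livery's own code: the module name, parse_bearer/1, decide/3, the stub verifier and its {ok, Claims} | {error, Reason} return shape are assumptions for illustration, as is treating a non-Bearer Authorization header as invalid rather than missing.

```erlang
-module(bearer_decision_example).
-export([parse_bearer/1, decide/3, demo/0]).

%% Added example: models the documented behaviour only, not livery internals.

%% Classify the raw Authorization header value (undefined = header absent).
parse_bearer(undefined) -> missing;
parse_bearer(<<Scheme:6/binary, $\s, Rest/binary>>) ->
    %% The auth scheme name is case-insensitive (RFC 7235).
    case string:lowercase(Scheme) of
        <<"bearer">> ->
            case string:trim(Rest) of
                <<>>  -> malformed;
                Token -> {token, Token}
            end;
        _ -> malformed            % assumption: other schemes count as invalid
    end;
parse_bearer(_) -> malformed.

%% Verify is a caller-supplied fun standing in for token verification.
decide(Header, Required, Verify) ->
    case parse_bearer(Header) of
        missing when Required =:= false -> {next, no_user};
        missing   -> unauthorized();
        malformed -> unauthorized();
        {token, Token} ->
            case Verify(Token) of
                {ok, Claims}     -> {next, {user, Claims}};
                {error, _Reason} -> unauthorized()
            end
    end.

unauthorized() ->
    {halt, 401, [{<<"www-authenticate">>, <<"Bearer">>}]}.

%% Constructed inputs covering each row of the decision table.
demo() ->
    Verify = fun(<<"good-token">>) -> {ok, #{<<"sub">> => <<"alice">>}};
                (_)                -> {error, invalid}
             end,
    Deny = unauthorized(),
    {next, {user, #{<<"sub">> := <<"alice">>}}} =
        decide(<<"Bearer good-token">>, true, Verify),
    Deny = decide(undefined, true, Verify),              % required, no token
    {next, no_user} = decide(undefined, false, Verify),  % optional, no token
    Deny = decide(<<"Bearer bad-token">>, false, Verify),% optional, bad token
    Deny = decide(<<"Basic dXNlcjpwdw==">>, false, Verify),
    ok.
```

With required => false, handlers must treat the absence of user meta as an anonymous request and enforce their own authorization, since only the present-but-invalid case is rejected by the middleware.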

Summary

Functions

call(Req, Next, State)