Support personal API token authentication (read from file)#65

Open
kshepherd wants to merge 1 commit intothe-library-code:mainfrom
kshepherd:support_cris_machine_tokens
Conversation

@kshepherd (Collaborator) commented Mar 13, 2026

DSpace-CRIS supports personal API tokens (JWTs with very long expiry) generated by users from their profile page.
DSpace core will soon support this too.

Partially addresses #23

This pull request adds support for token authentication instead of simple username and password auth.
Tokens are detected by the following methods, in order:

  1. If env var PERSONAL_API_TOKEN_FILE is set (e.g. by docker compose or in env while executing a script), try to read from a file path using the value of the env var
    a. To be clear, the value of the env var should NOT be the token itself, but a path to the token that the user executing the script can read.
  2. If a file name .dspace-personal-api-token.secret exists in the current working directory of the script, try to read it
  3. If a file name .dspace-personal-api-token.secret exists in the current user's home directory, try to read it

If no token is found, fall back to standard password auth.

If a token is found, it will be set as the Authorization Bearer header instead of requesting short-lived JWT bearer tokens.

I have given this a quick test on my demo CRIS instance and it appears to work but more testing would be appreciated. Standard password auth still works if no token is present. Would appreciate feedback about the token path candidates. If it is safer and less confusing to just require that _FILE env var, I can understand that.

Expected output:

╰─$ python console.py
2026-03-13 05:02:45,468 - Authenticated successfully using personal API token as user@test.server
Python 3.14.2 (main, Jan  2 2026, 14:27:39) [GCC 15.2.1 20251112] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> quit()
now exiting InteractiveConsole..

Other notes:

  • The whole class-level THIS = os.environ(that) setup is ugly and not good style, and will eventually be cleaned up into nice __init__ instance initialisation, but for now that's out of scope of this PR, I just want to try and support this auth method ASAP.
  • Once we add a third auth method we might need to look at coming up with a more complete stack, but my feeling is that once DSpace core supports these tokens, it will be the preferred auth method for 99% of use cases here.
  • This PR includes the "remove class-level session declaration" because it was annoying me, but technically that is unrelated.
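The three-step lookup described in the PR (env var path, then cwd, then home, else password auth), written out as an added example; this is not the PR's own code. The env var and file names come from the description above; the helper names, the refusal of group/world-readable token files and the constructed temp-dir scenario are assumptions added here.

```python
# Added example (not the PR's own code): the three-step token lookup the PR
# describes, plus a file-permission check the PR does not mention. The env var
# and file names come from the PR; everything else here is assumed.
import os
import stat
import tempfile
from pathlib import Path

TOKEN_ENV = "PERSONAL_API_TOKEN_FILE"   # must hold a *path*, never the token
TOKEN_FILE = ".dspace-personal-api-token.secret"

def token_candidates(env, cwd, home):
    """Candidate token files in the PR's priority order: env var path, cwd, home."""
    if env.get(TOKEN_ENV):
        yield Path(env[TOKEN_ENV])
    yield Path(cwd) / TOKEN_FILE
    yield Path(home) / TOKEN_FILE

def read_token(path):
    """Token stored in `path`, or None if missing, empty or readable by others."""
    try:
        mode = path.stat().st_mode
        # Refuse group/world-readable files (assumed policy; POSIX only).
        if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            return None
        return path.read_text(encoding="utf-8").strip() or None
    except OSError:
        return None

def discover_token(env, cwd, home):
    """First readable token wins; None means fall back to password auth."""
    return next(filter(None, map(read_token, token_candidates(env, cwd, home))), None)

def auth_headers(token):
    """Bearer header when a token exists; empty dict means the caller must log in."""
    return {"Authorization": f"Bearer {token}"} if token else {}

def demo():
    """Constructed scenario: env-var file beats cwd; an open cwd file falls through to home."""
    root = Path(tempfile.mkdtemp())
    cwd, home = root / "cwd", root / "home"
    for d, text in ((cwd, "cwd-token\n"), (home, "home-token\n"), (root, "env-token\n")):
        d.mkdir(exist_ok=True)
        (d / TOKEN_FILE).write_text(text)
        (d / TOKEN_FILE).chmod(0o600)
    from_env = discover_token({TOKEN_ENV: str(root / TOKEN_FILE)}, cwd, home)
    from_cwd = discover_token({}, cwd, home)
    (cwd / TOKEN_FILE).chmod(0o644)        # now group/world-readable: skipped
    from_home = discover_token({}, cwd, home)
    return from_env, from_cwd, from_home
```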
@kshepherd (Collaborator, Author)

@quintusdias would you like to try this small change out and give feedback re: implementing personal API token auth for DSpace CRIS instances?

@kshepherd kshepherd self-assigned this Mar 13, 2026
@quintusdias

I don't have a DSpace CRIS instance at the moment, unfortunately. I can look into trying to set one up.