Add authentication and IDOR protection to account endpoints#42

Open
saaa99999999 wants to merge 2 commits into Aeternalis-Ingenium:trunk from saaa99999999:trunk
Conversation

@saaa99999999

Summary

All four account CRUD endpoints had no authentication or authorization checks:

  • GET /api/accounts — returned all users with emails and tokens to unauthenticated callers
  • GET /api/accounts/{id} — allowed reading any user's full profile without auth
  • PATCH /api/accounts/{id} — allowed changing any user's password, email, or username without auth
  • DELETE /api/accounts?id=N — allowed deleting any user's account without auth

Changes

  • Added backend/src/api/dependencies/auth.py with get_current_user dependency that validates JWT Bearer tokens and returns the authenticated user
  • Updated backend/src/api/routes/account.py:
    • Added Depends(get_current_user) to all four account endpoints
    • Added IDOR checks (verify id matches the authenticated user's id)
    • GET /accounts now returns only the current user's data instead of all users

Fixed Vulnerability

  • CWE-862: Missing Authorization — account CRUD endpoints had no authentication, allowing unauthenticated attackers to enumerate users, modify any account, and delete any account

Test plan

  • Register a new user via POST /api/auth/signup
  • Verify GET /api/accounts without Bearer token returns 401
  • Verify GET /api/accounts with valid Bearer token returns only the authenticated user
  • Verify PATCH /api/accounts/999 (different user ID) with valid token returns 403
  • Verify DELETE /api/accounts?id=999 (different user ID) with valid token returns 403

All four account CRUD endpoints (GET /accounts, GET /accounts/{id},
PATCH /accounts/{id}, DELETE /accounts) had no authentication, allowing
unauthenticated attackers to enumerate all users with their emails, modify
any user's password/email, and delete any account.

Added get_current_user dependency that validates JWT Bearer tokens
and added IDOR checks to ensure users can only access and modify
their own account data.
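As an added illustration of the two controls the PR describes (a Bearer-token dependency plus an owner-match check on the account id), the following is example code written for this page, not the PR's own backend/src/api/dependencies/auth.py or account.py. It uses only the standard library so it runs without FastAPI: HTTPError stands in for FastAPI's HTTPException, handle() stands in for the router, and SECRET, USERS and the HS256 verification routine are assumptions made for the example rather than the project's real key, database or JWT library. The walk-through at the bottom follows the PR's test plan (no token gives 401, a foreign id gives 403).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; the real project would load the signing key
# from configuration and the users from its database.
SECRET = b"example-only-signing-key"
USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com"},
    2: {"id": 2, "username": "bob", "email": "bob@example.com"},
}


class HTTPError(Exception):
    """Stands in for FastAPI's HTTPException: carries the status to return."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT (what a signin endpoint would hand back)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": str(user_id), "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def get_current_user(authorization: Optional[str]) -> dict:
    """Authentication dependency: return the caller's user record or raise 401."""
    if not authorization or not authorization.startswith("Bearer "):
        raise HTTPError(401, "missing bearer token")
    token = authorization[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        user_id = int(claims["sub"])
    except (ValueError, KeyError, TypeError):
        raise HTTPError(401, "malformed token")
    # Pin the algorithm server-side; never dispatch on the token's own alg field.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise HTTPError(401, "unsupported alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise HTTPError(401, "bad signature")
    if claims.get("exp", 0) < time.time():
        raise HTTPError(401, "token expired")
    user = USERS.get(user_id)
    if user is None:
        raise HTTPError(401, "unknown user")
    return user


def require_owner(current_user: dict, account_id: int) -> None:
    """IDOR check: the id in the path or query must be the caller's own id."""
    if account_id != current_user["id"]:
        raise HTTPError(403, "forbidden")


def handle(method: str, path: str, authorization: Optional[str] = None,
           body: Optional[dict] = None) -> tuple:
    """Minimal router modelling the four account endpoints after the fix."""
    try:
        user = get_current_user(authorization)      # every endpoint authenticates first
        if path == "/api/accounts" and method == "GET":
            return 200, user                         # caller's own record, never the full table
        if path.startswith("/api/accounts/"):        # /api/accounts/{id}
            account_id = int(path[len("/api/accounts/"):])
        elif path.startswith("/api/accounts?id="):   # /api/accounts?id=N
            account_id = int(path[len("/api/accounts?id="):])
        else:
            return 404, None
        require_owner(user, account_id)              # 403 before any lookup, so foreign ids leak nothing
        if method == "GET":
            return 200, USERS[account_id]
        if method == "PATCH":
            allowed = {k: v for k, v in (body or {}).items() if k in ("username", "email")}
            USERS[account_id].update(allowed)
            return 200, USERS[account_id]
        if method == "DELETE":
            USERS.pop(account_id)
            return 204, None
        return 405, None
    except ValueError:
        return 422, {"detail": "id must be an integer"}
    except HTTPError as err:
        return err.status, {"detail": str(err)}


if __name__ == "__main__":
    token = "Bearer " + issue_token(1)
    print(handle("GET", "/api/accounts"))                      # 401: no token
    print(handle("GET", "/api/accounts", token))               # 200: only alice's record
    print(handle("PATCH", "/api/accounts/999", token, {}))     # 403: foreign id
    print(handle("DELETE", "/api/accounts?id=999", token))     # 403: foreign id
```

The ordering inside handle() is the point worth copying: authenticate, then compare the requested id against the authenticated user's id, and only then touch the data store, so a request for someone else's id gets the same 403 whether or not that account exists.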
@saaa99999999
Author

CVE Request

This PR fixes CWE-862 (Missing Authorization): all four account CRUD endpoints (GET/PATCH/DELETE /api/accounts) had no authentication, allowing unauthenticated attackers to enumerate all users and their emails, change any user's password, and delete any account. The severity is Critical (CVSS 3.1: 9.1 — AV:N/AC:L/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

Could you please request a CVE via GitHub Security Advisory for this vulnerability?
