
Comparing changes

base repository: authorizerdev/authorizer
base: 2.0.0
head repository: authorizerdev/authorizer
compare: 2.0.1
  • 4 commits
  • 29 files changed
  • 1 contributor

Commits on Mar 21, 2026

  1. 109ae0a

Commits on Mar 27, 2026

  1. fix: parameterize CQL/N1QL queries to prevent injection (#500)

    * fix: parameterize CQL/N1QL queries to prevent injection (CWE-943, CWE-209)
    
    Replace all fmt.Sprintf string interpolation of user-controlled values
    with parameterized queries across Cassandra (10 files, 66+ queries)
    and Couchbase (2 files, 3 queries) backends.
    
    Cassandra: use gocql ? placeholders with values passed to Query().
    Couchbase: use $param named parameters with NamedParameters option.
    
    * fix: convert json.Number to native types before passing to gocql
    
    The JSON decoder with UseNumber() produces json.Number values which
    gocql cannot marshal into CQL bigint columns. Add convertMapValues()
    helper to convert json.Number to int64/float64, called after every
    JSON map decode in dynamic INSERT/UPDATE queries.
    lakhansamani authored Mar 27, 2026
    73679fa
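
An added example, not taken from the repository's code, of the two points in this commit message: a JSON map decoded with UseNumber() has its json.Number values converted to native types, and the values travel separately from a query that contains only ? placeholders. buildUpdate, its column allowlist and the sample input are assumptions made for illustration; the returned pair is what would be passed to gocql's Query(stmt, values...).

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// buildUpdate (hypothetical) decodes a JSON patch and returns a CQL UPDATE with
// ? placeholders plus the values to bind. Column names cannot be bound, so only
// names from the cols allowlist reach the query text; table is a caller constant.
func buildUpdate(table, id string, patch []byte, cols []string) (string, []interface{}, error) {
	dec := json.NewDecoder(bytes.NewReader(patch))
	dec.UseNumber() // numbers arrive as json.Number, not float64
	fields := map[string]interface{}{}
	if err := dec.Decode(&fields); err != nil {
		return "", nil, err
	}
	var set []string
	var args []interface{}
	for _, c := range cols {
		v, ok := fields[c]
		if !ok {
			continue
		}
		// Same idea as the convertMapValues() helper the commit names.
		if n, isNum := v.(json.Number); isNum {
			if i, err := n.Int64(); err == nil {
				v = i
			} else if f, err := n.Float64(); err == nil {
				v = f
			}
		}
		set, args = append(set, c+" = ?"), append(args, v)
	}
	if len(set) == 0 || len(set) != len(fields) {
		return "", nil, fmt.Errorf("patch must contain only allowed columns")
	}
	return "UPDATE " + table + " SET " + strings.Join(set, ", ") + " WHERE id = ?", append(args, id), nil
}

func main() {
	// Constructed input: the quote in nickname stays data, never query text.
	patch := []byte(`{"updated_at":1774569600,"nickname":"O'Brien"}`)
	q, args, err := buildUpdate("users", "u1", patch, []string{"nickname", "updated_at"})
	fmt.Println(q, args, err)
}
```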

Commits on Mar 29, 2026

  1. Fix/validate redirect uri (#502)

    * fix: validate redirect_uri against AllowedOrigins to prevent open redirect token theft
    
    Six endpoints accepted user-controlled redirect_uri without validating
    against AllowedOrigins, allowing attackers to steal tokens by redirecting
    to malicious URLs. Added validators.IsValidOrigin() checks to:
    
    - ForgotPassword (GraphQL mutation)
    - MagicLinkLogin (GraphQL mutation)
    - SignUp (GraphQL mutation)
    - InviteMembers (GraphQL mutation)
    - OAuthLoginHandler (HTTP handler)
    - VerifyEmailHandler (HTTP handler, both query param and JWT claim fallback)
    
    * test: add redirect_uri validation tests for open-redirect prevention
    
    Tests verify that ForgotPassword, MagicLinkLogin, SignUp, and
    InviteMembers reject attacker-controlled redirect_uri values not
    matching AllowedOrigins, and accept valid ones.
    
    * test: fix redirect_uri validation tests to use correct AllowedOrigins format
    
    IsValidOrigin compares hostname:port (without protocol), so
    AllowedOrigins must be specified without the http:// prefix.
    Also use SQLite to allow tests to run without Docker/Postgres.
    
    * fix: rewrite IsValidOrigin to use net/url and normalize origins correctly
    
    The previous implementation compared allowed origins (e.g.
    "https://example.com") as raw regex against "hostname:port", so
    protocols in AllowedOrigins caused matches to always fail. Now both
    input URL and allowed origins are normalized via net/url.Parse to
    strip protocol/path before comparison. Also anchors the regex with
    ^...$ to prevent partial matches (e.g. "example.com" matching
    "notexample.com").
    
    Adds comprehensive unit tests covering: exact domains, custom ports,
    standard ports (80/443), bare domains without protocol, subdomains,
    deep subdomains, wildcard subdomains, wildcard with port, multiple
    origins, attacker URLs, www variants, and live domain scenarios.
    
    * fix: update InviteMembers test to use allowed origin for redirect_uri
    
    The test was using "https://authorizer.dev/" which is not in
    AllowedOrigins, so it now correctly gets rejected by the new
    redirect_uri validation. Updated to use "http://localhost:3000/"
    which matches the test config's AllowedOrigins.
    lakhansamani authored Mar 29, 2026
    6d9bef1
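
An added example, not the project's IsValidOrigin, of the normalization and anchoring this commit message describes: both sides are reduced to host[:port] with net/url, and the pattern is anchored so that "example.com" no longer matches "notexample.com". hostPort, isAllowed, the wildcard expansion and the sample origins are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// hostPort reduces a URL or bare origin to lower-case "host[:port]".
// Hypothetical helper for this example, not the project's function.
func hostPort(raw string) string {
	if !strings.Contains(raw, "://") {
		raw = "//" + raw // make net/url read a bare "example.com:8080" as a host
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Host)
}

// isAllowed reports whether rawURL's host matches one of the allowed origins.
// anchored=false reproduces the partial-match behaviour the commit describes.
func isAllowed(rawURL string, allowed []string, anchored bool) bool {
	host := hostPort(rawURL)
	for _, a := range allowed {
		pattern := hostPort(a)
		if host == "" || pattern == "" {
			continue // unparsable input or config entry never matches
		}
		expr := strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, `[a-z0-9.-]+`) // "*" = subdomain labels
		if anchored {
			expr = "^" + expr + "$"
		}
		if regexp.MustCompile(expr).MatchString(host) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration and redirect_uri values.
	allowed := []string{"https://example.com", "*.authorizer.dev", "localhost:3000"}
	for _, u := range []string{"https://app.authorizer.dev/cb", "https://notexample.com/reset"} {
		fmt.Println(u, isAllowed(u, allowed, false), isAllowed(u, allowed, true))
	}
}
```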

Commits on Mar 30, 2026

  1. fix: prevent OAuth account pre-hijacking via unverified email linking (#503)
    
    When an OAuth login matches an existing account by email, the handler
    now checks EmailVerifiedAt. If the existing account's email was never
    verified, the unverified account is deleted and a fresh one is created
    for the OAuth user. This prevents attackers from pre-registering with
    a victim's email to retain password access after the victim's OAuth login.
    lakhansamani authored Mar 30, 2026
    2a9d22f