fix: v6 code review P0 auth/IDOR fixes + frontend regression patches

Backend fixes:
- auth_handler: P0 认证逻辑修复
- ratelimit: 限速中间件增强 + 新增单元测试
- auth_service: 认证服务逻辑完善 + 新增测试
- server: server 配置增强 + 新增测试
- handler_test: 新增 handler 层集成测试
- auth_bootstrap_test: bootstrap 路径测试

Frontend patches:
- LoginPage/RegisterPage: CSRF + 表单交互修复
- BootstrapAdminPage: 引导流程修复
- DevicesPage: 设备管理页修复
- auth/social-accounts/users/webhooks services: 类型修正
- csrf.ts: CSRF token 处理修正
- E2E 脚本: CDP smoke + auth e2e 增强

Docs:
- FULL_CODE_REVIEW_REPORT_2026-04-20
- report-v6 执行计划
- REAL_PROJECT_STATUS 更新
- .gitignore: 新增 .gocache-*/config.yaml 排除

验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL

internal/server/server_test.go

@@ -0,0 +1,73 @@
+package server
+
+import (
+	"testing"
+	"time"
+
+	"github.com/user-management-system/internal/cache"
+	"github.com/user-management-system/internal/config"
+	"github.com/user-management-system/internal/service"
+)
+
+func TestResolveJWTAccessTokenExpire_UsesExpireHourFallback(t *testing.T) {
+	cfg := &config.Config{}
+	cfg.JWT.ExpireHour = 24
+	cfg.JWT.AccessTokenExpireMinutes = 0
+
+	expire := resolveJWTAccessTokenExpire(cfg)
+
+	if expire != 24*time.Hour {
+		t.Fatalf("resolveJWTAccessTokenExpire() = %v, want %v", expire, 24*time.Hour)
+	}
+}
+
+func TestResolveJWTAccessTokenExpire_PrefersMinuteOverride(t *testing.T) {
+	cfg := &config.Config{}
+	cfg.JWT.ExpireHour = 24
+	cfg.JWT.AccessTokenExpireMinutes = 90
+
+	expire := resolveJWTAccessTokenExpire(cfg)
+
+	if expire != 90*time.Minute {
+		t.Fatalf("resolveJWTAccessTokenExpire() = %v, want %v", expire, 90*time.Minute)
+	}
+}
+
+func TestConfigureAuthEmailServices_UsesSMTPEnvironment(t *testing.T) {
+	t.Setenv("EMAIL_HOST", "127.0.0.1")
+	t.Setenv("EMAIL_PORT", "2525")
+	t.Setenv("EMAIL_FROM_EMAIL", "noreply@test.local")
+	t.Setenv("EMAIL_FROM_NAME", "UMS E2E")
+	t.Setenv("EMAIL_USER", "smtp-user")
+	t.Setenv("EMAIL_PASS", "smtp-pass")
+
+	cfg := &config.Config{}
+	cfg.Server.FrontendURL = "http://127.0.0.1:3000"
+	cfg.Log.ServiceName = "UMS E2E"
+
+	cacheManager := cache.NewCacheManager(cache.NewL1Cache(), cache.NewRedisCache(false))
+	authService := service.NewAuthService(nil, nil, nil, cacheManager, 8, 5, time.Minute)
+	passwordResetConfig := service.DefaultPasswordResetConfig()
+
+	if err := configureAuthEmailServices(cfg, cacheManager, authService, passwordResetConfig); err != nil {
+		t.Fatalf("configureAuthEmailServices() error = %v", err)
+	}
+	if !authService.SupportsEmailActivation() {
+		t.Fatal("SupportsEmailActivation() = false, want true")
+	}
+	if !authService.HasEmailCodeService() {
+		t.Fatal("HasEmailCodeService() = false, want true")
+	}
+	if passwordResetConfig.SMTPHost != "127.0.0.1" {
+		t.Fatalf("password reset SMTP host = %q, want %q", passwordResetConfig.SMTPHost, "127.0.0.1")
+	}
+	if passwordResetConfig.SMTPPort != 2525 {
+		t.Fatalf("password reset SMTP port = %d, want %d", passwordResetConfig.SMTPPort, 2525)
+	}
+	if passwordResetConfig.FromEmail != "noreply@test.local" {
+		t.Fatalf("password reset FromEmail = %q, want %q", passwordResetConfig.FromEmail, "noreply@test.local")
+	}
+	if passwordResetConfig.SiteURL != "http://127.0.0.1:3000" {
+		t.Fatalf("password reset SiteURL = %q, want %q", passwordResetConfig.SiteURL, "http://127.0.0.1:3000")
+	}
+}