fix: harden auth flows and align api contracts

This commit is contained in:
Your Name
2026-05-30 21:29:24 +08:00
parent 7ad65a0138
commit a332917142
50 changed files with 23594 additions and 723 deletions


@@ -316,7 +316,7 @@ func TestUserHandler_UpdatePassword_Success(t *testing.T) {
"new_password": "NewPass456!",
})
defer resp.Body.Close()
// Accept both 200 (success) and 403 (if user doesn't have permission to update self)
// The handler checks: currentUserID != id && !IsAdmin(c)
// For self-update, currentUserID == id, so should be allowed
@@ -589,7 +589,7 @@ func TestUserHandler_BatchDelete_Success(t *testing.T) {
}
// Batch delete uses DELETE method with body
req, _ := http.NewRequest("DELETE", server.URL+"/api/v1/users/batch",
req, _ := http.NewRequest("DELETE", server.URL+"/api/v1/users/batch",
bytes.NewReader([]byte(`{"ids": [2, 3, 4]}`)))
req.Header.Set("Authorization", "Bearer "+token)
req.Header.Set("Content-Type", "application/json")
@@ -599,7 +599,7 @@ func TestUserHandler_BatchDelete_Success(t *testing.T) {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
// Accept 200 or method not allowed
if resp.StatusCode == http.StatusOK {
bodyBytes, _ := io.ReadAll(resp.Body)