Add security hardening and additional auth tests

Security improvements:
- Add password strength validation (min 8 characters)
- Invalidate all sessions on password change/reset
- Add timing-safe user lookup to prevent enumeration attacks
- Fix SQLAlchemy boolean comparisons (== True -> is_(True))
- Change default admin password to 'changeme123' (meets min length)

New tests (7 additional):
- Inactive user login attempt blocked
- Short password rejected on create/change/reset
- Duplicate username rejected (409)
- Non-owner API key deletion blocked (403)
- Sessions invalidated on password change
This commit is contained in:
Mondo Diaz
2026-01-08 15:37:53 -06:00
parent 696793c84f
commit b1c17e8ab7
4 changed files with 468 additions and 29 deletions

@@ -27,7 +27,7 @@ async def lifespan(app: FastAPI):
admin = create_default_admin(db)
if admin:
logger.warning(
"Default admin user created with username 'admin' and password 'admin'. "
"Default admin user created with username 'admin' and password 'changeme123'. "
"CHANGE THIS PASSWORD IMMEDIATELY!"
)
finally:
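Review bot: the warning still writes the default admin password in plaintext to the application log; changing the literal from 'admin' to 'changeme123' keeps a known credential in every log sink this service ships to. Since the value is a constant that any reader of the source already knows, the message gains nothing from including it; consider logging only that a default admin account was created with a well-known initial password and must be changed, e.g. `"Default admin user 'admin' created with the documented initial password. CHANGE THIS PASSWORD IMMEDIATELY!"`. Also, this hunk only updates the log text; confirm that create_default_admin (not shown here) uses the same 'changeme123' value so the message and the stored credential cannot drift apart, and note that meeting the new 8-character minimum does not make 'changeme123' any less guessable than 'admin', so a forced password change on first login would close the gap the warning currently leaves open.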