Fix(oauth2): enforce owner-scoped PAT deletion #33

Open
Musicminion wants to merge 1 commit into server-pro from fix-oauth2-token-delete-verify-20260312

@Musicminion
Member

Summary

This PR fixes an authorization gap in PAT deletion by enforcing token ownership at deletion time.

Changes

  • Updated removeToken to require both tokenId and userId.
  • Scoped delete query to:
    • _id = tokenId
    • user_id = userId
    • type = personal_access_token
  • Added invalid tokenId handling with ObjectId.isValid(...) to avoid deletion attempts on malformed IDs.
  • Updated delete controller flow to:
    • pass user._id into removeToken(...)
    • return 404 Token not found when no owned token is deleted (deletedCount !== 1)

Security Impact

  • Prevents users from deleting PATs they do not own via token ID alone.
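
The owner-scoped delete described in this PR, next to the unscoped form it replaces, as an added example that is not the PR's code. The in-memory store, `deleteOne` helper, `isValidId` (a simplified stand-in for `ObjectId.isValid`), `removeTokenUnscoped`, `deleteTokenHandler` and the 204 success status are assumptions made for illustration.

```javascript
// Constructed in-memory stand-in for the token collection (not the project's schema).
const tokens = [
  { _id: "65f000000000000000000001", user_id: "alice", type: "personal_access_token" },
  { _id: "65f000000000000000000002", user_id: "bob", type: "personal_access_token" },
  { _id: "65f000000000000000000003", user_id: "bob", type: "refresh_token" },
];

// Simplified stand-in for ObjectId.isValid: accepts only 24 hex characters.
const isValidId = (id) => typeof id === "string" && /^[0-9a-f]{24}$/i.test(id);

// Minimal deleteOne: removes the first document matching every filter field.
function deleteOne(store, filter) {
  const i = store.findIndex((doc) =>
    Object.entries(filter).every(([k, v]) => doc[k] === v));
  if (i === -1) return { deletedCount: 0 };
  store.splice(i, 1);
  return { deletedCount: 1 };
}

// Before (hypothetical name): the token id alone selects the row to delete.
function removeTokenUnscoped(store, tokenId) {
  return deleteOne(store, { _id: tokenId });
}

// After: the filter also binds owner and token type; malformed ids never reach the store.
function removeToken(store, tokenId, userId) {
  if (!isValidId(tokenId)) return { deletedCount: 0 };
  return deleteOne(store, { _id: tokenId, user_id: userId, type: "personal_access_token" });
}

// Controller flow: the owner id comes from the authenticated session, not the request.
function deleteTokenHandler(store, sessionUser, tokenId) {
  const { deletedCount } = removeToken(store, tokenId, sessionUser._id);
  // One 404 covers "no such token", "not a PAT" and "owned by someone else".
  // The 204 on success is an assumed status; the PR text only specifies the 404.
  return deletedCount !== 1 ? { status: 404, body: "Token not found" } : { status: 204 };
}
```

Because the ownership check lives in the delete filter itself, there is no separate read-then-delete step that could be raced or forgotten by a caller.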

@Musicminion
Member Author

@codex, please do code review.

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
