Fixing security and quality issues

[TechHutTV]

Summary

Fixes 8 security and quality audit issues across the backend and frontend, ranging from critical vulnerabilities to low-priority type safety improvements.

Critical

• Path traversal guard in storage provider — LocalStorageProvider.read/readStream/delete/exists now resolve paths and reject any that escape the root directory.
• Authenticate workspace file route — GET /storage/:workspaceId/uploads/* now requires authentication, verifies workspace membership, and rejects traversal attempts.

High

• Instance admin privilege escalation — Replaced the flawed "admin of any workspace = instance admin" check with a dedicated isInstanceAdmin boolean on the User model. First registered user is automatically granted instance admin. Includes migration.

Medium

• OIDC return URL validation — Added sanitizeReturnUrl() that rejects //, \, and null bytes in both raw and decoded form. Applied in login and callback handlers.
• Await email sending — Three fire-and-forget sendVerificationEmail/sendPasswordResetEmail calls now use await to surface unhandled promise rejections.
• Rate limit workspace creation — POST /api/workspaces is now rate-limited to 5 requests per minute per client.

Low

• Remove as any in backup services — Introduced typed helpers (toCustomFieldType, toPriority, toJsonValue) and narrowed conditional includes with inline type annotations, eliminating all as any casts.
• ESLint disable in page lock hook — Replaced the eslint-disable-line suppression with useRef-based tracking so the cleanup effect reads latest values without needing them as dependencies.