fix: harden auth token handling#1864

Open
nguyenlnp wants to merge 1 commit into stacksjs:main from nguyenlnp:fix/auth-security-token-hardening

Conversation

@nguyenlnp nguyenlnp commented May 21, 2026

Fixes #1861.

This tightens two auth token paths from the security report:

  • removes the hardcoded email verification HMAC fallback key and fails closed when config.app.key is missing
  • invalidates prior password reset tokens before issuing a new one so stale tokens cannot remain valid for the same email
  • reads the newest reset token during reset verification as a defensive guard for existing duplicate rows

I kept this PR intentionally focused on the token-forgery and stale-reset-token portions of the report so it is easier to review. The remaining WebAuthn counter/challenge and OAuth secret-storage items can be handled separately.

Validation: could not run the project typecheck locally because bun is not installed in this environment.
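The two behaviours the PR description lists, fail-closed key lookup and single-valid-token password reset, as an added TypeScript example. This is illustration code written for this page, not the stacks code base or the diff in this PR: the config shape, the in-memory `ResetTokenStore`, its `insertLegacyRow` test hook and the sample addresses are all assumptions, and only the function name `getAppKey()` comes from the thread.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical config shape; the real stacks config object is not modelled here.
interface AppConfig {
  app: { key?: string };
}

// Fail closed: there is no fallback key. A missing or blank config.app.key throws,
// so no token can ever be minted under a predictable, shared secret.
function getAppKey(config: AppConfig): string {
  const key = config.app.key;
  if (typeof key !== "string" || key.trim().length === 0) {
    throw new Error("config.app.key is not set; refusing to sign tokens");
  }
  return key;
}

// Constant-time comparison of two ASCII token strings (hex digests here).
function tokensMatch(a: string, b: string): boolean {
  const ua = new TextEncoder().encode(a);
  const ub = new TextEncoder().encode(b);
  return ua.length === ub.length && timingSafeEqual(ua, ub);
}

// Email verification token: HMAC-SHA256 over the address under the app key.
function signEmailVerification(config: AppConfig, email: string): string {
  return createHmac("sha256", getAppKey(config)).update(email).digest("hex");
}

function verifyEmailVerification(config: AppConfig, email: string, token: string): boolean {
  return tokensMatch(signEmailVerification(config, email), token);
}

interface ResetRow {
  email: string;
  token: string;
  createdAt: number; // constructed monotonic counter, stands in for a DB timestamp
}

// In-memory stand-in for the password_resets table.
class ResetTokenStore {
  private rows: ResetRow[] = [];
  private clock = 0;

  // Issuing a new token first removes every earlier row for the same email,
  // so a stale token can no longer pass verification once a newer one exists.
  issue(email: string): string {
    this.rows = this.rows.filter((r) => r.email !== email);
    const token = randomBytes(32).toString("hex");
    this.rows.push({ email, token, createdAt: ++this.clock });
    return token;
  }

  // Defensive read: if duplicate rows survive from before the fix, only the
  // newest one is consulted during verification.
  newestFor(email: string): ResetRow | undefined {
    return this.rows
      .filter((r) => r.email === email)
      .sort((a, b) => b.createdAt - a.createdAt)[0];
  }

  verify(email: string, token: string): boolean {
    const row = this.newestFor(email);
    return row !== undefined && tokensMatch(row.token, token);
  }

  // Test hook (constructed): append a row without purging, simulating
  // pre-fix data where several tokens for one email coexist.
  insertLegacyRow(email: string, token: string): void {
    this.rows.push({ email, token, createdAt: ++this.clock });
  }

  activeCount(email: string): number {
    return this.rows.filter((r) => r.email === email).length;
  }
}

// Example run (constructed inputs): a second reset request retires the first token.
const exampleConfig: AppConfig = { app: { key: "constructed-example-key" } };
const exampleStore = new ResetTokenStore();
const first = exampleStore.issue("alice@example.com");
const second = exampleStore.issue("alice@example.com");
console.log(exampleStore.verify("alice@example.com", first));  // false: superseded
console.log(exampleStore.verify("alice@example.com", second)); // true: newest token
console.log(verifyEmailVerification(exampleConfig, "alice@example.com",
  signEmailVerification(exampleConfig, "alice@example.com")));  // true
```

Purging before insert and reading the newest row are deliberately separate guards: the first keeps the table in a one-token-per-email state going forward, the second keeps verification correct for rows that already violated that invariant.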

what-the-diff Bot commented May 21, 2026

PR Summary

  • Improved Key Management for Token Generation

    • The token generation process has been refined to not rely on a hardcoded back-up key. Instead, we've introduced a new function getAppKey(). This function efficiently handles app key configuration by checking its validity and presence, enhancing the information security measures of our app.
  • Optimized Password Reset Function

    • We've made the password reset feature more efficient and secure. Now, any previous reset requests are automatically removed when a new one is initiated for a certain email. This prevents confusion from multiple requests and enhances user security.
    • Additionally, we've modified the process of retrieving the password reset request, ensuring that the most recent request is considered. This ensures a smooth user experience especially when multiple reset requests are made within a short time frame.

Development

Successfully merging this pull request may close these issues.

auth/security: hardcoded fallback HMAC key; password reset / passkey / email-verification hardening gaps; plaintext OAuth secrets

1 participant