
Fix critical password recovery security vulnerabilities and enhance validation #12

Draft
Copilot wants to merge 3 commits into main from copilot/fix-11

Conversation


Copilot AI commented Sep 20, 2025

This PR addresses critical security vulnerabilities in the password recovery system that were preventing users from logging in after password resets, along with several other security and consistency improvements.

Critical Security Fix: Password Double-Hashing

The most critical issue was in the User and Company model pre-save hooks, which were hashing passwords on every save operation, not just when passwords were new or modified. This caused a dangerous double-hashing scenario:

// Before (dangerous):
userSchema.pre('save', async function(next){
    this.senha = await bcrypt.hash(this.senha, 10) // Always hashes!
    next();
});

// After (secure):
userSchema.pre('save', async function(next){
    if (this.isNew || this.isModified('senha')) {
        this.senha = await bcrypt.hash(this.senha, 10) // Only when needed
    }
    next();
});

Impact: Users who reset their passwords couldn't log in because the system was comparing plain passwords against double-hashed values, causing authentication to always fail.

Token Expiration Consistency

Fixed inconsistent token expiration times that were causing confusion:

  • Token model was set to 1 hour expiration
  • Validation logic was checking for 15 minutes
  • Standardized everything to 15 minutes for security

Enhanced Password Validation

Added robust password strength requirements to the reset password endpoint:

  • Minimum 6 characters
  • Must contain letters, numbers, and special characters
  • Consistent with existing alterarSenha validation

Security Improvements

  • Token Cleanup: Remove existing tokens before generating new ones to prevent accumulation
  • Expiration Validation: Enhanced validateToken endpoint to check and clean expired tokens
  • Error Handling: Improved error messages that don't leak sensitive information
  • Input Validation: Better validation of token formats and request parameters

Testing and Documentation

  • Added comprehensive test suite covering password validation, token handling, and error scenarios
  • Complete API documentation with security explanations and usage examples
  • Validated all changes don't break existing functionality

Affected Endpoints

  • POST /api/user/auth/recuperar-senha - Request password reset
  • GET /api/user/auth/validar-token/:token - Validate reset token
  • POST /api/user/auth/redefinir-senha - Reset password with token

This fix ensures the password recovery system works correctly for both individual users (PF) and companies (PJ), addressing the testing requirements mentioned in the issue comments.

Fixes #11.



Copilot AI self-assigned this Sep 20, 2025

Copilot AI commented Sep 20, 2025

@joao-pedro01 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.


netlify Bot commented Sep 20, 2025

Deploy Preview for ecovoucher failed.

Latest commit: 26f3f1e
Latest deploy log: https://app.netlify.com/projects/ecovoucher/deploys/68ce18995d1c5600087828b8

Copilot AI and others added 2 commits September 20, 2025 02:57
Co-authored-by: joao-pedro01 <80638211+joao-pedro01@users.noreply.github.com>
Co-authored-by: joao-pedro01 <80638211+joao-pedro01@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Password recovery and reset (with future token)" to "Fix critical password recovery security vulnerabilities and enhance validation" Sep 20, 2025
Copilot AI requested a review from joao-pedro01 September 20, 2025 03:00

Development

Successfully merging this pull request may close these issues.

Password recovery and reset (with future token)