
Fix multiple security vulnerabilities (CWE-798, CWE-915, CWE-347, CWE-942)#28

Open

saaa99999999 wants to merge 1 commit into makinhs:master from saaa99999999:fix/security-vulnerabilities

Conversation

@saaa99999999

This PR fixes multiple security vulnerabilities in the REST API tutorial reference implementation.

CWE-798: Hardcoded JWT Secret

  • env.config.js contained a hardcoded JWT secret "myS33!!creeeT" in source control. Replaced with environment variable JWT_SECRET with startup validation.

CWE-915: Mass Assignment / Privilege Escalation

  • users.controller.js PATCH endpoint passed the entire request body to Mongoose without field filtering. An authenticated user could set permissionLevel: 2048 to become admin. Added field allowlist to restrict updatable fields to firstName, lastName, email, password.

CWE-347: JWT Refresh Key Embedded in Token

  • authorization.controller.js included the refresh token HMAC salt (refreshKey) inside the JWT payload, allowing anyone with a valid JWT to generate new refresh tokens. Fixed by using a self-contained salt.hash format for refresh tokens and signing only user claims in the JWT.

CWE-942: CORS Wildcard with Credentials

  • index.js used Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, an insecure combination. Fixed to echo the request origin.

- CWE-798: Remove hardcoded JWT secret "myS33!!creeeT", require JWT_SECRET env var
- CWE-915: Add field allowlist to user PATCH to prevent privilege escalation
- CWE-347: Remove refreshKey from JWT payload, use combined salt.hash format
- CWE-942: Fix CORS wildcard with credentials=true misconfiguration

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
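The CWE-798 and CWE-347 items above describe the intended token layout: the signing secret comes from the environment, the JWT carries only user claims, and the refresh token is a self-contained `salt.hash` string that can be verified without anything from the JWT. The following is an added example of that layout written for this page; it is not code from the PR or from the makinhs repository. It uses Node's `crypto` module only, with a hand-rolled HS256 signer in place of the `jsonwebtoken` library so it runs offline, and the constructed secret, user record, and `userId:salt` HMAC input are assumptions, not the project's own values.

```javascript
const crypto = require('crypto');

// Assumption: the secret is read from the environment (the CWE-798 fix); a constructed
// fallback is used here only so the example runs offline. Never ship a literal secret.
const JWT_SECRET = process.env.JWT_SECRET || 'constructed-example-secret-do-not-use';

// base64url without padding, spelled out so this also works on older Node versions.
function b64url(data) {
  return Buffer.from(data).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Minimal HS256 JWT signer (stand-in for jsonwebtoken, not that library's API).
function signJwt(claims, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const sig = b64url(crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

// Decode-only helper used to inspect what a bearer of the token can read.
// Node's base64 decoder accepts the URL-safe alphabet as well.
function decodeJwtPayload(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64').toString('utf8'));
}

// Refresh token = random per-token salt + HMAC(serverSecret, userId:salt), formatted as "salt.hash".
// The verifier recomputes the HMAC from its own secret; nothing from the JWT is needed or trusted.
function issueRefreshToken(userId, secret = JWT_SECRET) {
  const salt = b64url(crypto.randomBytes(16));
  const hash = b64url(crypto.createHmac('sha512', secret).update(`${userId}:${salt}`).digest());
  return `${salt}.${hash}`;
}

function verifyRefreshToken(refreshToken, userId, secret = JWT_SECRET) {
  const parts = String(refreshToken).split('.');
  if (parts.length !== 2) return false;
  const [salt, hash] = parts;
  const expected = b64url(crypto.createHmac('sha512', secret).update(`${userId}:${salt}`).digest());
  const a = Buffer.from(hash);
  const b = Buffer.from(expected);
  // Length check first: timingSafeEqual throws on mismatched lengths.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Login: sign only user claims. The refresh salt never enters the JWT payload,
// so a JWT holder learns nothing that helps mint refresh tokens.
function login(user) {
  const claims = { userId: user._id, email: user.email, permissionLevel: user.permissionLevel };
  return { accessToken: signJwt(claims, JWT_SECRET), refreshToken: issueRefreshToken(user._id) };
}

// Constructed sample user for a stand-alone run.
const exampleUser = { _id: 'u1', email: 'ada@example.com', permissionLevel: 1 };

function exampleRun() {
  const tokens = login(exampleUser);
  return {
    jwtHasRefreshKey: 'refreshKey' in decodeJwtPayload(tokens.accessToken),
    refreshValid: verifyRefreshToken(tokens.refreshToken, 'u1'),
    refreshWrongUser: verifyRefreshToken(tokens.refreshToken, 'u2'),
  };
}
```

Binding the HMAC input to the user id means a refresh token presented for a different account fails verification, and the length check before `timingSafeEqual` keeps malformed input from throwing. In a real service the refresh token (or a hash of it) would also be stored server-side so it can be revoked; that part is outside what the PR describes.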
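For the CWE-915 item, the practical difference between the vulnerable PATCH handler and the fixed one is whether the request body is applied verbatim or first reduced to an allowlist. The following added example, written for this page and not taken from the PR or the makinhs repository, shows both as pure functions over a plain object so the effect is visible without Express or Mongoose; the field names come from the PR text, while the user record and the malicious body are constructed.

```javascript
// Fields a user may change on their own record (from the PR description).
// permissionLevel is deliberately absent: an allowlist, not a denylist, so new
// sensitive fields added to the model later are excluded by default.
const USER_UPDATABLE_FIELDS = ['firstName', 'lastName', 'email', 'password'];

// Keep only allowlisted own keys. Unknown keys, _id, and operator-shaped keys
// such as "$set" are all dropped because they are simply not in the list.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of Object.keys(body || {})) {
    if (allowed.includes(key)) out[key] = body[key];
  }
  return out;
}

// Vulnerable pattern: whatever the client sent is applied to the record.
function patchUserUnfiltered(user, body) {
  return { ...user, ...body };
}

// Hardened pattern: only allowlisted fields reach the persistence layer.
function patchUserAllowlisted(user, body) {
  return { ...user, ...pickAllowed(body, USER_UPDATABLE_FIELDS) };
}

// Constructed sample: an ordinary user and a PATCH body that tries to self-promote.
const sampleUser = {
  _id: 'u1', firstName: 'Ada', lastName: 'L', email: 'ada@example.com', permissionLevel: 1,
};
const maliciousBody = { firstName: 'Ada', permissionLevel: 2048, _id: 'u2' };

function demo() {
  return {
    unfilteredLevel: patchUserUnfiltered(sampleUser, maliciousBody).permissionLevel,
    allowlistedLevel: patchUserAllowlisted(sampleUser, maliciousBody).permissionLevel,
    allowlistedId: patchUserAllowlisted(sampleUser, maliciousBody)._id,
  };
}
```

The same `pickAllowed` call belongs before any `findOneAndUpdate`-style write; filtering in the handler rather than in a validation step that can be bypassed keeps the allowlist next to the code that decides what is written.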
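On the CWE-942 item, one caveat a reviewer would raise: browsers already refuse to expose a credentialed response whose `Access-Control-Allow-Origin` is `*`, and the usual "fix" of reflecting whatever `Origin` header arrives re-creates the wildcard for credentialed requests, since every site then gets a credentialed read. The echo has to be limited to an allowlist. The following added example, written for this page and not taken from the PR or the makinhs repository, shows the three variants as a pure header-computing function; the origin list is constructed.

```javascript
// Constructed allowlist of origins permitted to make credentialed requests.
// Exact string match on scheme + host + port; no prefix or regex matching.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Variant 1 (the misconfiguration): wildcard plus credentials.
// Browsers block credentialed reads of this response, so it is broken as well as unsafe in intent.
function corsHeadersWildcard() {
  return { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
}

// Variant 2 (still unsafe): unconditional reflection of the request Origin.
// This is what credentials-to-any-origin looks like once the browser check is satisfied.
function corsHeadersEchoAny(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Variant 3 (hardened): echo only an allowlisted origin; otherwise send no CORS grant at all.
// Vary: Origin is always set so caches never serve one origin's grant to another.
function corsHeadersAllowlisted(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  if (origin && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Convenience for a stand-alone run: which origins would receive a credentialed grant.
function grantedOrigins(origins, fn) {
  return origins.filter((o) => fn(o)['Access-Control-Allow-Origin'] === o);
}
```

In Express terms, the equivalent of variant 2 is the `cors` package with `origin: true` and `credentials: true`; the equivalent of variant 3 is passing the allowlist array (or a function that checks it) as `origin`. Note the lookalike `https://app.example.com.evil.net` is rejected by the exact-match set but would pass a naive `startsWith` check.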
@saaa99999999
Author

CVE Request — Action Needed from Maintainer

This PR fixes security vulnerabilities. To assign a CVE number:

GitHub only issues CVEs from the official upstream repository, not from forks.

Please:

  1. Go to this repo → Security → Advisories → New draft security advisory
  2. Add @saaa99999999 as a collaborator
  3. I will populate the full vulnerability details (CVSS, CWE, data flow, PoC) and submit the CVE request

If you prefer, I can submit the CVE via MITRE (cveform.mitre.org) instead — just let me know.

Thank you for reviewing this PR!
