refactor: 统一认证端点并删除冗余 profile 模块

- 合并 auth 端点: /verifications/verify → /verify, /verifications/resend → /resend
- 整合密码重置到 /verify 端点 (type=recovery)
- 移除未使用的 /auth/users 端点
- 添加 redirect URL 白名单验证 (site_url + additional_redirect_urls)
- 限流改用 Redis + IP 标识，替代内存锁
- 删除 v1/profile 死代码模块
- 更新前端 auth_api 适配新端点
- 添加 supabase site_url 和 additional_redirect_urls 配置

backend/tests/integration/test_auth_routes.py

@@ -138,7 +138,7 @@ def test_signup_verify_returns_token_response() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/verifications/verify",
+            "/api/v1/auth/verify",
             json={"email": "user@example.com", "token": "123456"},
         )
         assert response.status_code == 200
@@ -166,8 +166,8 @@ def test_signup_resend_returns_generic_message() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/verifications/resend",
-            json={"email": "user@example.com"},
+            "/api/v1/auth/resend",
+            json={"type": "recovery", "email": "user@example.com"},
         )
         assert response.status_code == 204
         assert response.content == b""
@@ -191,7 +191,7 @@ def test_signup_verify_invalid_token_returns_problem_details() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/verifications/verify",
+            "/api/v1/auth/verify",
             json={"email": "user@example.com", "token": "000000"},
         )
         assert response.status_code == 401
@@ -230,7 +230,7 @@ def test_signup_start_existing_email_returns_problem_details() -> None:
         assert response.status_code == 422
         assert response.headers["content-type"].startswith("application/problem+json")
         body = response.json()
-        assert body["title"] == "Unprocessable Content"
+        assert body["title"] == "Unprocessable Entity"
         assert body["status"] == 422
         assert body["detail"] == "Invalid signup request"
     finally:
@@ -254,13 +254,13 @@ def test_signup_verify_rate_limited_after_too_many_attempts() -> None:
     try:
         for _ in range(10):
             ok = client.post(
-                "/api/v1/auth/verifications/verify",
+                "/api/v1/auth/verify",
                 json={"email": "user@example.com", "token": "123456"},
             )
             assert ok.status_code == 200
 
         blocked = client.post(
-            "/api/v1/auth/verifications/verify",
+            "/api/v1/auth/verify",
             json={"email": "user@example.com", "token": "123456"},
         )
         assert blocked.status_code == 429
@@ -286,13 +286,13 @@ def test_signup_resend_rate_limited_after_too_many_attempts() -> None:
     try:
         for _ in range(5):
             ok = client.post(
-                "/api/v1/auth/verifications/resend",
+                "/api/v1/auth/resend",
                 json={"email": "user@example.com"},
             )
             assert ok.status_code == 204
 
         blocked = client.post(
-            "/api/v1/auth/verifications/resend",
+            "/api/v1/auth/resend",
             json={"email": "user@example.com"},
         )
         assert blocked.status_code == 429
@@ -493,6 +493,37 @@ def test_refresh_rate_limited_after_too_many_attempts() -> None:
         app.dependency_overrides = {}
 
 
+def test_refresh_rate_limit_not_bypassed_by_changing_refresh_token() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = SessionResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for index in range(10):
+            blocked = client.post(
+                "/api/v1/auth/sessions/refresh",
+                json={"refresh_token": f"invalid-{index}"},
+            )
+            assert blocked.status_code == 401
+
+        blocked = client.post(
+            "/api/v1/auth/sessions/refresh",
+            json={"refresh_token": "invalid-extra"},
+        )
+        assert blocked.status_code == 429
+    finally:
+        app.dependency_overrides = {}
+
+
 def test_logout_rate_limited_after_too_many_attempts() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = SessionResponse(
@@ -529,6 +560,39 @@ def test_logout_rate_limited_after_too_many_attempts() -> None:
         app.dependency_overrides = {}
 
 
+def test_logout_rate_limit_not_bypassed_by_changing_refresh_token() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = SessionResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for index in range(10):
+            ok = client.request(
+                "DELETE",
+                "/api/v1/auth/sessions",
+                json={"refresh_token": f"refresh-{index}"},
+            )
+            assert ok.status_code == 204
+
+        blocked = client.request(
+            "DELETE",
+            "/api/v1/auth/sessions",
+            json={"refresh_token": "refresh-extra"},
+        )
+        assert blocked.status_code == 429
+    finally:
+        app.dependency_overrides = {}
+
+
 def test_signup_start_validation_error_returns_problem_details() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = SessionResponse(
@@ -548,7 +612,7 @@ def test_signup_start_validation_error_returns_problem_details() -> None:
         assert response.status_code == 422
         assert response.headers["content-type"].startswith("application/problem+json")
         body = response.json()
-        assert body["title"] == "Unprocessable Content"
+        assert body["title"] == "Unprocessable Entity"
         assert body["status"] == 422
         assert body["detail"] == "Invalid request"
     finally:
@@ -577,110 +641,13 @@ def test_signup_start_missing_username_returns_problem_details() -> None:
         assert response.status_code == 422
         assert response.headers["content-type"].startswith("application/problem+json")
         body = response.json()
-        assert body["title"] == "Unprocessable Content"
+        assert body["title"] == "Unprocessable Entity"
         assert body["status"] == 422
         assert body["detail"] == "Invalid request"
     finally:
         app.dependency_overrides = {}
 
 
-def test_get_user_by_email_returns_user() -> None:
-    user = AuthUser(id="user-1", email="user@example.com")
-    token_response = SessionResponse(
-        access_token="access",
-        refresh_token="refresh",
-        expires_in=3600,
-        token_type="bearer",
-        user=user,
-    )
-    app.dependency_overrides[get_auth_service] = _override_auth_service(
-        FakeAuthService(token_response)
-    )
-    app.dependency_overrides[get_current_user] = lambda: CurrentUser(
-        id=UUID("00000000-0000-0000-0000-000000000001"),
-        email="user@example.com",
-    )
-
-    client = TestClient(app)
-    try:
-        response = client.get(
-            "/api/v1/auth/users",
-            params={"email": "user@example.com"},
-        )
-        assert response.status_code == 200
-        body = response.json()
-        assert body["email"] == "user@example.com"
-        assert body["id"] == "user-1"
-    finally:
-        app.dependency_overrides = {}
-
-
-def test_get_user_by_email_not_found_returns_problem_details() -> None:
-    user = AuthUser(id="user-1", email="user@example.com")
-    token_response = SessionResponse(
-        access_token="access",
-        refresh_token="refresh",
-        expires_in=3600,
-        token_type="bearer",
-        user=user,
-    )
-    app.dependency_overrides[get_auth_service] = _override_auth_service(
-        FakeAuthService(token_response)
-    )
-    app.dependency_overrides[get_current_user] = lambda: CurrentUser(
-        id=UUID("00000000-0000-0000-0000-000000000001"),
-        email="missing@example.com",
-    )
-
-    client = TestClient(app)
-    try:
-        response = client.get(
-            "/api/v1/auth/users",
-            params={"email": "missing@example.com"},
-        )
-        assert response.status_code == 404
-        assert response.headers["content-type"].startswith("application/problem+json")
-        body = response.json()
-        assert body["title"] == "Not Found"
-        assert body["status"] == 404
-        assert body["detail"] == "User not found"
-    finally:
-        app.dependency_overrides = {}
-
-
-def test_get_user_by_email_forbidden_when_querying_other_user() -> None:
-    user = AuthUser(id="user-1", email="user@example.com")
-    token_response = SessionResponse(
-        access_token="access",
-        refresh_token="refresh",
-        expires_in=3600,
-        token_type="bearer",
-        user=user,
-    )
-    app.dependency_overrides[get_auth_service] = _override_auth_service(
-        FakeAuthService(token_response)
-    )
-    app.dependency_overrides[get_current_user] = lambda: CurrentUser(
-        id=UUID("00000000-0000-0000-0000-000000000001"),
-        email="self@example.com",
-    )
-
-    client = TestClient(app)
-    try:
-        response = client.get(
-            "/api/v1/auth/users",
-            params={"email": "target@example.com"},
-        )
-        assert response.status_code == 403
-        assert response.headers["content-type"].startswith("application/problem+json")
-        body = response.json()
-        assert body["title"] == "Forbidden"
-        assert body["status"] == 403
-        assert body["detail"] == "Forbidden"
-    finally:
-        app.dependency_overrides = {}
-
-
 def test_password_reset_request_returns_204() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = SessionResponse(
@@ -697,7 +664,7 @@ def test_password_reset_request_returns_204() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/password-reset",
+            "/api/v1/auth/resend",
             json={"email": "user@example.com"},
         )
         assert response.status_code == 204
@@ -721,8 +688,9 @@ def test_password_reset_confirm_returns_204() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/password-reset/confirm",
+            "/api/v1/auth/verify",
             json={
+                "type": "recovery",
                 "email": "user@example.com",
                 "token": "123456",
                 "new_password": "newpassword123",
@@ -749,8 +717,9 @@ def test_password_reset_confirm_invalid_token_returns_401() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/password-reset/confirm",
+            "/api/v1/auth/verify",
             json={
+                "type": "recovery",
                 "email": "user@example.com",
                 "token": "000000",
                 "new_password": "newpassword123",
@@ -781,8 +750,9 @@ def test_password_reset_confirm_weak_password_returns_422() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/password-reset/confirm",
+            "/api/v1/auth/verify",
             json={
+                "type": "recovery",
                 "email": "user@example.com",
                 "token": "123456",
                 "new_password": "123",