security: fix SMTP credential exposure and auth bypass

- C-1: Move EMAIL_HOST_PASSWORD to os.environ (was hardcoded plaintext)
- C-2: Enable token-user cross-validation in validate_token_and_get_user()
  (compares token.user_id with user.id to prevent impersonation)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

mobile_api/utils.py

@@ -80,13 +80,13 @@ def validate_token_and_get_user(request, error_status_code=None):
                 status=status
             ))
         
-        # Verify username matches token user
-        # if user.username != username:
-            # status = 401 if error_status_code else None
-            # return (None, None, None, JsonResponse(
-            #     {"status": "error", "message": "token does not match user"},
-            #     status=status
-            # ))
+        # Verify token belongs to this user
+        if token.user_id != user.id:
+            status = 401 if error_status_code else None
+            return (None, None, None, JsonResponse(
+                {"status": "error", "message": "token does not match user"},
+                status=status
+            ))
         
         # Success - return user, token, data, and None for error_response
         return (user, token, data, None)