fix: Enhance security handler tests and implement role-based access control

- Added role-based middleware to various security handler tests to ensure only admin users can access certain endpoints.
- Created a new test file for authorization checks on security mutators, verifying that non-admin users receive forbidden responses.
- Updated existing tests to include role setting for admin users, ensuring consistent access control during testing.
- Introduced sensitive data masking in settings handler responses, ensuring sensitive values are not exposed in API responses.
- Enhanced user handler responses to mask API keys and invite tokens, so these credentials are no longer returned in user-related endpoint responses (tests that need the token now read it from the database instead of the response body).
- Refactored routes to group security admin endpoints under a dedicated route with role-based access control.
- Added tests for import handler routes to verify authorization guards, ensuring only admin users can access import functionalities.
This commit is contained in:
GitHub Actions
2026-02-25 05:41:35 +00:00
parent d8e6d8d9a9
commit c156183666
20 changed files with 504 additions and 70 deletions


@@ -100,7 +100,10 @@ func TestInviteToken_MustBeUnguessable(t *testing.T) {
var resp map[string]any
require.NoError(t, json.Unmarshal(w.Body.Bytes(), &resp))
token := resp["invite_token"].(string)
var invitedUser models.User
require.NoError(t, db.Where("email = ?", "user@test.com").First(&invitedUser).Error)
token := invitedUser.InviteToken
require.NotEmpty(t, token)
// Token MUST be at least 32 chars (64 hex = 32 bytes = 256 bits)
assert.GreaterOrEqual(t, len(token), 64, "Invite token must be at least 64 hex chars (256 bits)")