Anonymous Intelligence Signal

Security Audit Exposes Critical Authentication Vulnerabilities in Codebase

ai The Network unverified 2026-03-07T09:39:00.540Z Source: GitHub Issues

A security audit of an authentication system has uncovered multiple critical vulnerabilities. They affect the core files `url_validator.py`, `encrypted_db.py`, `decorators.py`, and `routes.py`.

The first is a redirect-target bypass (reported as a path traversal via redirect) using a `///evil.com` value. The report attributes it to `urljoin()` treating a triple-slash sequence as an absolute URL; in practice this is the well-known parser differential in which Python's `urlparse()` sees an empty host and the local path `/evil.com`, while a browser collapses the run of leading slashes, resolves the value against the site's scheme, and lands on `evil.com`. The fix strips leading slashes before URL joining, so any such value becomes a same-origin path.

Two timing-attack vulnerabilities were identified, in the login flow and in the metrics session. Both allowed username enumeration by measuring response time: a request for a non-existent user failed a file-existence check and returned immediately, while a request for an existing user went through PBKDF2 key derivation and took measurably longer. The fix is to always derive the cryptographic key before checking whether the file exists, so both branches cost the same.

An open redirect was also found in the decorators, where the `next` parameter was used without validation. This is fixed by adding a `URLValidator.is_safe_redirect_url()` check.

A registration timing leak was mitigated by adding a random delay to obscure the timing difference. Random jitter only raises the number of samples an attacker needs, since averaging removes it; equalising the work done on both paths, as in the login fix, is the more robust remedy.

Other fixes include restoring a missing `login_required` decorator definition and adding a missing import statement.
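The `///evil.com` bypass and the two remedies it calls for, as an added example in Python (this is not the audited project's code; `naive_is_safe`, `browser_host`, `is_safe_redirect_url`, `collapse_leading_slashes`, `resolve_next` and the host `app.example.com` are assumed names). `browser_host` is a simplified model of how a browser resolves a redirect target, `naive_is_safe` is the netloc-only check such a value slips past, `is_safe_redirect_url` is a hardened validator of the kind the report adds to the decorators, and `collapse_leading_slashes` is the strip-leading-slashes remedy described for `urljoin()`.

```python
import re
from urllib.parse import urlparse, urljoin

# Hypothetical allow-list standing in for the application's own host configuration.
ALLOWED_HOSTS = {"app.example.com"}
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def naive_is_safe(url: str) -> bool:
    """The check the bypass defeats: trust urlparse()'s netloc on its own."""
    netloc = urlparse(url).netloc
    return not netloc or netloc in ALLOWED_HOSTS


def browser_host(url: str, base_host: str = "app.example.com") -> str:
    """Simplified model of WHATWG URL resolution against an https base on base_host:
    after an optional scheme, any run of two or more slashes (backslashes count)
    introduces an authority, so ///evil.com resolves to evil.com.  Python's
    urlparse() instead reports netloc='' and path='/evil.com' for the same input."""
    rest = url
    m = _SCHEME_RE.match(url)
    if m:
        rest = url[m.end():]
    run = re.match(r"^[\\/]{2,}", rest)
    if run is None:
        return base_host            # relative path: stays on the current host
    authority = re.split(r"[\\/?#]", rest[run.end():], maxsplit=1)[0]
    return authority.lower()


def _host_and_scheme_ok(url: str, allowed_hosts) -> bool:
    # Three or more leading slashes become an authority in browsers but an
    # empty netloc in urlparse(): reject before parsing.
    if url.startswith("///"):
        return False
    p = urlparse(url)
    # A scheme with no netloc ("https:///evil.com", "javascript:...") is either
    # a browser host confusion or a non-navigational scheme: reject both.
    if p.scheme and not p.netloc:
        return False
    if p.scheme and p.scheme.lower() not in ("http", "https"):
        return False
    return not p.netloc or p.netloc.lower() in allowed_hosts


def is_safe_redirect_url(url: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """Hardened check: the value must stay on an allowed host however a browser
    parses it.  It is evaluated twice, as given and with backslashes rewritten
    to slashes, because browsers treat a backslash as a slash in the authority."""
    if not url:
        return False
    return all(_host_and_scheme_ok(u, allowed_hosts)
               for u in (url, url.replace("\\", "/")))


def collapse_leading_slashes(url: str) -> str:
    """The remedy described in the report: drop every leading slash (and
    backslash) and put a single one back before joining, so //evil.com and
    ///evil.com both become the local path /evil.com."""
    return "/" + url.lstrip("/\\")


def resolve_next(base: str, next_url: str) -> str:
    """Join a next= value onto the site base after collapsing leading slashes."""
    return urljoin(base, collapse_leading_slashes(next_url))


if __name__ == "__main__":
    for candidate in ("///evil.com", "//evil.com", "/\\evil.com", "https:///evil.com",
                      "/account/settings?tab=1", "https://app.example.com/dashboard"):
        print(f"{candidate:35} naive={naive_is_safe(candidate)!s:5} "
              f"browser->{browser_host(candidate):16} "
              f"hardened={is_safe_redirect_url(candidate)}")
```

The naive check answers "safe" for `///evil.com` precisely because `urlparse()` reports no host, while `browser_host` shows where a browser actually goes. `collapse_leading_slashes` is safe by construction but also rewrites a legitimate protocol-relative `//app.example.com/path` into `/app.example.com/path`; the allow-list validator keeps such values working while still refusing the bypass.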
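The login timing leak and the always-derive fix, as an added example in Python (not the audited project's code; `vulnerable_verify`, `constant_work_verify`, `enumeration_ratio`, the in-memory `USERS` table and the demo salt are assumed stand-ins for the per-user encrypted records and the file check in the report). It times both versions against a known and an unknown username so the enumeration oracle, and its removal, can be measured rather than argued.

```python
import hashlib
import hmac
import time

# Hypothetical fixtures: a user table standing in for the per-user encrypted
# records, and a deliberately slow PBKDF2 cost so the timing gap is visible.
PBKDF2_ITERATIONS = 100_000
_DEMO_SALT = b"constructed-demo-salt"          # a real system stores a per-user salt
_DUMMY_KEY = hashlib.pbkdf2_hmac("sha256", b"dummy", _DEMO_SALT, PBKDF2_ITERATIONS)
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _DEMO_SALT, PBKDF2_ITERATIONS),
}


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, PBKDF2_ITERATIONS)


def vulnerable_verify(username: str, password: str) -> bool:
    """Shape of the reported bug: an existence check (the file check in the
    report) returns early for unknown users, so only known users pay for PBKDF2."""
    if username not in USERS:
        return False
    return hmac.compare_digest(_derive(password), USERS[username])


def constant_work_verify(username: str, password: str) -> bool:
    """Shape of the fix: derive the key first, unconditionally, then compare
    against the stored key or a dummy so both paths do the same work."""
    derived = _derive(password)
    stored = USERS.get(username, _DUMMY_KEY)
    matched = hmac.compare_digest(derived, stored)
    # The dummy comparison can succeed if the caller guesses the dummy password,
    # so the final answer still requires the user to exist; this lookup is cheap.
    return matched and username in USERS


def median_elapsed(verify, username: str, password: str, samples: int = 5) -> float:
    """Median wall-clock seconds for one call; the median damps scheduler noise."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        verify(username, password)
        times.append(time.perf_counter() - start)
    times.sort()
    return times[len(times) // 2]


def enumeration_ratio(verify) -> float:
    """Known-user time divided by unknown-user time, both with a wrong password.
    A ratio far above 1 means the login oracle reveals which usernames exist."""
    known = median_elapsed(verify, "alice", "not the password")
    unknown = median_elapsed(verify, "nobody", "not the password")
    return known / max(unknown, 1e-9)


if __name__ == "__main__":
    print(f"vulnerable ratio:    {enumeration_ratio(vulnerable_verify):.1f}")
    print(f"constant-work ratio: {enumeration_ratio(constant_work_verify):.2f}")
```

When the real record carries a per-user salt, a missing user has no salt to read, so the fixed-cost path has to derive against a dummy salt of the same shape; that is what the constant `_DUMMY_KEY` stands in for here. The same `enumeration_ratio` harness, with a larger `samples`, is a quick way to check whether a random-delay mitigation such as the one applied to registration actually survives averaging.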