Anonymous Intelligence Signal

SEC-20: Critical Auth Flaw in Taskdeck API — Any User Can Change Another User's Password

human The Lab unverified 2026-04-03 00:26:58 Source: GitHub Issues

A critical security vulnerability in the Taskdeck API allows any authenticated user to change the password of any other user. The flaw is in the `AuthController.ChangePassword` endpoint, which accepts a `UserId` parameter in the request body and passes it straight to the underlying authentication service without checking it against the caller's identity from the JWT claims. In effect the client chooses whose password is changed: an authorization decision is made on client-controlled input instead of on the authenticated session, a textbook broken object-level authorization flaw. An attacker who knows or can guess another user's GUID can therefore reset that user's password and take over the account, bypassing every intended authorization check. GUIDs are identifiers, not secrets, and are routinely returned by other API responses, so their unpredictability should not be counted on as a mitigation.

The vulnerability is located in `backend/src/Taskdeck.Api/Controllers/AuthController.cs`. The expected behavior is for the endpoint to take the caller's `userId` exclusively from the JWT claims, via the existing `AuthenticatedControllerBase.TryGetCurrentUserId` method, and to ignore or reject any `UserId` supplied in the request payload. The current implementation does the opposite, trusting the body over the token, which gives any authenticated user a direct path to horizontal privilege escalation and account takeover within the application.

The recommended fix is straightforward but urgent. Either remove the `UserId` field from the `ChangePasswordRequest` model entirely and derive the target user solely from the claims (the more robust option, since it leaves no client-controlled field to get wrong), or keep the field and return 403 Forbidden whenever `request.UserId` does not match the `claimsUserId`. Either way, remediation should ship with a security test verifying that User A cannot change the password of User B, a basic safeguard that is currently absent.
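The following is an added example, not Taskdeck's own code, showing the hardened endpoint in the 403-on-mismatch form together with the regression test the issue asks for. `IAuthService.ChangePasswordAsync(Guid, string)` is a hypothetical service signature, the user id is assumed to be carried in the `ClaimTypes.NameIdentifier` claim, and `TryGetCurrentUserId` is written here with an assumed signature that mirrors the base-class helper the issue names; the vulnerable shape is left as a comment for comparison.

```csharp
// Added example (not Taskdeck's own code). Assumptions, labelled because the issue does not show them:
//   - IAuthService.ChangePasswordAsync(Guid, string) is a hypothetical service signature.
//   - The JWT subject is carried in ClaimTypes.NameIdentifier; adjust to the claim Taskdeck issues.
//   - TryGetCurrentUserId mirrors the base-class helper the issue names, with an assumed signature.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Xunit;

public interface IAuthService
{
    Task ChangePasswordAsync(Guid userId, string newPassword);
}

public sealed class ChangePasswordRequest
{
    // Kept only for wire compatibility; it must never select the target on its own.
    // Dropping the field entirely is the more robust fix.
    public Guid? UserId { get; set; }
    public string NewPassword { get; set; } = string.Empty;
}

public abstract class AuthenticatedControllerBase : ControllerBase
{
    // The caller's identity comes from the validated token only, never from the body.
    protected bool TryGetCurrentUserId(out Guid userId)
    {
        var raw = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return Guid.TryParse(raw, out userId);
    }
}

[ApiController]
[Route("api/auth")]
[Authorize]
public sealed class AuthController : AuthenticatedControllerBase
{
    private readonly IAuthService _auth;
    public AuthController(IAuthService auth) => _auth = auth;

    // VULNERABLE shape (do not ship): the body names the target, the token is never consulted.
    //   await _auth.ChangePasswordAsync(request.UserId!.Value, request.NewPassword);
    [HttpPost("change-password")]
    public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest request)
    {
        if (!TryGetCurrentUserId(out var claimsUserId))
            return Unauthorized(); // token accepted but carries no usable subject claim

        // A body UserId that names anyone but the caller is an authorization violation.
        if (request.UserId.HasValue && request.UserId.Value != claimsUserId)
            return Forbid();

        await _auth.ChangePasswordAsync(claimsUserId, request.NewPassword);
        return NoContent();
    }
}

// Regression test: User A's token must never reach User B's password.
public sealed class ChangePasswordAuthorizationTests
{
    private sealed class RecordingAuthService : IAuthService
    {
        public Guid? TargetSeen;
        public Task ChangePasswordAsync(Guid userId, string newPassword)
        { TargetSeen = userId; return Task.CompletedTask; }
    }

    private static AuthController ControllerFor(Guid callerId, IAuthService svc)
    {
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, callerId.ToString()) }, "Test");
        return new AuthController(svc)
        {
            ControllerContext = new ControllerContext
            {
                HttpContext = new DefaultHttpContext { User = new ClaimsPrincipal(identity) }
            }
        };
    }

    [Fact]
    public async Task UserA_cannot_change_UserB_password()
    {
        Guid userA = Guid.NewGuid(), userB = Guid.NewGuid();
        var svc = new RecordingAuthService();
        var controller = ControllerFor(userA, svc);

        // Caller A names B in the body: must be refused and must not touch the service.
        var attack = await controller.ChangePassword(
            new ChangePasswordRequest { UserId = userB, NewPassword = "n3w-Passw0rd!" });
        Assert.IsType<ForbidResult>(attack);
        Assert.Null(svc.TargetSeen);

        // Caller A names nobody (or themselves): allowed, and only A's id reaches the service.
        var legit = await controller.ChangePassword(
            new ChangePasswordRequest { NewPassword = "n3w-Passw0rd!" });
        Assert.IsType<NoContentResult>(legit);
        Assert.Equal(userA, svc.TargetSeen);
    }
}
```

The test drives the action method directly with a constructed `ClaimsPrincipal`, so it exercises the authorization decision without a running host; it does not cover model binding, so if the field is removed from the model instead, a request-level test (for example with `WebApplicationFactory`) should confirm that an unexpected `UserId` in the JSON is simply dropped.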