feature/VSN-2806 - implement secure email change flow with Keycloak username/email update

Add complete email change feature with two-step OTP verification, syncing both email and username fields in Keycloak.

Backend Changes:
- Add EmailChangeController with /initiate and /confirm endpoints
- Implement EmailChangeService with transactional OTP validation
- Add EmailChangeRequest entity and repository for pending operations
- Integrate Keycloak Admin Client to update BOTH email and username
- Add email templates (S3) for OTP delivery and confirmation

Key Technical Decisions:
- OTP is hashed with currentEmail to generate operationHash for security
- Keycloak update: Updates BOTH 'email' AND 'username' fields (requires "Edit username" enabled in Keycloak realm settings)
- Transactional rollback on Keycloak failure to maintain DB consistency
- Pending requests auto-expire after 15 minutes via scheduled cleanup

Validation:
- @NotBlank and @Size constraints on DTOs
- Ownership check: user can only confirm their own requests
- Idempotency: duplicate confirmations return appropriate status
- Pre-check: prevents email/username conflicts with existing users

Testing:
- Manual testing with yopmail.com addresses for OTP flow
- Verified Keycloak username and email are both updated

Closes VSN-2806
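
The confirm-step checks listed in the commit message (operationHash derived from the OTP and currentEmail, ownership, idempotency, 15-minute expiry), as an added example that is not part of the commit or the project's code. All class, field and enum names are hypothetical, and SHA-256 over "email:otp" is an assumption, since the commit does not name the hash algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.HexFormat;

// Added illustration: all class, field and enum names here are hypothetical.
public class EmailChangeConfirmSketch {
    enum Result { CONFIRMED, ALREADY_CONFIRMED, EXPIRED, FORBIDDEN, INVALID_OTP }
    static final Duration TTL = Duration.ofMinutes(15); // expiry stated in the commit message

    // Pending request as kept server-side: the hash is stored, the OTP is not.
    static final class Pending {
        final String userId, currentEmail, operationHash;
        final Instant createdAt;
        boolean confirmed;
        Pending(String userId, String currentEmail, String otp, Instant createdAt) {
            this.userId = userId; this.currentEmail = currentEmail;
            this.operationHash = operationHash(currentEmail, otp); this.createdAt = createdAt;
        }
    }

    // Assumption: SHA-256 over "email:otp"; the commit does not name the algorithm or encoding.
    static String operationHash(String currentEmail, String otp) {
        try {
            byte[] input = (currentEmail + ":" + otp).getBytes(StandardCharsets.UTF_8);
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(input));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    static Result confirm(Pending p, String callerId, String otp, Instant now) {
        if (!p.userId.equals(callerId)) return Result.FORBIDDEN;        // ownership check
        if (p.confirmed) return Result.ALREADY_CONFIRMED;               // idempotent repeat
        if (now.isAfter(p.createdAt.plus(TTL))) return Result.EXPIRED;  // 15-minute window
        byte[] expected = p.operationHash.getBytes(StandardCharsets.UTF_8);
        byte[] actual = operationHash(p.currentEmail, otp).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) return Result.INVALID_OTP; // constant-time compare
        p.confirmed = true; // the Keycloak email/username update would run here, in the same transaction
        return Result.CONFIRMED;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample data
        Pending p = new Pending("user-1", "old@example.test", "493817", t0);
        System.out.println(confirm(p, "user-2", "493817", t0.plusSeconds(60)));  // different user
        System.out.println(confirm(p, "user-1", "000000", t0.plusSeconds(60)));  // wrong OTP
        System.out.println(confirm(p, "user-1", "493817", t0.plusSeconds(120))); // owner, correct OTP
        System.out.println(confirm(p, "user-1", "493817", t0.plusSeconds(180))); // repeated confirmation
    }
}
```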