
security: replace python-jose with PyJWT for JWT handling#250

Closed
PeakPy wants to merge 1 commit into benavlabs:main from PeakPy:feature/replace-python-jose-with-pyjwt

Conversation


@PeakPy PeakPy commented Feb 11, 2026

Description

Replaces python-jose with PyJWT to address known security vulnerabilities (CVE-related to alg=none bypass and denial-of-service).

Partially addresses #248 (JWT security concern)

Changes

  • Removed python-jose>=3.3.0 dependency
  • Added PyJWT>=2.8.0 dependency
  • Updated JWT encoding/decoding in security.py to use PyJWT API
  • Updated exception handling in logout.py to catch jwt.PyJWTError
  • Converted exp claim to Unix timestamp for PyJWT compliance
  • Updated uv.lock with new dependency tree

Tests

All existing tests pass (11/11):

  • Authentication flow
  • Token creation and verification
  • User CRUD operations

Checklist

  • I have read the CONTRIBUTING document
  • My code follows the code style of this project (ruff, mypy pass)
  • I have added necessary documentation (if appropriate)
  • I have added tests that cover my changes (existing tests validate behavior)
  • All new and existing tests passed

Additional Notes

Collaborator

LucasQR commented Feb 17, 2026

Thanks for the PR! However, we tested this and the vulnerability doesn't actually apply to this project.

We're on python-jose 3.5.0, which already rejects alg=none tokens when algorithms=["HS256"] is explicitly specified, which is what we do on every jwt.decode call in security.py. You can verify this by running the test script in test_jose_vulnerability.py on the repo.

The CVE was valid for older versions of the library, but 3.5.0 already addresses it. Since there's no actual security issue here and the migration introduces churn (different API, timestamp handling changes, new exception types) without a concrete benefit, I'm going to close this.

Appreciate you looking into it though!

@LucasQR LucasQR closed this Feb 17, 2026
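The two sides of this thread agree on one check: a decode call that passes an explicit algorithms=["HS256"] list must refuse an alg=none token before it looks at anything else. The block below is an added example written for this page, not code from this PR or from the benavlabs project's security.py, and it does not use python-jose or PyJWT at all: it is a standard-library model of the verification order that `jwt.decode(token, key, algorithms=["HS256"])` enforces (allowlist first, then signature, then claims), with the `exp` claim handled as the integer Unix timestamp the PR description says the migration converted it to. `TokenError` stands in for the library's base exception (`jwt.PyJWTError` in PyJWT, per the PR), and the key, claims, timestamps and the unsigned fixture token are all constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Explicit algorithm allowlist, mirroring the algorithms=["HS256"] argument
# the thread says every jwt.decode call in security.py passes.
ALLOWED_ALGS = ("HS256",)


class TokenError(Exception):
    """Any token the verifier will not accept (stand-in for jwt.PyJWTError)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs256(claims: dict, key: bytes, lifetime_s: int = 900,
                 now: Optional[int] = None) -> str:
    """Issue an HS256 token. exp is written as an integer Unix timestamp,
    the form the PR description says the claim was converted to."""
    issued_at = int(time.time()) if now is None else now
    payload = dict(claims, exp=issued_at + lifetime_s)
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def unsigned_token(claims: dict) -> str:
    """Constructed test fixture: an alg=none token with an empty signature,
    the input a regression test like the thread's test_jose_vulnerability.py
    feeds the verifier to confirm it is rejected."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def decode(token: str, key: bytes, algorithms=ALLOWED_ALGS,
           now: Optional[float] = None) -> dict:
    """Verify and return the claims. The allowlist is checked before the
    signature, so an alg=none token never reaches the HMAC comparison."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise TokenError("undecodable header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in algorithms:
        raise TokenError(f"alg {alg!r} is not in the allowlist {list(algorithms)}")
    if alg != "HS256":
        raise TokenError(f"alg {alg!r} is allowed but not implemented here")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("undecodable signature") from exc
    if not hmac.compare_digest(expected, provided):
        raise TokenError("signature mismatch")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("undecodable payload") from exc
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or isinstance(exp, bool):
        raise TokenError("exp must be an integer Unix timestamp")
    if (time.time() if now is None else now) >= exp:
        raise TokenError("token expired")
    return payload


def rejection_reason(token: str, key: bytes, **kwargs) -> Optional[str]:
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        decode(token, key, **kwargs)
    except TokenError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    key = b"constructed-test-key"
    good = encode_hs256({"sub": "alice"}, key, lifetime_s=60)
    print("valid token  ->", rejection_reason(good, key))
    print("unsigned     ->", rejection_reason(unsigned_token({"sub": "alice"}), key))
    print("wrong key    ->", rejection_reason(good, b"other-key"))
```

The order inside `decode` is the whole point of the maintainer's reply: with an explicit allowlist the header's `alg` decides the outcome before any key material is touched, which is why a library that honours the list is safe regardless of what the token claims. The integer check on `exp` is the edge the PR's "Unix timestamp" bullet is about; a datetime object serialised any other way fails verification here rather than being silently accepted.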