Ho Ngoc Hai
6a8e75effe
feat(auth): validate KYC image URL hosts match MinIO bucket

Closes TEC-2725. Backend KYC presign + submit endpoints already landed in
8f8e20f; this adds the remaining acceptance criterion — host validation on
presigned URLs accepted via /auth/kyc/submit.

- Add IMediaStorageService.isTrustedUrl(url) — host+bucket check, supports
  MINIO_TRUSTED_HOSTS for CDN aliases
- SubmitKycHandler rejects imageUrls pointing outside our MinIO bucket
- Update handler specs with mock + new untrusted-host test

Co-Authored-By: Paperclip <noreply@paperclip.ing>
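
A sketch of the host+bucket check this commit message describes, added here as an illustration and not taken from the commit or the project. The `TrustConfig` shape, the path-style URL layout, the HTTPS-only rule, the comma-separated `MINIO_TRUSTED_HOSTS` format and the `findUntrusted` helper are assumptions.

```typescript
// Added illustration, not the project's IMediaStorageService code.
// Assumed: path-style URLs (https://host/<bucket>/<key>), HTTPS only,
// MINIO_TRUSTED_HOSTS given as a comma-separated list of exact hosts.
interface TrustConfig {
  endpointHost: string; // MinIO endpoint, host[:port]
  bucket: string;
  trustedHosts: string; // raw MINIO_TRUSTED_HOSTS value, may be empty
}

// Constructed sample configuration (hypothetical names).
const SAMPLE_CFG: TrustConfig = {
  endpointHost: "minio.example.test:9000",
  bucket: "kyc-media",
  trustedHosts: "cdn.example.test, ",
};

function allowedHosts(cfg: TrustConfig): Set<string> {
  return new Set(
    [cfg.endpointHost, ...cfg.trustedHosts.split(",")]
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0),
  );
}

function isTrustedUrl(raw: string, cfg: TrustConfig): boolean {
  let url: URL;
  try {
    url = new URL(raw); // parse once; never match on the raw string
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  // Reject userinfo so "trusted-host@other-host" is never accepted.
  if (url.username !== "" || url.password !== "") return false;
  // Exact host[:port] match; no suffix or substring comparison.
  if (!allowedHosts(cfg).has(url.host)) return false;
  // The parser has already resolved "." and ".." segments, so the first
  // segment of pathname is the bucket actually addressed.
  const [, bucket, ...key] = url.pathname.split("/");
  return bucket === cfg.bucket && key.join("/").length > 0;
}

// Returns the URLs a submit handler would reject.
function findUntrusted(imageUrls: string[], cfg: TrustConfig): string[] {
  return imageUrls.filter((u) => !isTrustedUrl(u, cfg));
}
```

A check of this kind only establishes where the URL points; whether the object key belongs to the submitting user is a separate check.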