fix(auth): harden login against timing-based user enumeration

- Use constant-time comparison when user is not found to prevent
  user enumeration via response timing
- Remove debug logging that could expose sensitive data
- Add AspectJ weaver dependency for AOP support

build.gradle.kts

@@ -23,6 +23,7 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter")
     implementation("org.jetbrains.kotlin:kotlin-reflect")
     implementation("org.springframework.boot:spring-boot-starter-web")
+    implementation("org.aspectj:aspectjweaver")
     implementation("org.springframework.security:spring-security-crypto")
     implementation("org.bouncycastle:bcprov-jdk18on:1.84")
     implementation("com.mysql:mysql-connector-j")