
Resolves Issues #1844 and #1845: Authorization and org-identity issues#1847

Open
afoote-mitre wants to merge 4 commits into dev from af-1845

Conversation


@afoote-mitre afoote-mitre commented Jun 10, 2026

Collaborator

Closes Issues #1844 and #1845

Summary

Fixes org-identity authorization issues around duplicate short names and registry organization renames.

Authenticated request handling now preserves and uses the authenticated user/org UUIDs throughout request execution, preventing short-name lookup ambiguity from granting access to the wrong organization. Registry organization renames via new_short_name now follow the same duplicate checks, alias collision checks, and joint-approval flow as short_name changes. The follow-up refactor centralizes UUID-scoped requester/org/user checks in repository-backed auth helpers and fixes approved review-object application so it does not re-enter pending review processing.

Important Changes

src/middleware/middleware.js

  • Persists authenticated org/user UUID context on req.ctx after API-key validation.

src/utils/authContext.js

  • Added shared helpers for requester org/user resolution and UUID-scoped role checks.
  • Uses repository-level UUID helpers for Secretariat, Bulk Download, and Org Admin checks.
  • Exposes requester context lookup so controllers can avoid repeating short-name/user resolution logic.

src/repositories/baseOrgRepository.js

  • Added UUID-scoped org role helpers.
  • Allows approved review-object org updates to skip pending review-object processing while still applying the approved data.

src/repositories/orgRepository.js

  • Added legacy UUID-scoped org role helper support.

src/repositories/baseUserRepository.js

  • Added UUID-scoped user lookup and org-admin checks.

src/repositories/userRepository.js

  • Added legacy UUID-scoped user lookup and org-admin checks.

src/controller/*.js

  • Updated controller authorization checks to use authenticated UUID context instead of broader short-name lookups.

src/controller/registry-org.controller/registry-org.controller.js

  • Treats new_short_name as the requested rename target for duplicate and alias collision checks.
  • Rejects conflicting short_name / new_short_name rename intent.
  • Uses shared requester context for org update authorization decisions.

src/controller/review-object.controller/review-object.controller.js

  • Applies approved org review objects without re-triggering pending review-object processing.

src/repositories/baseOrgRepositoryHelpers.js

  • Prevents new_short_name from mutating stored org documents before joint-approval detection.

src/controller/cve-id.controller/cve-id.controller.js

  • Removed an unused variable flagged by lint.

test/unit-tests/**

  • Updated controller and middleware tests for authenticated UUID-scoped authorization.

test/integration-tests/middleware/authenticatedContextTest.js

  • Added duplicate short-name regression coverage for authenticated org scoping.

test/integration-tests/registry-org/**

  • Added regression coverage for new_short_name duplicate rejection and non-Secretariat review-only rename behavior.

Testing

Steps to manually test updated functionality:

  1. Run unit tests: bash -i -c "npm run test:unit-test".
  2. Run integration tests: bash -i -c "npm run test:integration".
  3. Verify a non-Secretariat org admin cannot gain Secretariat access through duplicate org short-name behavior.
  4. Verify PUT /api/registry/org/:shortname with new_short_name: "mitre" returns a duplicate short-name error.
  5. Verify non-Secretariat new_short_name updates create a pending review object and do not immediately rename the live org.
  6. Verify approving an org review object successfully applies the approved org update.

@afoote-mitre afoote-mitre changed the title Fix authenticated auth context UUID scoping Resolves Issues #1844 and #1845: Authorization and org-identity issues Jun 10, 2026
@afoote-mitre afoote-mitre requested a review from david-rocca June 10, 2026 16:52
@afoote-mitre afoote-mitre self-assigned this Jun 10, 2026
Comment thread test/integration-tests/middleware/authenticatedContextTest.js Dismissed