
docs: add authentication security patterns to DEVELOPMENT.md#192

Merged: hoiekim merged 1 commit into hoiekim:main from moltboie:docs/anti-timing-attack-pattern on Mar 26, 2026

Conversation

@moltboie
Contributor

Summary

Documents anti-timing-attack patterns for login routes, based on patterns established in PR #136.

Added

Authentication Security section covering:

  • Dummy bcrypt hash technique to prevent timing-based username enumeration
  • Generic error messages to avoid revealing user existence

e2e Testing

Documentation-only change. Verified DEVELOPMENT.md renders correctly and content is accurate against the actual implementation in src/server/routes/users/post-login.ts.

@moltboie
Contributor Author

Self-Review

Discussion thread status:

  • New PR. No prior feedback.

Checked:

  • Content accuracy: Documents the dummy bcrypt hash technique matching the implementation in PR #136 (security/ux: fix username enumeration and add login error feedback). The pattern (run bcrypt.compare even for non-existent users) is correct and mitigates timing-based username enumeration.
  • Generic error message guidance: Correct — never reveal whether the username or password was wrong; always return "Invalid credentials.".
  • Placement: New "Authentication Security" section in DEVELOPMENT.md. Logical location next to other auth-related patterns.
  • No code changes: Documentation-only PR. No functional risk.
  • CI: build ✓, test ✓

E2E Testing:

  • Documentation-only change. No app testing needed.

Issues found:

  • None

Confidence: High

@moltboie
Contributor Author

Self-Review

Discussion thread status:

  • New PR. No prior feedback. Documentation-only change.

Checked:

E2E Testing:

  • N/A (documentation only).

Issues found:

  • None

Confidence: High

Document anti-timing-attack pattern (dummy bcrypt hash) and generic
error messages for login routes. Based on patterns from PR hoiekim#136.
@moltboie moltboie force-pushed the docs/anti-timing-attack-pattern branch from 1299fd3 to dca3cbb on March 21, 2026 16:50
@hoiekim hoiekim merged commit 0396cf4 into hoiekim:main Mar 26, 2026
2 checks passed
