Secure cell creation: require auth on POST /cell/ and set owner from authenticated user #721

@devleo10

Summary

Address the FIXME in backend/api/resources/cell.py (lines 71–74): cell creation should use the authenticated user as the cell owner instead of trusting userEmail from the request body, and the POST /cell/ endpoint should be behind the authenticate decorator.

Current behavior

  • Cell.post is not in method_decorators; only get, put, and delete use authenticate.
  • Cell owner is taken from the request: userEmail = cell_data["userEmail"] and passed to add_cell_by_user_email(..., userEmail).
  • A client can create cells and assign them to any email, which is a security and consistency issue.

Desired behavior

  1. Require authentication on POST
    • Add "post": [authenticate] to Cell.method_decorators.
    • Change post(self) to post(self, user) and use user (e.g. user.email) as the cell owner.

  2. Set owner from authenticated user
    • Do not use userEmail from the request body for ownership. Derive it from the authenticated user (e.g. user.email).

  3. Schema (optional)
    • Relax or update AddCellSchema so userEmail is not required when the user is authenticated (or remove it from the request contract for creation).

Location

  • File: backend/api/resources/cell.py
  • Lines: 71–74 (FIXME and related logic in post)

Acceptance criteria

  • POST /cell/ requires authentication (same as get/put/delete).
  • New cells are created with the authenticated user as owner (e.g. user.email), not from request body.
  • Request schema/docs updated if userEmail is no longer accepted or required for creation.
  • Existing tests updated/added to cover authenticated cell creation and (if applicable) rejection of unauthenticated POST.
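
An added illustration of the requested change, not code from the project: a dependency-free model of per-method decorator dispatch in which `CellBefore` takes the owner from the request body and `CellAfter` takes it from the authenticated user. The token table, `store_cell`, `dispatch`, `try_post` and the behaviour of the stand-in `authenticate` are assumptions.

```python
from functools import wraps
from types import SimpleNamespace

TOKENS = {"tok-alice": "alice@example.com"}  # constructed session store
CELLS = []                                   # constructed stand-in for the database

class Unauthorized(Exception):
    """Raised where the real endpoint would answer 401."""

def authenticate(handler):
    """Assumed behaviour: resolve the caller and pass it to the handler as `user`."""
    @wraps(handler)
    def wrapper(request):
        email = TOKENS.get(request.get("token"))
        if email is None:
            raise Unauthorized()
        return handler(request, SimpleNamespace(email=email))
    return wrapper

def store_cell(name, owner_email):
    """Hypothetical persistence helper."""
    CELLS.append({"name": name, "owner": owner_email})
    return CELLS[-1]

class CellBefore:
    method_decorators = {"get": [authenticate]}  # "post" is missing
    def post(self, request):
        body = request["json"]
        return store_cell(body["name"], body["userEmail"])  # client picks the owner

class CellAfter:
    method_decorators = {"get": [authenticate], "post": [authenticate]}
    def post(self, request, user):
        body = request["json"]
        return store_cell(body["name"], user.email)  # any body userEmail is ignored

def dispatch(resource, method, request):
    """Apply the decorators registered for this HTTP method, then call the handler."""
    handler = getattr(resource(), method)
    for decorator in resource.method_decorators.get(method, []):
        handler = decorator(handler)
    return handler(request)

def try_post(resource, request):
    """Return the stored owner, or "401" when the request is rejected."""
    try:
        return dispatch(resource, "post", request)["owner"]
    except Unauthorized:
        return "401"
```

The same three calls map onto the acceptance criteria: an unauthenticated POST is rejected, and an authenticated POST that still carries `userEmail` is stored under the caller's own address.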
