fix: make email lookup case-insensitive in get_user_by_email (#397)

* fix: make email lookup case-insensitive in get_user_by_email

Email addresses are case-insensitive in practice, but get_user_by_email
compared with an exact `UserModel.email == email` predicate. A user who
signed up as "User@example.com" could not be found when logging in as
"user@example.com" (and vice-versa), so the same person could fail to log
in — or be treated as a brand-new account — depending only on how their
client capitalized the address.

Compare on `func.lower(UserModel.email) == func.lower(email)` so lookups
are robust to capitalization. Minimal and backwards-compatible: it works
with existing mixed-case rows immediately, with no migration required.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix: enforce case-insensitive user emails

---------

Co-authored-by: developer603 <vrramsolutions@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Abhishek Kumar <abhishek@a6k.me>

api/tests/test_user_email_case_insensitive.py

@@ -0,0 +1,19 @@
+import pytest
+
+
+@pytest.mark.asyncio
+async def test_user_email_writes_lowercase_and_looks_up_case_insensitively(
+    db_session,
+):
+    user = await db_session.create_user_with_email(
+        email="User@Example.COM",
+        password_hash="hashed-password",
+    )
+
+    assert user.email == "user@example.com"
+
+    fetched = await db_session.get_user_by_email("USER@example.com")
+
+    assert fetched is not None
+    assert fetched.id == user.id
+    assert fetched.email == "user@example.com"