Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
fix(security): prevent unauthenticated disclosure of instance metadata [APP-14994] (#41598)
## Summary

Fixes APP-14994: three API endpoints were accessible without authentication and exposed sensitive instance metadata to any unauthenticated caller.

- **`/api/v1/users/features`** — removed from `permitAll()` in `SecurityConfig`; now returns **401** for unauthenticated requests. Feature flags are per-user data and must not be disclosed to anonymous callers.
- **`/api/v1/tenants/current`** — kept accessible without authentication (the login page uses it to discover enabled auth providers), but `instanceId` and `adminEmailDomainHash` are now **suppressed** from the response when the caller is anonymous. This eliminates exposure of the unsalted SHA-256 admin-email-domain hash and the instance UUID.
- **`/api/v1/consolidated-api/view`** — kept accessible without authentication (required for public/published apps), but the embedded `organizationConfig` no longer contains `instanceId` or `adminEmailDomainHash` for anonymous callers (same service-layer fix as above).

## Changes

| File | Change |
|------|--------|
| `SecurityConfig.java` | Remove `GET /api/v1/users/features` from `permitAll()` |
| `OrganizationServiceCEImpl.java` | Check `ReactiveSecurityContextHolder` in `getOrganizationConfiguration()`; skip setting `instanceId` / `adminEmailDomainHash` for anonymous principals |
| `OrganizationServiceCETest.java` | Add two tests: anonymous caller gets `null` for sensitive fields; authenticated caller gets non-null values |
| `AuthGuardTest.java` | New controller-level test: `GET /api/v1/users/features` returns 401 for unauthenticated requests; `GET /api/v1/tenants/current` remains accessible |

## Test plan

- [x] `OrganizationServiceCETest#getOrganizationConfig_AnonymousUser_DoesNotExposeInstanceMetadata` — asserts `instanceId` and `adminEmailDomainHash` are `null` for anonymous callers
- [x] `OrganizationServiceCETest#getOrganizationConfig_AuthenticatedUser_ExposesInstanceMetadata` — asserts both fields are non-null for authenticated callers
- [x] `AuthGuardTest#featureFlagsEndpoint_unauthenticated_returns401` — HTTP 401 for unauthenticated `GET /api/v1/users/features`
- [x] `AuthGuardTest#tenantCurrentEndpoint_unauthenticated_isAccessible` — `GET /api/v1/tenants/current` still returns 200 without auth
- [x] All 15 existing `OrganizationServiceCETest` tests pass (1 pre-existing disabled test skipped)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **Bug Fixes**
  * The user features endpoint now requires authentication.
  * Organization instance metadata (instanceId, adminEmailDomainHash) is concealed for unauthenticated requests; tenant/current remains accessible but without sensitive fields.
* **Tests**
  * Added tests validating authentication for the features endpoint and that anonymous vs. authenticated users receive appropriately filtered organization metadata.

## Automation

/ok-to-test tags="@tag.All"

### :mag: Cypress test results

> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run: <https://github.com/appsmithorg/appsmith/actions/runs/22959284307>
> Commit: 1bcf565adcf0e5e44c0bce6899ca7816473ffb25
> [Cypress dashboard](https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=22959284307&attempt=1).
> Tags: `@tag.All`
> Spec:
>
> Wed, 11 Mar 2026 16:17:45 UTC

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
subratadeypappu committed
470aa9ea18146ca8a7d67e295b9cd49da52d893c
Parent: d56a4c6
Committed by GitHub <noreply@github.com>
on 3/16/2026, 10:32:29 AM
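The service-layer pattern the commit describes, as an added illustration written for this page and not Appsmith's own `OrganizationServiceCEImpl`: a Spring WebFlux service reads `ReactiveSecurityContextHolder` and populates `instanceId` / `adminEmailDomainHash` only for an authenticated, non-anonymous principal, treating a missing security context as anonymous. The class name, the DTO and the stored-value fields are assumptions.

```java
import java.util.List;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import reactor.core.publisher.Mono;

// Hypothetical service; names are illustrative, not the project's.
public class OrganizationConfigService {

    // Hypothetical response DTO: fields never set stay null for anonymous callers.
    public static class OrganizationConfiguration {
        public List<String> enabledAuthProviders; // needed by the login page
        public String instanceId;                 // sensitive: authenticated only
        public String adminEmailDomainHash;       // sensitive: authenticated only
    }

    // Hypothetical stored values standing in for whatever the real service reads.
    private final String storedInstanceId;
    private final String storedAdminEmailDomainHash;
    private final List<String> storedAuthProviders;

    public OrganizationConfigService(String instanceId, String adminEmailDomainHash,
                                     List<String> authProviders) {
        this.storedInstanceId = instanceId;
        this.storedAdminEmailDomainHash = adminEmailDomainHash;
        this.storedAuthProviders = authProviders;
    }

    // A principal counts as authenticated only if the token is present, marked
    // authenticated, and is not Spring Security's anonymous placeholder token.
    static boolean isAuthenticated(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    public Mono<OrganizationConfiguration> getOrganizationConfiguration() {
        return ReactiveSecurityContextHolder.getContext()
                .map(ctx -> isAuthenticated(ctx.getAuthentication()))
                // No security context on the subscriber chain at all: fail closed.
                .defaultIfEmpty(false)
                .map(authenticated -> {
                    OrganizationConfiguration cfg = new OrganizationConfiguration();
                    cfg.enabledAuthProviders = storedAuthProviders; // public either way
                    if (authenticated) {
                        cfg.instanceId = storedInstanceId;
                        cfg.adminEmailDomainHash = storedAdminEmailDomainHash;
                    }
                    return cfg;
                });
    }
}
```

Under a reactive test, subscribing with `contextWrite(ReactiveSecurityContextHolder.withAuthentication(...))` exercises the authenticated branch, while subscribing without any context exercises the fail-closed branch.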