fix(server): validate origin before persisting invited users (APP-15239) (#41826)
## Description
When `APPSMITH_BASE_URL` is set to a value that differs from the actual
base URL of an Appsmith instance, the invite users flow (`POST
/api/v1/users/invite`) returns an error ("Origin header does not match
APPSMITH_BASE_URL configuration"), but the invited user is **still added
to the workspace's permission group** in MongoDB. If the invited user
later signs up and logs in, they can see the workspace they were invited
to.
**Root cause:** The invite flow in
`UserAndAccessManagementServiceCEImpl.inviteUsers()` executes user
creation and permission-group assignment BEFORE origin validation, which
only runs at the email-sending stage (`EmailServiceCEImpl`). Since there
is no transactional rollback across the reactive chain, the writes
persist even when the email step errors.
**Fix:** Inject `SecureBaseUrlResolver` into
`UserAndAccessManagementServiceCEImpl` and call
`resolveSecureBaseUrl(originHeader)` as a pre-flight check at the
beginning of `inviteUsers()`, before any DB writes. If origin validation
fails, the entire flow short-circuits — no user is created, no
permission group is modified.
**TDD verification:**
- **Red phase:** Without the fix, the test
`inviteUsers_originMismatch_shouldNotPersistUserInPermissionGroup` fails
with `expected: null but was: User(email=...)` — proving the user gets
persisted despite the error
- **Green phase:** With the fix, the test passes — no user persisted on
origin mismatch
- **Regression:** `WorkspaceServiceTest#addNewUserToWorkspaceAsAdmin`
passes — existing invite flow unaffected
Fixes
https://linear.app/appsmith/issue/APP-15239/invite-users-flow-adds-users-to-workspace-even-when-origin-validation
Slack thread:
https://theappsmith.slack.com/archives/C09NG5BJ18S/p1779119152961779
## Automation
/ok-to-test tags="@tag.All"
### :mag: Cypress test results
## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No
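The ordering problem the description names, reduced to a small Reactor chain, as an added illustration that is not Appsmith's code. `PermissionGroupStore`, `inviteUserBefore`, `inviteUserAfter` and the stand-in `resolveSecureBaseUrl` are invented here; they model the shape of the flow (write, then validate in the email step, versus validate, then write), not the project's real classes.

```java
import java.util.ArrayList;
import java.util.List;
import reactor.core.publisher.Mono;

// Reduced model of the write-before-validate ordering bug. All names here are
// invented for illustration; this is not Appsmith's implementation.
public class InviteOrderingDemo {

    // Stand-in for the configured APPSMITH_BASE_URL (constructed value).
    static final String CONFIGURED_BASE_URL = "https://appsmith.example.test";

    // Stand-in for the permission-group membership collection: a plain list.
    static final class PermissionGroupStore {
        final List<String> members = new ArrayList<>();

        Mono<Void> addMember(String email) {
            // The write happens when this Mono is subscribed to, not when it is built.
            return Mono.fromRunnable(() -> members.add(email));
        }
    }

    // Stand-in for the origin check: the Origin header must equal the configured
    // base URL, otherwise the Mono terminates with an error.
    static Mono<String> resolveSecureBaseUrl(String originHeader) {
        if (originHeader == null || !originHeader.equals(CONFIGURED_BASE_URL)) {
            return Mono.error(new IllegalStateException(
                    "Origin header does not match APPSMITH_BASE_URL configuration"));
        }
        return Mono.just(originHeader);
    }

    // Stand-in for the email step, the only place the original flow validated the origin.
    static Mono<Void> sendInviteEmail(String email, String originHeader) {
        return resolveSecureBaseUrl(originHeader)
                .doOnNext(base -> System.out.println("mail " + email + " with link at " + base))
                .then();
    }

    // BEFORE: persist first, validate inside the email step. A Reactor chain has no
    // transactional rollback, so the member added by addMember() survives the later error.
    static Mono<Void> inviteUserBefore(PermissionGroupStore store, String email, String origin) {
        return store.addMember(email)
                .then(sendInviteEmail(email, origin));
    }

    // AFTER: pre-flight the origin check. If it errors, the chain short-circuits and the
    // deferred write is never subscribed to, so nothing is persisted.
    static Mono<Void> inviteUserAfter(PermissionGroupStore store, String email, String origin) {
        return resolveSecureBaseUrl(origin)
                .then(Mono.defer(() -> store.addMember(email)))
                .then(Mono.defer(() -> sendInviteEmail(email, origin)));
    }

    public static void main(String[] args) {
        String mismatchedOrigin = "https://other.example.test"; // constructed value

        PermissionGroupStore before = new PermissionGroupStore();
        inviteUserBefore(before, "alice@example.test", mismatchedOrigin)
                .onErrorResume(e -> Mono.empty())
                .block();
        System.out.println("before fix, members after failed invite: " + before.members);

        PermissionGroupStore after = new PermissionGroupStore();
        inviteUserAfter(after, "alice@example.test", mismatchedOrigin)
                .onErrorResume(e -> Mono.empty())
                .block();
        System.out.println("after fix, members after failed invite: " + after.members);
    }
}
```

With a mismatched origin, `inviteUserBefore` leaves the invited address in the membership list even though the subscriber only sees the origin error, which is the orphaned-membership condition the description reports; `inviteUserAfter` leaves the list empty. The `Mono.defer` wrappers matter: they keep the write from being assembled, let alone subscribed, until the validation step has completed successfully, which is the same invariant the pre-flight `resolveSecureBaseUrl` call in `inviteUsers()` is meant to establish.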
## Summary by CodeRabbit
* **Bug Fixes**
  * Invitation workflow now validates the Origin header up front and rejects invalid origins, preventing partial or orphaned invitations and ensuring atomicity.
* **Tests**
  * Added integration test to confirm invalid Origin headers block user persistence and side effects.
  * Strengthened unit test assertions to ensure invited users are not duplicated in admin groups.
> [!WARNING]
> Tests have not run on the HEAD 726b03e945190b2ea549987ca410a2d6c46cb428 yet
>
> Wed, 20 May 2026 07:37:39 UTC
subratadeypappu committed
d89cfcf4c4c94c8b2ea9f2295559c52a6e2a3160
Parent: c33bf95
Committed by GitHub <noreply@github.com>
on 5/20/2026, 8:08:37 AM