Implementa internal/models e internal/auth.

- internal/models/user.go:
  - User: ID, Email unique, PasswordHash, EmailVerified, Role (default user), timestamps.

- internal/models/auth_tokens.go:
  - EmailVerificationToken: UserID, TokenHash unique, ExpiresAt, timestamps
  - PasswordResetToken: UserID, TokenHash unique, ExpiresAt, timestamps

- internal/auth/passwords.go:
  - HashPassword(plain) -> hash (bcrypt)
  - ComparePassword(hash, plain) -> bool/error

- internal/auth/tokens.go:
  - NewToken() -> plainToken (base64url random 32+ bytes)
  - HashToken(plainToken) -> hex/bytes SHA-256 string
  - ExpiresAt helpers (verify 24h, reset 1h)

Assicurati che nel DB venga salvato SOLO l’hash del token.