Validate invite_code server-side in add_anon_user #583

@mircealungu

Description

Context

PR #582 adds support for storing an invite_code on anonymous accounts so that the cohort/classroom assignment carries through to account upgrade.

The mobile flow today is presumed to call GET /validate_invite_code/<code> before submitting POST /add_anon_user, and the existing add_user (full signup) endpoint already runs valid_invite_code() server-side and rejects invalid codes.

Gap

add_anon_user itself does not validate invite_code server-side — it stores whatever the client sends. If the client is buggy, skips the dedicated validation endpoint, or someone calls /add_anon_user directly, an invalid invitation_code gets persisted on the user. The failure surfaces later, silently, at upgrade_to_full_account: the user is upgraded but never added to the cohort, with only a server log line.

Suggested fix

Mirror add_user's pattern — one line at the top of add_anon_user:

if invite_code and not valid_invite_code(invite_code):
    return make_error(...)

This makes the two account-creation endpoints symmetric and removes the trust-the-client assumption.
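The gap and the suggested fix, as an added example that is not zeeguu's own code: a dependency-free stand-in for the endpoint that stores the client-supplied code unchecked, the symmetric version that validates it first, and the later upgrade step where the unchecked path fails silently. VALID_INVITE_CODES, make_error, User and the form dicts are constructed assumptions; valid_invite_code only mimics the name from the issue.

```python
# Added example (not zeeguu code). Demonstrates why add_anon_user should
# validate invite_code server-side, mirroring add_user.

# Constructed sample of accepted codes; the real app looks these up in the DB.
VALID_INVITE_CODES = {"class-2024-a", "class-2024-b"}


def valid_invite_code(code):
    """Stand-in for the server-side check add_user already runs."""
    return code in VALID_INVITE_CODES


def make_error(message, status=400):
    """Constructed stand-in for the project's make_error helper."""
    return {"error": message}, status


class User:
    """Minimal stand-in for the persisted user row."""

    def __init__(self, invitation_code=None):
        self.invitation_code = invitation_code
        self.cohort = None


def add_anon_user_unchecked(form):
    """The gap: whatever the client sends is persisted as-is."""
    return User(invitation_code=form.get("invite_code")), 200


def add_anon_user_checked(form):
    """Suggested fix: reject invalid codes before anything is stored."""
    invite_code = form.get("invite_code")
    if invite_code and not valid_invite_code(invite_code):
        return make_error("invalid invite code")
    return User(invitation_code=invite_code), 200


def upgrade_to_full_account(user, log):
    """Where the unchecked path surfaces: the account is upgraded, the
    cohort join is skipped, and only a log line records why."""
    if not user.invitation_code:
        return user
    if not valid_invite_code(user.invitation_code):
        log.append(f"invite code {user.invitation_code!r} invalid; cohort not joined")
        return user
    user.cohort = user.invitation_code
    return user


if __name__ == "__main__":
    log = []
    # Client skips /validate_invite_code and submits a bad code directly.
    user, status = add_anon_user_unchecked({"invite_code": "bogus"})
    upgrade_to_full_account(user, log)
    print(status, user.cohort, log)   # 200 None [...] -> silent failure
    print(add_anon_user_checked({"invite_code": "bogus"}))  # error, 400
```

The check rejects only non-empty invalid codes, so anonymous signups without a code still succeed; the `not user.invitation_code` guard in the upgrade step keeps that case from being logged as a failure.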

Priority

Low — defense-in-depth, not a known incident. Worth doing next time someone is in this area.
