[bug] API endpoint URLs should use <pk:uuid> instead of <pk:str>

[pandafy]

Describe the bug
Several API endpoint URLs in openwisp-users currently use <pk:str> or <str:user_pk> patterns, despite the User model (and possibly other resources) using UUID primary keys. This inconsistency means that endpoints will accept any string as a primary key, letting malformed UUIDs through to the database and view logic. This reduces input validation, increases risk of confusing 500 errors, and is inconsistent with the best practice of using <pk:uuid> patterns to validate at the routing level.

This was highlighted in the review of openwisp-radius PR #680 and is visible in the openwisp-users API docs, where all user endpoints use string-based URL parameters.

Expected behavior
All API endpoint URL patterns referencing UUID primary keys (e.g., user, organization, etc.) should use <uuid:pk> (for DRF) or <uuid:user_pk>, etc., instead of <str:pk>, so that invalid UUIDs are filtered at the routing level, triggering 404 as early as possible and ensuring consistency across openwisp modules.

[czarflix]

Hello, I would like to work on this issue. I have reproduced the bug and isolated the root cause to a router-to-model mismatch caused by the str:pk converters in openwisp_users/api/urls.py. I have verified that changing these to uuid:pk correctly rejects malformed identifiers at the routing boundary with a 404. I am opening a pull request with this fix and the corresponding regression tests now.