
security: validate OAuth state parameter to prevent CSRF attacks#406

Merged
its-me-abhishek merged 1 commit into main from security/oauth-state-validation
Jan 19, 2026

Conversation

@cfsmp3
Collaborator

@cfsmp3 cfsmp3 commented Jan 19, 2026

Summary

  • Generate cryptographically secure random state per OAuth request using crypto/rand
  • Store state in session and validate in callback to prevent CSRF attacks
  • Clear state after validation (one-time use)
  • Log warnings for state mismatches

Security Issue Addressed

OAuth State Not Validated (High) - Previously used hardcoded "state" parameter, making the OAuth flow vulnerable to CSRF attacks. An attacker could potentially trick a user into logging into the attacker's account.

Changes

  • backend/controllers/app_handlers.go:
    • Add generateOAuthState() function for secure random state generation
    • Update OAuthHandler to generate and store state in session
    • Update OAuthCallbackHandler to validate state before processing callback

Test plan

  • Test OAuth login flow works correctly
  • Verify state is validated (tampering with state should fail)
  • Verify expired/missing state is rejected

🤖 Generated with Claude Code

Generate cryptographically secure random state per OAuth request and
validate it in the callback to prevent cross-site request forgery.

- Add generateOAuthState() using crypto/rand for secure random generation
- Store state in session before redirect to OAuth provider
- Validate state in callback matches stored value
- Clear state after validation (one-time use)
- Log warnings for state mismatches

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
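The four steps in the description above (generate a random state, store it in the session, validate it in the callback, clear it after use) can be seen end to end in the following Go sketch. This is an added example, not the code from backend/controllers/app_handlers.go: the in-memory SessionStore, the session IDs, the 10-minute TTL, the constant-time comparison and the names BeginOAuth and ValidateOAuthState are assumptions made for illustration; only generateOAuthState and the use of crypto/rand come from the PR itself.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"log"
	"sync"
	"time"
)

// Distinct errors so the callback handler can log and respond precisely.
var (
	ErrStateMissing  = errors.New("oauth: no pending state for this session")
	ErrStateMismatch = errors.New("oauth: state parameter does not match session")
	ErrStateExpired  = errors.New("oauth: pending state has expired")
)

// pendingState is what the session holds between redirect and callback.
type pendingState struct {
	value   string
	expires time.Time
}

// SessionStore is a constructed stand-in for the project's real session
// mechanism (assumption: one pending OAuth state per session ID).
type SessionStore struct {
	mu     sync.Mutex
	states map[string]pendingState
}

func NewSessionStore() *SessionStore {
	return &SessionStore{states: make(map[string]pendingState)}
}

// generateOAuthState returns 32 bytes from crypto/rand as URL-safe base64
// (43 characters). It fails closed: an RNG error is returned to the caller
// rather than being replaced by a predictable fallback value.
func generateOAuthState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BeginOAuth generates a fresh state for this request, stores it in the
// session with an expiry, and returns it for the provider redirect URL.
func (s *SessionStore) BeginOAuth(sessionID string, ttl time.Duration) (string, error) {
	state, err := generateOAuthState()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.states[sessionID] = pendingState{value: state, expires: time.Now().Add(ttl)}
	return state, nil
}

// ValidateOAuthState checks the callback's state against the session's
// pending state. The stored value is deleted before any comparison, so a
// replayed or guessed state can be tried at most once (one-time use).
// Failures are logged for detection, as the PR description calls for.
func (s *SessionStore) ValidateOAuthState(sessionID, got string) error {
	s.mu.Lock()
	ps, ok := s.states[sessionID]
	delete(s.states, sessionID) // always consume, match or not
	s.mu.Unlock()

	if !ok {
		log.Printf("WARNING: oauth callback without pending state, session=%q", sessionID)
		return ErrStateMissing
	}
	if time.Now().After(ps.expires) {
		log.Printf("WARNING: oauth state expired, session=%q", sessionID)
		return ErrStateExpired
	}
	// Constant-time compare so the stored value does not leak via timing.
	if subtle.ConstantTimeCompare([]byte(ps.value), []byte(got)) != 1 {
		log.Printf("WARNING: oauth state mismatch, session=%q", sessionID)
		return ErrStateMismatch
	}
	return nil
}

func main() {
	store := NewSessionStore()
	state, err := store.BeginOAuth("demo-session", 10*time.Minute)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("redirect to provider with state=%s", state)
	log.Println("genuine callback:", store.ValidateOAuthState("demo-session", state))
	log.Println("replayed callback:", store.ValidateOAuthState("demo-session", state))
}
```

The test plan in the description maps directly onto the returned errors: a tampered state yields ErrStateMismatch, a callback with no prior redirect yields ErrStateMissing, an overdue one yields ErrStateExpired, and the second presentation of a valid state fails because the first consumed it.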
@github-actions

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

  • Check the "Files changed" tab
  • Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
  • Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
  • Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

@its-me-abhishek its-me-abhishek merged commit 48d7505 into main Jan 19, 2026
6 checks passed