[MEDIUM] OAuth callback input not validated

[ibuyspy]

Unvalidated query boundary in \�pps/api/src/modules/auth/router.ts:40-44. Missing state/PKCE checks.

Fix: Zod-validate callback query; enforce OAuth state and PKCE verification.
Source: Security audit