fix(auth): support Authentik authorization URL override

[markwoodford]

Fixes #11884

Summary

• Add optional AUTH_AUTHENTIK_AUTHORIZATION_URL env var to allow browser redirects to use an external Authentik URL.
• Keep issuer-based server-side validation while deriving token, userinfo, and JWKS endpoints from the issuer when override mode is enabled.
• Relax AUTH_AUTHENTIK_ISSUER validation to allow an optional trailing slash.

Test plan

• Configure AUTH_AUTHENTIK_ISSUER to an internal host and AUTH_AUTHENTIK_AUTHORIZATION_URL to a browser-reachable host.
• Click Authentik login and verify redirect goes to the external authorization URL.
• Complete login and verify token/userinfo/JWKS calls still work.
• Verify existing Authentik setups without the new env var behave unchanged.

Made with Cursor

---

Important

Add support for overriding Authentik authorization URL via new env var, while maintaining server-side validation and relaxing issuer validation.

• Behavior:
  • Add AUTH_AUTHENTIK_AUTHORIZATION_URL env var in env.mjs to override Authentik authorization URL for browser redirects.
  • Maintain server-side validation by deriving token, userinfo, and JWKS endpoints from issuer in auth.ts.
  • Relax AUTH_AUTHENTIK_ISSUER validation to allow optional trailing slash in env.mjs.
• Implementation:
  • Modify auth.ts to handle new AUTH_AUTHENTIK_AUTHORIZATION_URL by setting custom authorization, token, userinfo, and JWKS URLs when override is enabled.
  • Update regex for AUTH_AUTHENTIK_ISSUER in env.mjs to allow optional trailing slash.

^{This description was created by for e27d963. You can customize this summary. It will automatically update as commits are pushed.}

[CLAassistant]

All committers have signed the CLA.

[Steffen911]

Thank you a lot for creating this! 🙌

[Steffen911]

Corresponding docs PR once this is merged: langfuse/langfuse-docs#2577

[Steffen911]

Could you also address the linting reports?