
Harden OAuth redirect, secret, and token expiry checks#58

Open

grantf04 wants to merge 1 commit into nick-transition:main from grantf04:fitapp-oauth-security-hardening

Conversation


grantf04 commented May 9, 2026

Summary

Fixes #6
Fixes #7
Fixes #8

Hardens the OAuth flow by validating registered redirect URIs, comparing client secrets with crypto.timingSafeEqual, and adding expiration to OAuth access tokens. I saw these were proposed as S-size security bounty candidates, but I understand they are not currently formalized live bounties.

Changes

  • Validate redirect_uri against the OAuth client's redirectUris during /authorize, /login, and /callback
  • Replace direct client-secret string comparison with length-guarded crypto.timingSafeEqual
  • Store expiresAt for newly issued OAuth tokens and return expires_in from /token
  • Reject expired OAuth tokens during request authentication, including older tokens that only have createdAt

Type

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Refactor

Testing

  • Unit tests pass
  • Integration tests pass (if applicable)
  • Manual testing completed

Manual verification:

  • cd functions && npm run build

AI Usage

  • No AI tools used
  • AI-assisted (describe below)

AI tools used: OpenAI Codex
What AI generated: OAuth/security patch implementation and PR text
What was human-reviewed/modified: Security behavior, redirect validation coverage, token expiry behavior, and TypeScript build output

Screenshots

No UI changes.
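The checks listed under "Changes" above, written out as an added example that is not the project's code: exact matching of redirect_uri against the client's registered redirectUris, a length-guarded crypto.timingSafeEqual secret comparison, and expiry that also covers older tokens carrying only createdAt. The record shapes, function names and the one-hour token lifetime are assumptions, not values from the repository.

```typescript
import { timingSafeEqual } from "node:crypto";

// Assumed lifetime; the project's real value is not stated on the PR page.
export const TOKEN_LIFETIME_MS = 60 * 60 * 1000;

export interface OAuthClient { clientId: string; clientSecret: string; redirectUris: string[]; }
export interface OAuthToken { createdAt: number; expiresAt?: number; }

// Exact string match only. Prefix, wildcard or substring matching is what lets
// an attacker-controlled path or query string pass as a "registered" URI.
export function isRegisteredRedirectUri(client: OAuthClient, redirectUri: string): boolean {
  return client.redirectUris.includes(redirectUri);
}

// timingSafeEqual throws when the buffers differ in length, so the length is
// checked first and a mismatch returns false instead of surfacing an exception.
// A plain === comparison short-circuits on the first differing byte.
export function clientSecretMatches(stored: string, presented: string): boolean {
  const a = Buffer.from(stored, "utf8");
  const b = Buffer.from(presented, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Tokens issued after the change carry expiresAt. Tokens issued before it only
// have createdAt, so their deadline is derived from that rather than treating
// a missing expiresAt as "never expires".
export function tokenExpiresAt(token: OAuthToken): number {
  return token.expiresAt ?? token.createdAt + TOKEN_LIFETIME_MS;
}

export function isTokenExpired(token: OAuthToken, now: number = Date.now()): boolean {
  return now >= tokenExpiresAt(token);
}

// What /token would hand back next to the access token: expires_in in seconds.
export function issueToken(now: number = Date.now()): { token: OAuthToken; expires_in: number } {
  const token: OAuthToken = { createdAt: now, expiresAt: now + TOKEN_LIFETIME_MS };
  return { token, expires_in: Math.floor(TOKEN_LIFETIME_MS / 1000) };
}
```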


Development

Successfully merging this pull request may close these issues.

  • Security: Client secret comparison not timing-safe
  • Security: Access tokens never expire
  • Security: OAuth redirect_uri not validated