@hhvrc hhvrc commented Sep 4, 2025

This PR introduces OAuth2 authentication and account linking into the API, starting with Discord as the first supported provider.

🔑 Key Additions

  • OAuth Controller & Endpoints

    • GET /oauth/providers – list supported providers.
    • GET /oauth/{provider}/authorize – begin login-or-create flow.
    • GET /oauth/{provider}/handoff – process provider callback, either sign in or continue flow.
    • GET /oauth/{provider}/data – retrieve handoff data (email, display name, expiry).
    • POST /oauth/{provider}/finalize – finalize flow: create a new account or link to an existing one.
  • Account OAuth Connections

    • GET /account/connections – list linked connections.
    • GET /account/connections/{provider}/link – initiate link flow.
    • DELETE /account/connections/{provider} – unlink a provider.
  • Database & Services

    • Migration adds UserOAuthConnections table.
    • New OAuthConnectionService for managing external identities.
    • Extended AccountService with support for creating OAuth-only accounts (passwordless).
    • Added support for ASP.NET Core data protection key persistence.
  • Authentication & Config

    • Short-lived cookie scheme for OAuth flow state.
    • Full Discord OAuth2 integration (configurable via options).
    • Expanded AuthConstants with flow types (login-or-create, link).

⚙️ Step-by-Step Flow

  1. Frontend requests login/signup with Discord
    → Calls GET /oauth/discord/authorize

  2. Redirect to Discord
    → User consents and Discord redirects back to /oauth/discord/handoff

  3. Handoff decision

    • If the external account is already linked → user is signed in directly.
    • If not linked → frontend is redirected to oauth/discord/create (new account) or oauth/discord/link (link existing account).
  4. Frontend fetches temporary identity data
    → Calls GET /oauth/discord/data to display email/display name.

  5. Finalize flow

    • POST /oauth/discord/finalize
    • If action = create → new OAuth-only account is created and linked.
    • If action = link → external identity is attached to the logged-in account.
  6. OAuth connection persisted
    → Stored in UserOAuthConnections and accessible under /account/connections.

🚀 Impact

  • Users can now sign up or log in using Discord OAuth2.
  • Existing users can link or remove Discord accounts from their profile.
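
The handoff decision in step 3, together with the short-lived flow-state cookie listed under Authentication & Config, as an added Python sketch that is not the PR's own C# code: the HMAC-signed cookie format, the 300-second TTL, the function names and the `connections` lookup are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-in for the data-protection key; the real app persists its keys (assumption).
KEY = b"constructed-demo-key-do-not-reuse"
FLOW_LOGIN_OR_CREATE, FLOW_LINK = "login-or-create", "link"  # flow types named in AuthConstants
STATE_TTL = 300  # seconds; the flow cookie is meant to be short-lived (TTL is an assumption)

def issue_flow_state(flow, user_id=None, now=None):
    """Mint the signed flow cookie and the nonce that is sent to the provider as `state`."""
    now = time.time() if now is None else now
    payload = {"flow": flow, "uid": user_id, "nonce": secrets.token_urlsafe(16), "exp": now + STATE_TTL}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}", payload["nonce"]

def read_flow_state(cookie, returned_state, now=None):
    """Accept the cookie only if it is untampered, unexpired, and matches the echoed `state`."""
    now = time.time() if now is None else now
    body, _, tag = cookie.rpartition(".")
    good_tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, good_tag):
        return None                                   # forged or tampered cookie
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < now or not hmac.compare_digest(payload["nonce"], returned_state):
        return None                                   # expired, or `state` does not belong to this flow
    return payload

def handoff(cookie, returned_state, provider, external_id, connections, now=None):
    """Step 3 of the PR's flow. `connections` maps (provider, external_id) -> user_id."""
    state = read_flow_state(cookie, returned_state, now)
    if state is None:
        return ("reject", None)                       # callback without a valid flow: do nothing
    owner = connections.get((provider, external_id))
    if owner is not None:
        return ("sign-in", owner)                     # already linked: sign the user in directly
    if state["flow"] == FLOW_LINK:
        if state["uid"] is None:
            return ("reject", None)                   # a link must be bound to the logged-in account
        return ("redirect", f"oauth/{provider}/link")
    return ("redirect", f"oauth/{provider}/create")
```

The `uid` carried in the signed state is what ties a link flow to the session that started it, so a callback cannot attach the external identity to a different account.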

Copilot AI left a comment

Pull Request Overview

This PR introduces OAuth2 authentication and account linking functionality, starting with Discord as the first supported provider. The implementation includes comprehensive endpoints for user signup/signin via OAuth, account linking for existing users, and passwordless account creation.

Key Changes:

  • OAuth Infrastructure: Added OAuth controllers, authentication schemes, and flow management with temporary cookie-based state handling
  • Database Schema: Introduced UserOAuthConnection table and made user passwords nullable to support OAuth-only accounts
  • Account Service Extensions: Enhanced account creation to support OAuth-only (passwordless) accounts with email verification logic

Reviewed Changes

Copilot reviewed 44 out of 45 changed files in this pull request and generated 4 comments.

Summary per file:

  • Common/OpenShockDb/UserOAuthConnection.cs – New entity for storing OAuth provider connections
  • Common/OpenShockDb/User.cs – Made PasswordHash nullable for OAuth-only accounts
  • API/Services/OAuthConnection/ – Service layer for managing OAuth connections
  • API/Controller/OAuth/ – OAuth flow endpoints (authorize, handoff, finalize)
  • API/Controller/Account/Authenticated/ – OAuth connection management for authenticated users
  • Common/Utils/AuthUtils.cs – Enhanced authentication utilities with OAuth support
Files not reviewed (1)
  • Common/Migrations/20250903235304_AddOAuthSupport.Designer.cs: Language not supported
@hhvrc hhvrc merged commit 6bc3093 into develop Sep 15, 2025
9 checks passed
@hhvrc hhvrc deleted the feature/add-oauth-support branch September 15, 2025 07:40