Fix parseHash state validation bypass#2788

Open
parasol-aser wants to merge 1 commit into auth0:master from parasol-aser:fix-parse-hash-state-bypass
Conversation

@parasol-aser

Summary

Fixes #2786.

This removes Lock's forwarding of the private __enableIdPInitiatedLogin auth0-js parseHash option. The private _enableIdPInitiatedLogin and _enableImpersonation constructor options no longer cause callback parsing to bypass OAuth state validation, so unsolicited token fragments without a matching transaction fail closed through auth0-js.

Also updates the public TypeScript declarations so those private state-validation bypass switches are no longer advertised as supported constructor options.

Issue follow-up check

Before opening this PR, I rechecked #2786 through both the GitHub issue page and API. The issue is still open, was last updated at 2026-04-23T05:16:31Z, and the API reports comments: 0 with an empty comments response, so there are no follow-up maintainer notes or scope changes to reflect beyond the original issue body.

Changes

  • Stop storing _enableIdPInitiatedLogin / _enableImpersonation as a parseHash bypass flag in Auth0APIClient.
  • Omit __enableIdPInitiatedLogin from every client.parseHash() call while preserving hash, nonce, and state forwarding.
  • Replace the previous parseHash snapshots that expected the bypass flag with explicit negative regression assertions.
  • Cover private option, root bypass option, params bypass option, unsolicited token hash, OAuth error hash, empty hash, and configured nonce/state cases.
  • Remove _enableImpersonation and _enableIdPInitiatedLogin from Auth0LockConstructorOptions and add TypeScript smoke-test expectations that they are rejected.

Test plan

  • npm test -- --runInBand src/__tests__/core/web_api/p2_api.test.js
  • npx eslint src/core/web_api/p2_api.js src/__tests__/core/web_api/p2_api.test.js
  • git diff --check
  • rg -n "__enableIdPInitiatedLogin|_enableIdPInitiatedLogin|_enableImpersonation" src types test support

@parasol-aser parasol-aser requested a review from a team as a code owner April 23, 2026 14:18
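The fail-closed behaviour the PR description asks for, as an added illustration that is not auth0-js or Lock code: a minimal implicit-flow callback parser in which the only way to accept tokens from a URL fragment is through a transaction the client itself started, keyed by `state`. There is deliberately no bypass switch in the signature, which is the shape the PR leaves `parseHash` callers in. The names `createTransactionStore`, `parseFragment` and `parseCallbackHash`, and the sample fragments, are assumptions made here for the example.

```javascript
// Added illustration (not auth0-js or Lock code): a callback-hash parser that
// fails closed when the fragment's `state` has no matching stored transaction.

// Transaction store keyed by `state`, filled when a login redirect is started.
// A transaction is consumed on first use so a captured fragment cannot be replayed.
function createTransactionStore() {
  const byState = new Map();
  return {
    start(state, meta = {}) {
      byState.set(state, { ...meta, createdAt: Date.now() });
    },
    take(state) {
      const tx = byState.get(state);
      if (tx) byState.delete(state);
      return tx || null;
    },
    size() {
      return byState.size;
    },
  };
}

// Parse "#access_token=...&state=..." (leading '#' optional) into a plain object.
function parseFragment(hash) {
  const raw = (hash || '').replace(/^#/, '');
  const out = {};
  if (!raw) return out;
  for (const pair of raw.split('&')) {
    const [k, v = ''] = pair.split('=');
    if (k) out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Returns { ok: true, tokens } only when the fragment's `state` matches a live
// transaction; every other case is an explicit failure. The function has no
// "skip state validation" option at all, so an unsolicited fragment (login CSRF,
// session swapping) can never be turned into a session.
function parseCallbackHash(hash, transactions) {
  const params = parseFragment(hash);
  if (Object.keys(params).length === 0) {
    return { ok: false, error: 'empty_hash' };
  }
  if (params.error) {
    // Authorization-server error responses are reported, never treated as tokens.
    return { ok: false, error: params.error, description: params.error_description || '' };
  }
  const tx = params.state ? transactions.take(params.state) : null;
  if (!tx) {
    // Unsolicited or replayed fragment: fail closed, as the PR requires.
    return { ok: false, error: 'invalid_token', description: '`state` does not match.' };
  }
  return {
    ok: true,
    tokens: {
      accessToken: params.access_token || null,
      idToken: params.id_token || null,
      tokenType: params.token_type || null,
      expiresIn: params.expires_in ? Number(params.expires_in) : null,
    },
  };
}
```

The regression cases the PR lists (unsolicited token hash, OAuth error hash, empty hash, configured state) map directly onto calls to `parseCallbackHash`: a fragment whose `state` was never started, or was already consumed, returns `invalid_token` rather than tokens. Nonce checking is omitted here because in OIDC the nonce lives inside the ID token and would require decoding it.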
Development

Successfully merging this pull request may close these issues.

[Security] High: Private options can disable OAuth state validation and enable login CSRF / session swapping