
fix: validate required fields in OAuth state parser #125

Merged
asdek merged 1 commit into vxcontrol:feature/project_improvements from mason5052:fix/oauth-state-field-validation
Feb 23, 2026

@mason5052
Contributor

Description of the Change

Problem

The parseState() function in auth.go accesses stateData["exp"] and stateData["provider"] without first checking whether these keys exist in the map. While Go map access on missing keys returns the zero value (empty string) rather than panicking, this produces misleading error messages:

  • Missing exp: strconv.ParseInt("") fails with "invalid syntax" instead of clearly indicating the field is absent
  • Missing provider: empty string is used as a provider key, resulting in a confusing "provider not initialized" error in authLoginCallback()

If the HMAC signing key were ever compromised or a signing bug introduced, crafted state payloads with missing fields would produce confusing errors that complicate incident response.

Solution

Add explicit existence checks for required fields (exp and provider) immediately after JSON unmarshalling in parseState(). Each missing field now returns a clear, specific error message (e.g., "missing required field: exp") with proper logging.

This is a defense-in-depth measure that ensures:

  1. Clear error messages for each specific missing field
  2. Early validation before downstream usage
  3. Consistent error handling pattern with the rest of the function

Ref: #101 (item 8)

Type of Change

  • 🛡️ Security update

Areas Affected

  • Core Services (Frontend UI/Backend API)

Testing and Verification

Test Steps

  1. Build the backend: cd backend && go build ./...
  2. Run existing tests: go test ./pkg/server/services/...
  3. Verify that valid OAuth flows still work normally
  4. Verify that crafted states with missing exp or provider fields return clear error messages

Security Considerations

This change hardens the OAuth state parser against malformed state data. While the state is HMAC-signed (preventing tampering under normal conditions), this defense-in-depth validation ensures clear error handling even if the signing mechanism is bypassed.

Checklist

Code Quality

  • My code follows the project's coding standards
  • All new and existing tests pass
  • I have run go fmt and go vet (for Go code)

Security

  • I have considered security implications
  • Changes maintain or improve the security model

Compatibility

  • Changes are backward compatible

Add explicit existence checks for 'exp' and 'provider' fields in
parseState() before accessing them. Previously, missing fields would
produce misleading error messages (e.g., strconv.ParseInt on empty
string gives "invalid syntax" rather than indicating the field is
missing). An empty provider string causes a confusing "not initialized"
error downstream in authLoginCallback().

This provides defense-in-depth validation with clear error messages
for each missing required field.

Ref: vxcontrol#101 (item 8)

Signed-off-by: mason5052 <ehehwnwjs5052@gmail.com>
Copilot AI review requested due to automatic review settings February 22, 2026 22:41

Copilot AI left a comment


Pull request overview

Hardens the OAuth state parsing logic in AuthService.parseState() by validating required fields up-front, improving error clarity and reducing confusing downstream failures during OAuth callbacks (defense-in-depth per issue #101 item 8).

Changes:

  • Add explicit presence/emptiness validation for the exp field before parsing it as an integer.
  • Add explicit presence validation for the provider field before it’s used by the OAuth callback handler.
Comments suppressed due to low confidence (1)

backend/pkg/server/services/auth.go:649

  • provider is only checked for key presence, not for an empty value. A crafted/buggy state payload with {"provider":""} will still pass validation and later hit authLoginCallback() with an empty provider, producing the same confusing "provider not initialized" error this PR aims to avoid. Consider validating provider similarly to exp (check existence and non-empty).
	if _, ok := stateData["provider"]; !ok {
		err := fmt.Errorf("missing required field: provider")
		logger.FromContext(c).WithError(err).Errorf("error on validating state data")
		response.Error(c, response.ErrAuthInvalidAuthorizationState, err)
		return nil, err
	}
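
The validation discussed in the description and in the suppressed review comment, as an added example that is not code from this PR or from the project. validateState is a hypothetical helper; it assumes the state has already passed signature verification, decodes into a map[string]string, and carries exp as Unix seconds. It rejects both absent and empty exp and provider values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// validateState is a hypothetical helper, not the project's parseState().
// Input is assumed to be state JSON whose signature was already verified.
func validateState(raw []byte, now time.Time) (string, error) {
	var stateData map[string]string
	if err := json.Unmarshal(raw, &stateData); err != nil {
		return "", fmt.Errorf("invalid state JSON: %w", err)
	}
	// Comma-ok separates an absent key from a present-but-empty value.
	for _, field := range []string{"exp", "provider"} {
		v, ok := stateData[field]
		if !ok {
			return "", fmt.Errorf("missing required field: %s", field)
		}
		if v == "" {
			return "", fmt.Errorf("empty required field: %s", field)
		}
	}
	exp, err := strconv.ParseInt(stateData["exp"], 10, 64)
	if err != nil {
		return "", fmt.Errorf("invalid exp: %w", err)
	}
	if now.Unix() > exp { // assumption: exp holds Unix seconds
		return "", errors.New("state expired")
	}
	return stateData["provider"], nil
}

func main() {
	samples := []string{ // constructed payloads
		`{"exp":"1700000600","provider":"google"}`,
		`{"provider":"google"}`,
		`{"exp":"1700000600"}`,
		`{"exp":"1700000600","provider":""}`,
	}
	for _, s := range samples {
		p, err := validateState([]byte(s), time.Unix(1700000000, 0))
		fmt.Printf("%-42s provider=%q err=%v\n", s, p, err)
	}
}
```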


@asdek asdek changed the base branch from master to feature/project_improvements February 23, 2026 21:10
@asdek asdek merged commit 707007b into vxcontrol:feature/project_improvements Feb 23, 2026
3 of 4 checks passed
@asdek
Contributor

asdek commented Feb 23, 2026

LGTM

Thank you for the contribution!
