
fix(auth): handle interrupted oauth flows gracefully without triggeri…#2275

Open
MoonLawlier wants to merge 1 commit into Priyanshu-byte-coder:main from MoonLawlier:fix/auth-rate-limiting


Conversation

@MoonLawlier


Summary

Fixes the interrupted GitHub OAuth retry flow by preventing cancelled sign-in starts from tripping the auth rate limiter, and redirects real auth throttles back to the sign-in UI instead of showing raw JSON. Also hardens Supabase env validation so malformed local URLs no longer crash the app at startup.

Closes #2267


Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)

What Changed

  • Updated src/lib/auth-rate-limit.ts so OAuth initiation routes like /api/auth/signin/github are no longer rate-limited, while callback/code-exchange routes remain protected.
  • Updated src/middleware.ts to redirect auth rate-limit failures to /auth/signin?error=RateLimit instead of returning raw JSON.
  • Updated src/app/auth/signin/page.tsx to show a user-friendly RateLimit toast/message.
  • Added src/lib/supabase-env.ts and updated Supabase clients to avoid crashing when Supabase URL env vars are malformed.
  • Updated test/auth-rate-limit.test.ts and test/supabase-guard.test.ts with regression coverage.

How to Test

  1. Run npx vitest run test/auth-rate-limit.test.ts test/supabase-guard.test.ts.
  2. Run npm run type-check.
  3. Run npm run lint.
  4. Start the app and retry GitHub sign-in after interrupting the OAuth flow with the browser Back button.

Expected result:

The interrupted OAuth flow can be retried without hitting a hard block. If auth rate limiting is triggered, the user is redirected back to the sign-in page with a friendly message instead of raw JSON. The app should also start without crashing when Supabase env URLs are malformed.


Screenshots / Recordings

Before / After: screenshots ("Screenshot from 2026-06-10 14-11-57" and "image") not reproduced.


Checklist

  • Linked the related issue above
  • Self-reviewed my own diff
  • No unnecessary console.log, debug code, or commented-out blocks
  • npm run lint passes locally
  • No TypeScript errors (npm run type-check)
  • Added or updated tests where applicable
  • Updated documentation / comments if behavior changed

Accessibility (UI changes only)

  • Keyboard navigation works correctly
  • Color contrast meets WCAG AA standard
  • ARIA labels / roles added where needed
  • Tested on mobile / responsive layout

Additional Context

package-lock.json was already modified before these changes and was not touched as part of this fix.
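The three behaviours the description lists (exempting OAuth initiation from the auth rate limiter while callback/code-exchange routes stay limited, answering a throttled auth request with a redirect to /auth/signin?error=RateLimit rather than raw JSON, and validating Supabase URL env vars without throwing at startup) as one added illustration. This is not code from the PR or from the project; only the route paths and the RateLimit error code come from the PR text. The fail-closed default for other /api/auth/ routes, the plain-object response shape, and the NEXT_PUBLIC_SUPABASE_* variable names are assumptions made for the example.

```typescript
// Added illustration, not code from the PR or the project. Route paths and the
// RateLimit error code are taken from the PR description; every other name,
// and the fail-closed default, is an assumption for this example.

// OAuth initiation routes: exempt from the limiter. Exact match only, so a
// lookalike such as /api/auth/signin/github/extra stays in the limited branch.
const OAUTH_INITIATION_ROUTES: ReadonlySet<string> = new Set([
  "/api/auth/signin/github",
]);

// Callback / code-exchange routes: always limited. Guessing or replaying an
// authorization code happens here, so these keep the limiter.
const PROTECTED_AUTH_PREFIXES: readonly string[] = ["/api/auth/callback/"];

// Decide whether the auth limiter applies. Protected prefixes are checked
// before the allowlist so the two can never overlap; anything else under
// /api/auth/ stays limited by default (assumed fail-closed choice).
function isAuthRateLimited(pathname: string): boolean {
  const p = pathname.replace(/\/+$/, "") || "/"; // ignore trailing slashes
  if (PROTECTED_AUTH_PREFIXES.some((prefix) => p.startsWith(prefix))) return true;
  if (OAUTH_INITIATION_ROUTES.has(p)) return false;
  return p.startsWith("/api/auth/");
}

type ThrottleResponse =
  | { kind: "redirect"; status: 303; location: string }
  | { kind: "json"; status: 429; body: { error: string } };

// Middleware throttle reply modelled as a plain object (in Next.js middleware
// this would be turned into a NextResponse). `appOrigin` should be the
// configured canonical origin, not the request's Host header, so a spoofed
// host cannot steer the redirect. The error value is a fixed code that the
// sign-in page maps to a message; no free text reaches the page.
function throttleResponse(pathname: string, appOrigin: string): ThrottleResponse {
  if (pathname.startsWith("/api/auth/")) {
    const target = new URL("/auth/signin", appOrigin);
    target.searchParams.set("error", "RateLimit");
    return { kind: "redirect", status: 303, location: target.toString() };
  }
  return { kind: "json", status: 429, body: { error: "Too many requests" } };
}

type SupabaseEnvResult =
  | { ok: true; url: URL; anonKey: string }
  | { ok: false; reason: string };

// WHATWG URL parsing never crashes the caller: malformed input becomes null.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Non-throwing env validation. Variable names follow the usual Supabase
// convention but are an assumption here. A scheme-less local value such as
// "localhost:54321" is not a parse error (it parses with scheme "localhost:"),
// so the scheme check, not the parser, is what rejects it.
function readSupabaseEnv(env: Record<string, string | undefined>): SupabaseEnvResult {
  const raw = env.NEXT_PUBLIC_SUPABASE_URL?.trim();
  const anonKey = env.NEXT_PUBLIC_SUPABASE_ANON_KEY?.trim();
  if (!raw) return { ok: false, reason: "NEXT_PUBLIC_SUPABASE_URL is not set" };
  if (!anonKey) return { ok: false, reason: "NEXT_PUBLIC_SUPABASE_ANON_KEY is not set" };
  const url = parseUrl(raw);
  if (url === null) {
    return { ok: false, reason: `NEXT_PUBLIC_SUPABASE_URL is not a URL: ${JSON.stringify(raw)}` };
  }
  const isLocal = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  if (url.protocol !== "https:" && !(url.protocol === "http:" && isLocal)) {
    return { ok: false, reason: `unsupported scheme ${url.protocol} (https required off localhost)` };
  }
  return { ok: true, url, anonKey };
}

// Constructed inputs for a stand-alone run.
console.log(isAuthRateLimited("/api/auth/signin/github"), isAuthRateLimited("/api/auth/callback/github"));
console.log(throttleResponse("/api/auth/callback/github", "https://app.example"));
console.log(readSupabaseEnv({ NEXT_PUBLIC_SUPABASE_URL: "localhost:54321", NEXT_PUBLIC_SUPABASE_ANON_KEY: "anon" }));
```

The reasoning behind exempting only the initiation route: a cancelled sign-in start consumes no secret (it merely redirects to GitHub), so counting it against the limiter is what produces the hard block the issue describes, whereas the code exchange is the step an attacker would retry and must stay throttled. Keeping the allowlist exact-match and the default limited means a new auth route added later is protected until someone deliberately exempts it.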

@vercel

vercel Bot commented Jun 10, 2026


Someone is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:testing GSSoC type bonus: tests (+10 pts) type:performance GSSoC type bonus: performance (+15 pts) gssoc26 GSSoC 2026 contribution type:security GSSoC type bonus: security (+20 pts) labels Jun 10, 2026
@github-actions


GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@Priyanshu-byte-coder Priyanshu-byte-coder added gssoc:approved GSSoC: PR approved for scoring level2 GSSoC Level 2 - Medium complexity (25 points) labels Jun 10, 2026
@Priyanshu-byte-coder

Owner

This PR now has merge conflicts (likely from recent merges to main affecting package-lock.json). The code changes look good — please rebase on latest main, resolve the conflicts, and this can be merged.


Labels

gssoc:approved GSSoC: PR approved for scoring gssoc26 GSSoC 2026 contribution level2 GSSoC Level 2 - Medium complexity (25 points) type:bug GSSoC type bonus: bug fix type:feature GSSoC type bonus: new feature type:performance GSSoC type bonus: performance (+15 pts) type:security GSSoC type bonus: security (+20 pts) type:testing GSSoC type bonus: tests (+10 pts)


Development

Successfully merging this pull request may close these issues.

[BUG] : "Too many authentication attempts" error when interrupting OAuth flow
