fix(GRO-545): switch OAuth state to cookie storage and add login error display

The OAuth callback was failing with "please_restart_the_process" because
Better-Auth's default DB-backed state (verification table) was unreliable —
the UAT hourly reset wipes all tables including verification records. Switch
to cookie-based state storage so the encrypted state survives in the browser
cookie across the redirect flow.

Also removes explicit redirectURI from socialProviders (Better-Auth derives
it from baseURL) and adds visible error feedback on the login page when
OAuth callbacks fail.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/lib/auth.ts

@@ -170,8 +170,6 @@ export async function initAuth(): Promise<void> {
     const hasGoogle = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
     const hasGitHub = !!(process.env.GITHUB_CLIENT_ID && process.env.GITHUB_CLIENT_SECRET);
 
-    const callbackBase = `${BETTER_AUTH_URL}/api/auth/callback`;
-
     // Build Better-Auth instance using resolved config
     authInstance = betterAuth({
       database: drizzleAdapter(db, {
@@ -179,6 +177,9 @@ export async function initAuth(): Promise<void> {
       }),
       secret: BETTER_AUTH_SECRET,
       baseURL: BETTER_AUTH_URL,
+      account: {
+        storeStateStrategy: "cookie" as const,
+      },
       plugins: [
         genericOAuth({
           config: [
@@ -205,14 +206,12 @@ export async function initAuth(): Promise<void> {
           google: {
             clientId: process.env.GOOGLE_CLIENT_ID!,
             clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/google`,
           },
         } : {}),
         ...(hasGitHub ? {
           github: {
             clientId: process.env.GITHUB_CLIENT_ID!,
             clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-            redirectURI: `${callbackBase}/github`,
           },
         } : {}),
       },