
fix: guard admin sso pkce verifier loss#59

Merged: danny-avila merged 1 commit into main from danny-avila/fix-admin-pkce-session-state on May 20, 2026

Conversation

@danny-avila
Contributor

Summary

I added an admin SSO guard for the PKCE verifier-loss failure reported in danny-avila/LibreChat#13205 and documented the HTTP cookie setting that causes it.

  • Preserve LibreChat one-time exchange codes by refusing to call /api/admin/oauth/exchange when the admin panel callback no longer has the stored PKCE verifier.
  • Return a targeted session-state message that points HTTP deployments to SESSION_COOKIE_SECURE=false instead of surfacing a generic expired-code error.
  • Add server-function coverage proving the callback exchanges codes with code_verifier when present and skips the LibreChat exchange when the verifier is missing.
  • Document SESSION_COOKIE_SECURE in the admin panel README and .env.example, including the paired LibreChat setting for plain-HTTP deployments.

Related report: danny-avila/LibreChat#13205

Change Type

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

Testing

  • Ran bun run test src/server/auth.oauth.test.ts src/server/utils/oauth.test.ts.
  • Ran bun run lint.
  • Ran bun run build.
  • Ran git diff --check.

Test Configuration:

  • Bun 1.3.13
  • Vitest 3.2.4
  • Vite 8.0.3

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have made pertinent documentation changes
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes
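As an added example (not the admin panel's own code), the failure and the guard described in the summary, simulated in TypeScript: a Secure session cookie holding the PKCE verifier is not sent by the browser on a plain-HTTP callback, so the handler refuses to spend the one-time code and returns the targeted message instead of a generic expired-code error. The cookie name, function names and message text are assumptions.

```typescript
import { randomBytes, createHash } from "node:crypto";

// A cookie as the server would set it; only the Secure attribute matters here.
interface CookieSpec { name: string; value: string; secure: boolean }

// Minimal browser cookie jar: a Secure cookie is never sent back over plain http.
export function cookiesSentBack(set: CookieSpec[], callbackUrl: string): Record<string, string> {
  const isHttps = new URL(callbackUrl).protocol === "https:";
  const sent: Record<string, string> = {};
  for (const c of set) if (isHttps || !c.secure) sent[c.name] = c.value;
  return sent;
}

// Start of the flow: mint a PKCE verifier, derive the S256 challenge, and persist the
// verifier in the session cookie whose Secure flag follows SESSION_COOKIE_SECURE.
export function beginAuth(sessionCookieSecure: boolean): { cookie: CookieSpec; challenge: string } {
  const verifier = randomBytes(32).toString("base64url");
  const challenge = createHash("sha256").update(verifier).digest("base64url");
  return { cookie: { name: "admin_session", value: verifier, secure: sessionCookieSecure }, challenge };
}

export type Exchange = (code: string, codeVerifier: string) => void;
export interface CallbackResult { ok: boolean; message: string }

// Callback handler with the guard: if the stored verifier is gone, do NOT spend the
// one-time code on an exchange that can only fail; return a targeted message instead.
export function handleCallback(cookies: Record<string, string>, code: string, exchange: Exchange): CallbackResult {
  const verifier = cookies["admin_session"];
  if (!verifier) {
    return {
      ok: false,
      message: "Admin session state was lost before the callback; the one-time code was not exchanged. " +
        "On plain-HTTP deployments set SESSION_COOKIE_SECURE=false (and the paired LibreChat setting).",
    };
  }
  exchange(code, verifier); // code_verifier is present, so the exchange may proceed
  return { ok: true, message: "signed in" };
}

// Drive the whole round trip for a given cookie setting and callback URL, counting
// how many times the (stubbed) exchange endpoint was actually called.
export function simulate(sessionCookieSecure: boolean, callbackUrl: string): CallbackResult & { exchangeCalls: number } {
  const { cookie } = beginAuth(sessionCookieSecure);
  let exchangeCalls = 0;
  const exchange: Exchange = () => { exchangeCalls++; };
  const sent = cookiesSentBack([cookie], callbackUrl);
  const result = handleCallback(sent, "constructed-one-time-code", exchange);
  return { ...result, exchangeCalls };
}
```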

@danny-avila
Contributor Author

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Chef's kiss.


@danny-avila danny-avila marked this pull request as ready for review May 20, 2026 00:50
@danny-avila danny-avila requested a review from dustinhealy May 20, 2026 12:11