refactor(auth): remove redirect_uri parameter from OAuth flow

Simplify OAuth login and account linking by removing the redirect_uri
parameter from initiateLogin and initiateLink functions. The backend
now handles callback URL construction internally.

src/lib/api.ts

@@ -902,9 +902,8 @@ export const api = {
       request<LinkedAccountsResponse>('/auth/external/linked-accounts'),
 
     // Initiate OAuth login flow — returns authorization_url to redirect the browser to
-    initiateLogin: (provider: string, options?: { redirect_uri?: string; organization_id?: string; flow?: string; oidc_session_id?: string }) => {
+    initiateLogin: (provider: string, options?: { organization_id?: string; flow?: string; oidc_session_id?: string }) => {
       const params = new URLSearchParams({ flow: options?.flow ?? 'login' });
-      if (options?.redirect_uri) params.set('redirect_uri', options.redirect_uri);
       if (options?.organization_id) params.set('organization_id', options.organization_id);
       if (options?.oidc_session_id) params.set('oidc_session_id', options.oidc_session_id);
       return request<OAuthAuthorizeResponse>(`/auth/external/${provider}/authorize?${params.toString()}`, {
@@ -914,10 +913,9 @@ export const api = {
     },
 
     // Initiate account linking flow (requires auth)
-    initiateLink: (provider: string, redirect_uri?: string) =>
+    initiateLink: (provider: string) =>
       request<OAuthAuthorizeResponse>(`/auth/external/${provider}/link`, {
         method: 'POST',
-        body: JSON.stringify({ redirect_uri }),
         credentials: 'include',
       }),
 

src/pages/auth/LoginPage.tsx

@@ -512,14 +512,9 @@ export default function LoginPage() {
     setIsLoading(true);
 
     try {
-      // The redirect_uri Google will call is the *backend* callback.
-      // The backend then redirects to the frontend /oauth/callback with the token.
-      const backendCallbackUri = `${import.meta.env.VITE_API_BASE_URL ?? 'http://localhost:5000/api/v1'}/auth/external/${provider}/callback`;
-
       // Ask backend for the Google authorization URL
       // If we're in an OIDC bridge flow, pass oidc_session_id so it survives the round-trip
       const response = await api.externalAuth.initiateLogin(provider, {
-        redirect_uri: backendCallbackUri,
         flow: 'login',
         ...(oidcSessionId ? { oidc_session_id: oidcSessionId } : {}),
       });

src/pages/user/LinkedAccountsPage.tsx

@@ -88,11 +88,7 @@ export default function LinkedAccountsPage() {
     setIsLinking(provider);
 
     try {
-      // The backend link flow also redirects to the backend callback, which
+      const response = await api.externalAuth.initiateLink(provider);
-      // then redirects to the frontend /oauth/callback with flow=link.
-      const backendCallbackUri = `${import.meta.env.VITE_API_BASE_URL ?? 'http://localhost:5000/api/v1'}/auth/external/${provider}/callback`;
-
-      const response = await api.externalAuth.initiateLink(provider, backendCallbackUri);
 
       // Redirect to authorization
       window.location.href = response.authorization_url;