Feat: Add OAuth `state` parameter for CSRF protection (#7709)

### What problem does this PR solve?

Add OAuth `state` parameter for CSRF protection:
- Updated `get_authorization_url()` to accept an optional state
parameter
- Generated a unique state value during OAuth login and stored in
session
- Verified state parameter in callback to ensure request legitimacy

This PR follows OAuth 2.0 security best practices by ensuring that the
authorization request originates from the same user who initiated the
flow.

### Type of change

- [x] New Feature (non-breaking change which adds functionality)

api/apps/auth/oauth.py

         self.http_request_timeout = 7
 
 
-    def get_authorization_url(self):
+    def get_authorization_url(self, state=None):
         """
         Generate the authorization URL for user login.
         """
         }
         if self.scope:
             params["scope"] = self.scope
+        if state:
+            params["state"] = state
         authorization_url = f"{self.authorization_url}?{urllib.parse.urlencode(params)}"
         return authorization_url
 

api/apps/user_app.py

         raise ValueError(f"Invalid channel name: {channel}")
     auth_cli = get_auth_client(channel_config)
 
-    auth_url = auth_cli.get_authorization_url()
+    state = get_uuid()
+    session["oauth_state"] = state
+    auth_url = auth_cli.get_authorization_url(state)
     return redirect(auth_url)
 
 
             raise ValueError(f"Invalid channel name: {channel}")
         auth_cli = get_auth_client(channel_config)
 
+        # Check the state
+        state = request.args.get("state")
+        if not state or state != session.get("oauth_state"):
+            return redirect("/?error=invalid_state")
+        session.pop("oauth_state", None)
+
         # Obtain the authorization code
         code = request.args.get("code")
         if not code: