feat(auth): PKCE client refinements + backend refresh token support

- oauth.ts: provider param, TokenResponse typing, exchangeCode returns full response
- LoginPage: fully async handleOAuth with buildAuthUrl
- CallbackPage: dual-mode PKCE (code) + legacy (token), refresh token forwarding
- LoginButton: provider prop support
- auth.routes: POST /auth/session accepts refreshToken, sets od_refresh cookie

frontend/src/pages/CallbackPage.tsx

@@ -37,8 +37,19 @@ export default function CallbackPage() {
       const redirectUri = `${window.location.origin}/callback`;
 
       exchangeCode(code, verifier, redirectUri)
-        .then(() => {
-          navigate('/app', { replace: true });
+        .then((tokens) => {
+          // Pass tokens to backend to set httpOnly cookies + sync user
+          return apiFetch<SessionResponse>('/auth/session', {
+            method: 'POST',
+            body: JSON.stringify({
+              token: tokens.access_token,
+              refreshToken: tokens.refresh_token,
+            }),
+          });
+        })
+        .then((res) => {
+          setUser(res.data.user);
+          navigate('/', { replace: true });
         })
         .catch(() => setError("Échec de l'échange de code OAuth. Réessaie."));
       return;