fix: trim userinfo to mapped fields before storing in session cookie

[healqq]

Summary

• OIDC providers like Keycloak include roles, groups, and other claims in the userinfo response regardless of requested scopes. The full response is stored in the session cookie via gorilla/securecookie, which has a 4096-byte hard limit. This causes securecookie: the value is too long errors for any provider with a non-trivial number of claims.
• This PR derives the needed top-level keys from --header-mapping and --oidc-user-id-field, then filters the userinfo map before saving it to the session. When no mapping is configured, the full response is preserved (backwards-compatible).

Changes

• pkg/auth/auth.go — NewAuthRouter accepts userInfoFields []string; filterUserInfo() strips unneeded keys before session storage
• pkg/mcp-proxy/main.go — userInfoFieldsFromConfig() extracts top-level keys from JSON pointer config flags
• Tests for filtering logic, config extraction, and full OAuth flow integration

Test plan

• go test ./... passes
• Unit tests for filterUserInfo (specified keys, missing keys, empty/nil input)
• Unit tests for userInfoFieldsFromConfig (JSON pointers, nested paths, dedup, empty config)
• Integration test: mock provider returns bloated userinfo → session only contains filtered fields
• Integration test: nil filter preserves full userinfo (backwards compat)

🤖 Generated with Claude Code

[healqq]

@hrntknr hello!
Will you have time to have a look at this one? It's currently a blocker for my use-case, and I can't easily work around it.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[hrntknr]

Thank you, this approach seems very appropriate.