UX: show distinct message when OAuth login is denied/cancelled (access_denied) #2956

Description

@dokterbob

Context

PR #2955 (fix for #1273) maps all OAuth provider errors — including access_denied — to a single friendly message:

"Sign in failed. Please try again, or use a different sign-in method."

This is correct for internal errors (invalid state, token failure, etc.), but slightly misleading for access_denied: that code means the user or provider explicitly denied or cancelled the authorisation. Telling them to "try again" may prompt a loop where they keep cancelling and being asked to try again.

Proposal

Add a dedicated translation key — e.g. auth.login.errors.oauthAccessDenied — and route error=access_denied redirects to that key, with wording such as:

"Sign in was cancelled or access was denied. If this was a mistake, please try again."

This keeps the generic oauthSignin message for infrastructure failures (token errors, bad state, etc.) while giving a more honest, actionable message for explicit user/provider denials.

Implementation notes

  • In server.py oauth_callback and oauth_azure_hf_callback, check if error == "access_denied" before the generic fallback.
  • Add oauthAccessDenied to all 23 locale files in backend/chainlit/translations/.
  • Update spec.cy.ts to cover the new key for the access_denied test case.
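
A sketch of the routing proposed above, added here as an illustration and not taken from the Chainlit code base or PR #2955. The function name `oauth_error_key`, the sample callback URLs and the full path assumed for the generic `oauthSignin` key are hypothetical. The provider-supplied `error` value is only compared against a fixed string and never reaches the UI:

```python
from urllib.parse import parse_qs, urlsplit

# Key proposed in this issue for explicit user/provider denials.
ACCESS_DENIED_KEY = "auth.login.errors.oauthAccessDenied"
# Assumed full path of the existing generic "oauthSignin" message.
GENERIC_KEY = "auth.login.errors.oauthSignin"


def oauth_error_key(callback_url):
    """Map an OAuth callback URL to a translation key.

    Returns None when the callback carries no `error` parameter.
    The raw `error` and `error_description` values are attacker-influenced
    query input, so they are matched against a literal and then dropped.
    """
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    values = query.get("error")
    if values is None:
        return None
    # Exactly one value, exact case-sensitive match: the dedicated message.
    if values == ["access_denied"]:
        return ACCESS_DENIED_KEY
    # Unknown, blank, duplicated or malformed codes: the generic message.
    return GENERIC_KEY


if __name__ == "__main__":
    # Constructed sample callbacks (hypothetical host and path).
    base = "https://app.example/auth/oauth/github/callback"
    samples = [
        base + "?error=access_denied&error_description=User+cancelled",
        base + "?error=server_error",
        base + "?error=%3Cscript%3Ealert(1)%3C/script%3E",
        base + "?error=access_denied&error=server_error",
        base + "?code=abc123&state=xyz",
    ]
    for url in samples:
        print(oauth_error_key(url), "<-", url)
```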
