fix(auth): redirect OAuth login failures to login page instead of raw JSON (#1273)

[dokterbob]

Summary

• All user-facing OAuth callback failures (oauth_callback and oauth_azure_hf_callback) now redirect to /login?error=oauthSignin instead of returning raw JSON or a bare 500 — fixes the screenshot in UX bug: raw JSON on OAuth errors / Exception handling in auth #1273
• Missing code/state and invalid state cookie were HTTPException (400/401), now redirect; developer-config errors (missing oauth_callback, unknown provider) remain HTTPException
• Frontend i18n lookup tries the raw error key before lowercasing, so camelCase keys like oauthSignin now resolve to their specific message ("Try signing in with a different account") instead of always falling back to the generic default

Test plan

• 8 new backend unit tests (backend/tests/test_server.py) — all failure paths for both callback handlers
• New Cypress E2E spec (cypress/e2e/oauth_auth/) — provider error redirect, invalid-state redirect, friendly message render at /login?error=oauthSignin
• All existing tests green (uv run pytest tests/test_server.py — 61 passed)
• Lint, format, type-check clean (pre-commit hooks passed on commit)

Closes #1273

🤖 Generated with Claude Code

---

Summary by cubic

Redirects all OAuth login failures to the login page with a clear, localized message and correct redirect codes. Fixes #1273.

• Bug Fixes
  • Both oauth_callback (GET) and oauth_azure_hf_callback (POST) now redirect to /login?error=oauthSignin on user-facing failures; GET returns 302, POST returns 303 to avoid re-POST.
  • Provider errors, missing/invalid code/state, token/user-info exceptions, and a None user are all mapped to oauthSignin; raw provider codes are logged, asyncio.CancelledError is re-raised, and state-validation logs at warning with exc_info=True.
  • Updated locales so oauthSignin shows “Sign in failed. Please try again, or use a different sign-in method.”; login i18n checks the raw key before lowercasing; Alert uses role="alert" for errors and role="status" otherwise; tests now assert exact 302/303 codes and error=oauthSignin in redirect locations.

^{Written for commit 1083c04. Summary will update on new commits.}

[Copilot]

Pull request overview

This PR improves OAuth failure UX by redirecting OAuth callback errors to the login page (instead of returning raw JSON/500s), and updates the login error i18n lookup to correctly resolve camelCase error keys like oauthSignin. It also adds backend unit tests and a Cypress spec to cover key redirect/error-display paths.

Changes:

• Backend: Redirect more OAuth callback failure paths to /login?error=oauthSignin instead of raising HTTPException (JSON) or returning 500s.
• Frontend: i18n lookup now tries the exact error key before attempting a lowercased fallback.
• Tests: Adds backend unit tests and a Cypress E2E spec for OAuth error redirects and friendly messaging.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
backend/chainlit/server.py	Redirects additional OAuth failure paths to the login page instead of JSON/500 responses.
backend/tests/test_server.py	Adds regression tests for OAuth callback redirect behavior (including Azure hybrid flow).
frontend/src/components/LoginForm.tsx	Improves translation-key resolution for OAuth error query params (camelCase keys).
cypress/e2e/oauth_auth/spec.cy.ts	Adds E2E coverage for redirect-on-error and user-friendly login error message rendering.
cypress/e2e/oauth_auth/main.py	Provides a Chainlit app entrypoint configuring OAuth env vars for the new Cypress spec.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 9 comments.

[dokterbob]

The Windows e2e shards are red ("Cypress binary is missing" on windows-latest-5, fail-fast cancellation on the other four), but this is pre-existing, repo-wide infrastructure — not introduced by this PR. The identical failure signature appears on the unrelated feat/compact-cot-display branch (run 27305937906, 2026-06-10). Ubuntu shards are green, confirming the OAuth spec itself is correct.

Root cause and proposed fixes are tracked in #2957. This PR can be reviewed and merged independently of that infra issue.

[postoso]

Nice, this is a solid fix for #1273. OAuth failures redirect back to /login instead of dumping raw JSON now, and resolving the camelCase oauthSignin key via the lookup change is clean.

One thing though: I don't think it fully closes #2956. access_denied currently maps to oauthSignin along with the other failures, so someone who cancels still gets "Sign in failed. Please try again," which is the exact case #2956 wanted to special-case (telling a user who deliberately backed out to "try again" can loop them). All the redirect work here could stay as-is, just route access_denied to its own key.

Happy to put up a small follow-up for that on top of this if you'd want it.