fix: state-replay race, share session options, idealo cheerio type

src/app/api/auth/callback/route.ts

@@ -14,8 +14,14 @@ export async function GET(req: NextRequest) {
     return NextResponse.json({ error: 'state mismatch' }, { status: 400 })
   }
 
+  // Consume the pending login atomically before doing the token exchange
+  // to prevent state replay on concurrent callbacks.
+  const { codeVerifier } = pending
+  delete session.loginInProgress
+  await session.save()
+
   const redirectUri = `${process.env.NEXT_PUBLIC_BASE_URL}/api/auth/callback`
-  const tokens = await exchangeCode({ code, codeVerifier: pending.codeVerifier, redirectUri })
+  const tokens = await exchangeCode({ code, codeVerifier, redirectUri })
   const claims = await verifyIdToken(tokens.id_token)
 
   if (!isAllowedUser(claims.sub)) {
@@ -26,7 +32,6 @@ export async function GET(req: NextRequest) {
   session.userId = claims.sub
   session.email = claims.email
   session.name = claims.name
-  delete session.loginInProgress
   await session.save()
 
   return NextResponse.redirect(new URL('/', req.url))