fix: revoke OAuth 2.0 old refresh tokens when refreshing

[supalarry]

Fixes #26538

---

Summary by cubic

Adds OAuth 2.0 refresh token rotation with server-side tracking so old refresh tokens are rejected after use. Introduces a unified POST /token endpoint (form-encoded, snake_case) and keeps legacy endpoints. Addresses CAL-7035.

• Bug Fixes

  • Store a per-token secret and persist refresh token records; on reuse return invalid_grant (refresh_token_revoked).
  • Accept legacy refresh tokens (no secret) once, then issue new-format tokens; reject tokens missing both userId and teamId.
  • Rotate by user or team on refresh and avoid deleting unrelated tokens (fix undefined vs null filters).
  • Unify exchange/refresh into POST /token; accept application/x-www-form-urlencoded; flat snake_case response; keep legacy /exchange and /refresh.
  • Standardize OAuth errors (error + error_description) across API v2 and web; add e2e tests for legacy acceptance, rotation, and reuse rejection.

• Migration

  • Add OAuthRefreshToken table with indexes and FKs; run Prisma migrate.
  • No backfill needed; records are created on token issue and refresh.

^{Written for commit 48be831. Summary will update on new commits.}

---

Updates since last revision

• Fixed a bug in OAuthRefreshTokenRepository.rotateToken() where the condition userId != null failed to distinguish between undefined and null. When userId is explicitly null (client credentials token), the previous condition would skip adding userId to the where clause, causing deleteMany to match ALL tokens for the client—including tokens belonging to actual users. Changed to userId !== undefined to properly handle all cases.
• Replaced generic throw new Error(...) with typed throw new ErrorWithCode(ErrorCode.BadRequest, "invalid_grant", ...) in the else branch of refreshAccessToken() so clients get a proper OAuth error response instead of a 500 (identified by Cubic AI review).

What does this PR do?

Implements OAuth 2.0 refresh token rotation to prevent token reuse attacks. When a refresh token is used, it is invalidated and a new one is issued. Attempting to reuse an old refresh token returns invalid_grant with reason refresh_token_revoked.

• Fixes fix: invalidate old refresh tokens #26538
• Fixes CAL-7035

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - internal OAuth implementation detail.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

1. Create an OAuth client and obtain tokens via authorization code flow
2. Use the refresh token to get new tokens - should succeed
3. Try to reuse the same refresh token again - should fail with invalid_grant / refresh_token_revoked
4. E2E tests cover both API v2 (oauth2.controller.e2e-spec.ts) and web (oauth-refresh-tokens.e2e.ts)

Human Review Checklist

• Verify the undefined vs null fix in rotateToken() correctly isolates client credentials tokens (where userId is null) from user tokens
• Confirm legacy token migration path (tokens without secret field) works correctly for one-time use
• Note: logger import in OAuthService.ts may be unused after error handling refactor (lint warning, non-blocking)

---

Link to Devin run: https://app.devin.ai/sessions/78d60d454fa2432cb97575bc00747c05
Requested by: unknown ()

The base branch was changed.

[github-actions]

E2E results are ready!

• Workflow #105133.1 latest results

[keithwillcode]

Moving back to draft while we discuss

[supalarry]

Moving back to draft while we discuss

marking it as ready for review for Pedro