@Jabejixo
Contributor

Overview

This PR prevents internal server error details from being exposed to end users in HTTP responses. It replaces detailed error messages with safe, generic messages while preserving full error logging for administrators.

What this PR does / why we need it

Addresses a security vulnerability where internal server errors could leak sensitive information to end users through HTTP error responses, including:

  • Database connection details and error messages
  • Stack traces revealing internal code structure
  • Implementation-specific error messages
  • Sensitive system information

Key changes:

  • server/errors.go: Centralized safe error messages for user-facing responses
  • server/handlers.go: Replace err.Error() calls with generic messages in HTTP responses
  • server/deviceflowhandlers.go: Remove XSS vulnerabilities and unsafe error exposure
  • server/introspectionhandler.go: Fix JSON marshaling error leakage
  • server/oauth2.go: Hide sensitive client_id and redirect_uri from displayed errors
  • server/errors_test.go: Comprehensive tests to prevent future regressions

Security impact:

  • Before: Users could see detailed errors like "illegal base64 data at input byte 0", stack traces, database errors
  • After: Users see generic messages like "Login error. Please contact your administrator or try again later."
  • Logging: All error details are preserved in server logs for debugging

Special notes for your reviewer

  • All OAuth2/OIDC protocol flows remain unchanged - only error message content is modified
  • Comprehensive test coverage added to prevent regressions
  • No breaking changes for client applications
  • Error logging is enhanced, not reduced

Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
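As an added illustration of the pattern the description outlines (not code from this PR or from dex itself), the constructed handlers below show the "before" shape, where `err.Error()` reaches the client, beside the hardened shape, where the detail is logged server-side and only the generic login message is returned; the handler and helper names are assumptions for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Generic message for users; the detailed error goes to the server log only.
const safeLoginError = "Login error. Please contact your administrator or try again later."

// leakyHandler mirrors the pre-fix pattern: the raw error text reaches the client.
// Constructed illustration, not an actual dex handler.
func leakyHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := base64.StdEncoding.DecodeString(r.URL.Query().Get("state")); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// safeHandler applies the PR's approach: log the full error, return a generic message.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := base64.StdEncoding.DecodeString(r.URL.Query().Get("state")); err != nil {
		log.Printf("failed to decode state parameter: %v", err) // full detail stays server-side
		http.Error(w, safeLoginError, http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// responseBody runs a handler against a constructed request and returns status and body.
func responseBody(h http.HandlerFunc, rawQuery string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/callback?"+rawQuery, nil)
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// leaksInternalDetail reports whether a response body exposes Go's base64 error text.
func leaksInternalDetail(body string) bool {
	return strings.Contains(body, "illegal base64 data")
}

func main() {
	_, before := responseBody(leakyHandler, "state=%21%21") // "!!" is not valid base64
	_, after := responseBody(safeHandler, "state=%21%21")
	fmt.Printf("before: %q\nafter:  %q\n", before, after)
}
```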
@Jabejixo Jabejixo force-pushed the fix/hide-internal-500-error-details branch from a339552 to debcb5c on January 13, 2026 09:55
Signed-off-by: Ivan Zvyagintsev <ivan.zvyagintsev@flant.com>
Member

@sagikazarmark sagikazarmark left a comment

Thanks!

@sagikazarmark sagikazarmark merged commit 701c83a into dexidp:master Jan 13, 2026
9 checks passed
@Jabejixo Jabejixo deleted the fix/hide-internal-500-error-details branch January 13, 2026 13:22
