fix(oauth): Add atomic status check to deny action

Use the same atomic filter().update() pattern as approval to prevent
race condition where denial could overwrite an already-approved device
code, causing inconsistent state (ApiAuthorization exists but client
receives access_denied).

Author: dcramer

src/sentry/web/frontend/oauth_device.py

@@ -227,8 +227,15 @@ def _show_approval_form(self, request: HttpRequest, user_code: str) -> HttpRespo
 
     def _handle_deny(self, request: HttpRequest, device_code: ApiDeviceCode) -> HttpResponseBase:
         """Handle deny action for a device code."""
-        device_code.status = DeviceCodeStatus.DENIED
-        device_code.save(update_fields=["status"])
+        # Atomically mark as denied only if still pending (prevents race with approve)
+        updated = ApiDeviceCode.objects.filter(
+            id=device_code.id,
+            status=DeviceCodeStatus.PENDING,
+        ).update(status=DeviceCodeStatus.DENIED)
+
+        if not updated:
+            # Another request already processed this device code
+            return self._error_response(request, ERR_INVALID_CODE)
 
         metrics.incr("oauth_device.deny", sample_rate=1.0)
         logger.info(