
Add tests for /v1/oauth/authorize PKCE endpoint#696

Merged
rickyrombo merged 2 commits into mjp-oauth-endpoints from copilot/sub-pr-686
Mar 9, 2026

Conversation

Contributor

Copilot AI commented Mar 9, 2026

The /v1/oauth/authorize endpoint (entry point to the PKCE flow) had no test coverage, leaving happy paths, validation logic, and grant enforcement untested.

Changes

  • makeOAuthJWT helper: generates valid Ethereum personal-signed JWTs using a fixed test private key, replicating the exact signing format validated by validateOAuthJWTTokenToUserId
  • seedOAuthTestData update: user 100's wallet updated to the address derived from the test private key, enabling real JWT verification against the DB in authorize tests
  • 10 new test cases for POST /v1/oauth/authorize:
    • Happy path: read scope and write scope with an approved grant
    • Required-field validation: missing token, client_id, redirect_uri, code_challenge, scope → 400 invalid_request
    • code_challenge_method must be S256 → 400 invalid_request
    • Invalid scope value → 400 invalid_request
    • Invalid/unsigned JWT → 401 access_denied
    • Unknown client_id → 400 invalid_client
    • write scope with no approved grant → 403 access_denied
// makeOAuthJWT signs a JWT with a known test private key whose wallet
// is seeded into the users table, enabling full JWT validation in tests.
// header, payload, ethereumPrefix and the encoding helpers are defined elsewhere in the test package.
func makeOAuthJWT(t *testing.T, userID int, privKeyHex string) string {
    t.Helper()
    privKey, err := crypto.HexToECDSA(privKeyHex)
    if err != nil {
        t.Fatalf("parsing test private key: %v", err)
    }
    message := header + "." + base64url(payload)
    sig, err := crypto.Sign(keccak256(ethereumPrefix+message), privKey)
    if err != nil {
        t.Fatalf("signing JWT: %v", err)
    }
    return message + "." + base64url(hexEncode(sig))
}
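The validation sequence the test list above describes, as an added example that is not part of PR #696 or the project's code: a stand-alone Go handler for POST /v1/oauth/authorize that applies the same checks (required fields, S256-only code_challenge_method, read/write scope, token verification, known client, approved write grant) and returns the same status and error-code pairs, driven through net/http/httptest. The client IDs, tokens, grant table and the token lookup that stands in for validateOAuthJWTTokenToUserId are constructed fixtures, and the check order is an assumption consistent with the listed cases.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// oauthError pairs an HTTP status with an OAuth 2.0 error code.
type oauthError struct{ Status int; Code string }

// Constructed fixtures standing in for the seeded DB rows: two known clients,
// one token that verifies to user 100, and one approved write grant
// (user 100 for client-abc; client-xyz has none).
var (
	knownClients  = map[string]bool{"client-abc": true, "client-xyz": true}
	validTokens   = map[string]int{"valid-token-user-100": 100} // stub for validateOAuthJWTTokenToUserId
	approvedWrite = map[int]map[string]bool{100: {"client-abc": true}}
)

// validateAuthorize runs the checks in an order consistent with the PR's test
// list: required fields, challenge method, scope, token, client, grant.
// A nil result means the request is acceptable.
func validateAuthorize(form url.Values) *oauthError {
	for _, f := range []string{"token", "client_id", "redirect_uri", "code_challenge", "scope"} {
		if strings.TrimSpace(form.Get(f)) == "" {
			return &oauthError{http.StatusBadRequest, "invalid_request"}
		}
	}
	// PKCE: only the S256 transform is accepted; "plain" or absent is rejected.
	if form.Get("code_challenge_method") != "S256" {
		return &oauthError{http.StatusBadRequest, "invalid_request"}
	}
	scope := form.Get("scope")
	if scope != "read" && scope != "write" {
		return &oauthError{http.StatusBadRequest, "invalid_request"}
	}
	userID, ok := validTokens[form.Get("token")]
	if !ok {
		return &oauthError{http.StatusUnauthorized, "access_denied"}
	}
	clientID := form.Get("client_id")
	if !knownClients[clientID] {
		return &oauthError{http.StatusBadRequest, "invalid_client"}
	}
	// The write scope additionally requires a previously approved grant.
	if scope == "write" && !approvedWrite[userID][clientID] {
		return &oauthError{http.StatusForbidden, "access_denied"}
	}
	return nil
}

// authorizeHandler answers {"error": code} with the mapped status on rejection
// and 200 on acceptance.
func authorizeHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if r.Method != http.MethodPost || r.ParseForm() != nil {
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request"})
		return
	}
	if e := validateAuthorize(r.PostForm); e != nil {
		w.WriteHeader(e.Status)
		json.NewEncoder(w).Encode(map[string]string{"error": e.Code})
		return
	}
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(map[string]string{"status": "authorized"})
}

// postAuthorize drives the handler through httptest and returns the HTTP
// status plus the OAuth error code ("" when the request was accepted).
func postAuthorize(form url.Values) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/v1/oauth/authorize", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	authorizeHandler(rec, req)
	var body map[string]string
	_ = json.NewDecoder(rec.Body).Decode(&body)
	return rec.Code, body["error"]
}

// baseForm returns a constructed request that passes every check for the read scope.
func baseForm() url.Values {
	return url.Values{
		"token":                 {"valid-token-user-100"},
		"client_id":             {"client-abc"},
		"redirect_uri":          {"https://app.example/callback"},
		"code_challenge":        {"sample-code-challenge"},
		"code_challenge_method": {"S256"},
		"scope":                 {"read"},
	}
}

func main() {
	status, code := postAuthorize(baseForm())
	fmt.Println(status, code) // 200 with an empty error code
}
```

Each rejected case changes exactly one field of baseForm, which is what keeps the listed status/error pairs independent of the check order; the write-scope case against client-xyz is the only one that reaches the grant lookup.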


…ion, invalid token, unknown client, write scope grant enforcement

Co-authored-by: rickyrombo <3690498+rickyrombo@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP address feedback on adding OAuth 2.0 endpoints" to "Add tests for /v1/oauth/authorize PKCE endpoint" Mar 9, 2026
@rickyrombo rickyrombo marked this pull request as ready for review March 9, 2026 18:02
@rickyrombo rickyrombo merged commit ce76931 into mjp-oauth-endpoints Mar 9, 2026
4 checks passed
@rickyrombo rickyrombo deleted the copilot/sub-pr-686 branch March 9, 2026 18:03