feat(auth): Complete OIDC security refactor and modernize test suite

- Refactored OIDC flow to implement PKCE, state/nonce validation, and BFF pattern.
- Centralized configuration in Settings class (DEV_MODE, FRONTEND_URL, OIDC_REDIRECT_URI).
- Updated auth routers to use conditional secure cookie flags based on DEV_MODE.
- Modernized and cleaned up test suite by removing legacy Streamlit tests.
- Fixed linting errors and unused imports across the backend.

backend/tests/api/test_api_auth.py

@@ -1,6 +1,6 @@
 import pytest
 from fastapi.testclient import TestClient
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch
 from ea_chatbot.api.main import app
 from ea_chatbot.history.models import User
 
@@ -66,31 +66,43 @@ def test_protected_route_without_token():
     assert response.status_code == 401
 
 def test_oidc_login_redirect():
-    """Test that OIDC login returns a redirect URL."""
+    """Test that OIDC login returns a redirect URL and sets session cookie."""
     with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc:
-        mock_oidc.get_login_url.return_value = "https://oidc-provider.com/auth"
+        mock_oidc.get_auth_data.return_value = {
+            "url": "https://oidc-provider.com/auth",
+            "state": "test_state",
+            "nonce": "test_nonce",
+            "code_verifier": "test_verifier"
+        }
         
         response = client.get("/api/v1/auth/oidc/login")
         assert response.status_code == 200
         assert response.json()["url"] == "https://oidc-provider.com/auth"
+        assert "oidc_session" in response.cookies
 
-def test_oidc_callback_success_ajax():
-    """Test successful OIDC callback and JWT issuance via AJAX."""
+def test_oidc_callback_success():
+    """Test successful OIDC callback and JWT issuance."""
     with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc, \
+         patch("ea_chatbot.api.routers.auth.OIDCSession.decrypt") as mock_decrypt, \
          patch("ea_chatbot.api.routers.auth.history_manager") as mock_hm:
         
-        mock_oidc.exchange_code_for_token.return_value = {"access_token": "oidc-token"}
-        mock_oidc.get_user_info.return_value = {"email": "sso@example.com", "name": "SSO User"}
+        mock_decrypt.return_value = {
+            "state": "test_state",
+            "nonce": "test_nonce",
+            "code_verifier": "test_verifier"
+        }
+        mock_oidc.exchange_code_for_token.return_value = {"id_token": "fake_id_token"}
+        mock_oidc.validate_id_token.return_value = {"email": "sso@example.com", "name": "SSO User"}
         mock_hm.sync_user_from_oidc.return_value = User(id="sso-123", username="sso@example.com", display_name="SSO User")
         
+        client.cookies.set("oidc_session", "fake_token")
         response = client.get(
-            "/api/v1/auth/oidc/callback?code=some-code",
-            headers={"Accept": "application/json"}
+            "/api/v1/auth/oidc/callback?code=some-code&state=test_state",
+            follow_redirects=False
         )
         
-        assert response.status_code == 200
-        assert "access_token" in response.json()
-        assert response.json()["token_type"] == "bearer"
+        assert response.status_code == 302
+        assert "access_token" in response.cookies
 
 def test_get_me_success():
     """Test getting current user with a valid token."""

backend/tests/api/test_api_auth_cookie.py

@@ -1,6 +1,6 @@
 import pytest
 from fastapi.testclient import TestClient
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch
 from ea_chatbot.api.main import app
 from ea_chatbot.history.models import User
 from ea_chatbot.api.utils import create_access_token
@@ -83,15 +83,25 @@ def test_logout_clears_cookie():
 def test_oidc_callback_redirects_with_cookie():
     """Test that OIDC callback sets cookie and redirects."""
     with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc, \
+         patch("ea_chatbot.api.routers.auth.OIDCSession.decrypt") as mock_decrypt, \
          patch("ea_chatbot.api.routers.auth.history_manager") as mock_hm:
         
-        mock_oidc.exchange_code_for_token.return_value = {"access_token": "oidc-token"}
-        mock_oidc.get_user_info.return_value = {"email": "sso@example.com", "name": "SSO User"}
+        mock_decrypt.return_value = {
+            "state": "test_state",
+            "nonce": "test_nonce",
+            "code_verifier": "test_verifier"
+        }
+        mock_oidc.exchange_code_for_token.return_value = {"id_token": "fake_id_token"}
+        mock_oidc.validate_id_token.return_value = {"email": "sso@example.com", "name": "SSO User"}
         mock_hm.sync_user_from_oidc.return_value = User(id="sso-123", username="sso@example.com", display_name="SSO User")
         
-        # Follow_redirects=False to catch the 307/302
-        response = client.get("/api/v1/auth/oidc/callback?code=some-code", follow_redirects=False)
+        # Set the session cookie
+        client.cookies.set("oidc_session", "fake_token")
         
-        assert response.status_code in [302, 303, 307]
+        # Follow_redirects=False to catch the 302
+        response = client.get("/api/v1/auth/oidc/callback?code=some-code&state=test_state", follow_redirects=False)
+        
+        assert response.status_code == 302
         assert "access_token" in response.cookies
-        assert "/auth/callback" in response.headers["location"]
+        # Should redirect to FRONTEND_URL (default http://localhost:5173)
+        assert "http://localhost:5173" in response.headers["location"]

backend/tests/api/test_oidc_flow.py

@@ -0,0 +1,82 @@
+import pytest
+from fastapi.testclient import TestClient
+from unittest.mock import patch
+from ea_chatbot.api.main import app
+from ea_chatbot.history.models import User
+
+@pytest.fixture
+def client():
+    """Provides a fresh TestClient for each test."""
+    return TestClient(app)
+
+@pytest.fixture
+def mock_auth_data():
+    return {
+        "url": "https://example.com/auth?state=test_state",
+        "state": "test_state",
+        "nonce": "test_nonce",
+        "code_verifier": "test_verifier"
+    }
+
+def test_oidc_login_sets_cookie(client, mock_auth_data):
+    """Test that OIDC login initiation sets the temporary session cookie."""
+    with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc:
+        mock_oidc.get_auth_data.return_value = mock_auth_data
+        
+        response = client.get("/api/v1/auth/oidc/login")
+        
+        assert response.status_code == 200
+        assert response.json()["url"] == mock_auth_data["url"]
+        assert "oidc_session" in response.cookies
+
+def test_oidc_callback_missing_cookie(client):
+    """Test that OIDC callback fails if the temporary session cookie is missing."""
+    with patch("ea_chatbot.api.routers.auth.oidc_client"):
+        # Ensure no cookies are set
+        client.cookies.clear()
+        response = client.get("/api/v1/auth/oidc/callback?code=test_code&state=test_state", follow_redirects=False)
+        
+        # Should redirect to frontend with error
+        assert response.status_code == 302
+        assert "error=oidc_failed" in response.headers["location"]
+
+def test_oidc_callback_invalid_state(client, mock_auth_data):
+    """Test that OIDC callback fails if the state in the URL doesn't match the cookie."""
+    with patch("ea_chatbot.api.routers.auth.oidc_client"), \
+         patch("ea_chatbot.api.routers.auth.OIDCSession.decrypt") as mock_decrypt:
+        
+        # Mock valid cookie content
+        mock_decrypt.return_value = mock_auth_data
+        
+        # Send different state in URL
+        client.cookies.set("oidc_session", "fake_token")
+        response = client.get("/api/v1/auth/oidc/callback?code=test_code&state=wrong_state", follow_redirects=False)
+        
+        assert response.status_code == 302
+        assert "error=oidc_failed" in response.headers["location"]
+
+def test_oidc_callback_success(client, mock_auth_data):
+    """Test successful OIDC callback and session establishment."""
+    with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc, \
+         patch("ea_chatbot.api.routers.auth.OIDCSession.decrypt") as mock_decrypt, \
+         patch("ea_chatbot.api.routers.auth.history_manager") as mock_hm, \
+         patch("ea_chatbot.api.routers.auth.create_access_token") as mock_create_token:
+        
+        mock_decrypt.return_value = mock_auth_data
+        mock_oidc.exchange_code_for_token.return_value = {"id_token": "fake_id_token"}
+        mock_oidc.validate_id_token.return_value = {"email": "user@test.com", "name": "Test User"}
+        mock_hm.sync_user_from_oidc.return_value = User(id="user-123", username="user@test.com")
+        mock_create_token.return_value = "fake_access_token"
+        
+        client.cookies.set("oidc_session", "fake_token")
+        response = client.get("/api/v1/auth/oidc/callback?code=test_code&state=test_state", follow_redirects=False)
+        
+        assert response.status_code == 302
+        # Redirect to FRONTEND_URL (default localhost:5173)
+        assert "http://localhost:5173" in response.headers["location"]
+        assert "access_token" in response.cookies
+        
+        # Verify oidc_session was cleaned up (deleted)
+        # In RedirectResponse, delete_cookie works by setting the cookie with empty value and past expiry
+        cookie_header = response.headers.get("set-cookie", "")
+        assert "oidc_session=;" in cookie_header or 'oidc_session=""' in cookie_header

backend/tests/api/test_persistence.py

@@ -3,10 +3,8 @@ from fastapi.testclient import TestClient
 from unittest.mock import MagicMock, patch, AsyncMock
 from ea_chatbot.api.main import app
 from ea_chatbot.api.dependencies import get_current_user
-from ea_chatbot.history.models import User, Conversation, Message, Plot
+from ea_chatbot.history.models import User, Conversation
 from ea_chatbot.api.utils import create_access_token
-from datetime import datetime, timezone
-import json
 
 client = TestClient(app)