[OLH-1727] Add logging and testing for session state during authentication flow

[jeremy-barrass-gov]

Proposed changes

OLH-1727 Add logging, testing and error handling to authentication flow to confirm state has not been changed between the Authentication Request and Response

What changed

Added logging of the state session state on the request and the generated token, added a check for value mismatch and subsequent error handling, added a unit test to confirm any change to this state following the OICD Callback is detected.

Why did it change

Because 302 access_denied (Invalid state param present in Authorisation response) errors had been reported.

Related links

https://govukverify.atlassian.net/browse/OLH-1727?atlOrigin=eyJpIjoiODgzNTMxZGY3M2FkNGY4NWFlZDZlMzNmMzA5YTAzM2YiLCJwIjoiaiJ9

Checklists

Environment variables or secrets

• No environment variables or secrets were added or changed

Testing

Run unit tests. All tests pass.

• Automated test coverage includes features that are flagged off

Sign-offs

• New Node.JS/NPM dependencies have been signed-off by a Lead dev or Lead SRE
• Design updates have been signed off by a member of the UCD team

• Analytics updates have been signed off by a PA

Monitoring

• This PR includes changes that need to be monitored in production as the scope of the change could cause issues

How to review

[TaherKapasi]

could we make this a debug line please

[TaherKapasi]

could we make this a debug line please

[TaherKapasi]

I would like handleOidcCallbackError, when receiving the state in the qsp - I want this to exactly match the one held in the session otherwise redirect to PATH_DATA.SESSION_EXPIRED.url with a warning error stating that the state did not match.