
fix(auth): Resolved PR#2523

Open

MoonLawlier wants to merge 1 commit into Umbrella-io:main from MoonLawlier:fix/auth-rate-limit

Conversation

@MoonLawlier


Summary

Fixes the interrupted GitHub OAuth retry flow by preventing cancelled sign-in starts from tripping the auth rate limiter, and redirects real auth throttles back to the sign-in UI instead of showing raw JSON. Also hardens Supabase env validation so malformed local URLs no longer crash the app at startup.

Closes #2267


Type of Change

  •  🐛 Bug fix (non-breaking change that fixes an issue)

What Changed

  • Updated src/lib/auth-rate-limit.ts so OAuth initiation routes like /api/auth/signin/github are no longer rate-limited, while callback/code-exchange routes remain protected.
  • Updated src/middleware.ts to redirect auth rate-limit failures to /auth/signin?error=RateLimit instead of returning raw JSON.
  • Updated src/app/auth/signin/page.tsx to show a user-friendly RateLimit toast/message.
  • Added src/lib/supabase-env.ts and updated Supabase clients to avoid crashing when Supabase URL env vars are malformed.
  • Updated test/auth-rate-limit.test.ts and test/supabase-guard.test.ts with regression coverage.

How to Test

  1. Run npx vitest run test/auth-rate-limit.test.ts test/supabase-guard.test.ts.
  2. Run npm run type-check.
  3. Run npm run lint.
  4. Start the app and retry GitHub sign-in after interrupting the OAuth flow with the browser Back button.

Expected result:

The interrupted OAuth flow can be retried without hitting a hard block. If auth rate limiting is triggered, the user is redirected back to the sign-in page with a friendly message instead of raw JSON. The app should also start without crashing when Supabase env URLs are malformed.


Screenshots / Recordings



Checklist

  •  Linked the related issue above
  •  Self-reviewed my own diff
  •  No unnecessary console.log, debug code, or commented-out blocks
  •  npm run lint passes locally
  •  No TypeScript errors (npm run type-check)
  •  Added or updated tests where applicable
  •  Updated documentation / comments if behavior changed

Accessibility (UI changes only)

  •  Keyboard navigation works correctly
  •  Color contrast meets WCAG AA standard
  •  ARIA labels / roles added where needed
  •  Tested on mobile / responsive layout

Additional Context

package-lock.json was already modified before these changes and was not touched as part of this fix.
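The behaviour described in "What Changed", as an added example that is not the PR's code and not the project's own middleware: a route policy that exempts OAuth initiation routes from the auth rate limiter while keeping callback/code-exchange routes protected, a middleware-style decision that redirects throttled requests to `/auth/signin?error=RateLimit` instead of returning raw JSON, and an env guard that turns a malformed Supabase URL into `null` rather than a startup crash. Function and class names, the fixed-window strategy and the route patterns are assumptions.

```typescript
// Added example modelled on the PR description; names and patterns are assumptions.
type Decision = { limited: false } | { limited: true; redirectTo: string };

// Hypothetical route policy: OAuth initiation is exempt so a sign-in cancelled with
// the Back button can be retried; callback/code exchange stays rate-limited.
const OAUTH_INITIATION = /^\/api\/auth\/signin\/[a-z0-9-]+$/;
const OAUTH_CALLBACK = /^\/api\/auth\/callback\/[a-z0-9-]+$/;

function isRateLimitedAuthRoute(pathname: string): boolean {
  if (OAUTH_INITIATION.test(pathname)) return false;
  return OAUTH_CALLBACK.test(pathname);
}

// Fixed-window counter keyed by client id and path (constructed, in-memory; a real
// deployment would back this with shared storage so limits hold across instances).
class AuthRateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly max: number, private readonly windowMs: number) {}

  // Middleware-style decision: pass, or redirect to the sign-in UI with a
  // RateLimit error code instead of a raw JSON 429 body.
  check(clientId: string, pathname: string, now: number): Decision {
    if (!isRateLimitedAuthRoute(pathname)) return { limited: false };
    const key = `${clientId}:${pathname}`;
    const entry = this.hits.get(key);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return { limited: false };
    }
    entry.count += 1;
    if (entry.count > this.max) {
      return { limited: true, redirectTo: "/auth/signin?error=RateLimit" };
    }
    return { limited: false };
  }
}

// Env guard: a missing or malformed Supabase URL yields null instead of throwing,
// so the caller can log and degrade rather than crash at startup.
function parseSupabaseUrl(raw: string | undefined): string | null {
  if (!raw) return null;
  try {
    const u = new URL(raw.trim());
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}
```

Note that with initiation routes exempt, the callback limiter is the only throttle left on the OAuth path, so its window and threshold should be reviewed with that in mind.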


@github-actions Bot added the labels type:bug (GSSoC type bonus: bug fix), type:feature (GSSoC type bonus: new feature), type:testing (GSSoC type bonus: tests, +10 pts), type:performance (GSSoC type bonus: performance, +15 pts), gssoc26 (GSSoC 2026 contribution) and type:security (GSSoC type bonus: security, +20 pts) on Jun 17, 2026
@github-actions


GSSoC Label Checklist 🏷️

@Umbrella-io — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@Priyanshu-byte-coder

Member

This PR has merge conflicts with main. Please rebase or resolve conflicts and push again.
