fix(oidc): implement better http timeouts, callbacks, and session lifetimes for oidc #9635

Open
perfectra1n wants to merge 3 commits into main from feat/fix-oidc-take1
Conversation

@perfectra1n
Member

  1. OIDC HTTP timeout is now configurable, default raised 5s -> 30s. Added oauthHttpTimeout to config.ini / env vars in config.ts, wired into generateOAuthConfig() in open_id.ts. Fixes the problem of having to login twice caused by cold-start IdP responses exceeding the library's 5s default.
  2. OIDC session lifetime now matches the 21-day cookieMaxAge. Added a session: { rolling: true, rollingDuration, absoluteDuration } block to the OIDC config - both bounded by config.Session.cookieMaxAge. Fixes the problem where the library's silent 24h-rolling / 7d-absolute defaults were the weak link in min(trilium.sid, appSession).
  3. OIDC callback now regenerates the session ID. Wrapped req.session.regenerate(...) around the loggedIn = true assignment in afterCallback. Brings the OIDC path to parity with the password path (login.ts:133) and closes the session-fixation gap.
  4. OIDC error paths now log instead of swallowing silently. Replaced console.log("user invalid!") with log.error(...) and the bare catch {} in isTokenValid with a logged `catch (err)`. Makes future OIDC misbehavior actually debuggable.

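Added example, not code from Trilium or from this PR: an in-memory model of express-session's regenerate() together with a rolling/absolute lifetime rule, used to check the two session properties that items 2 and 3 above target (the session ID an attacker planted before login must not become a logged-in session, and the rolling/absolute bounds decide how long a daily user stays signed in), plus a hardened transformer for the oauthHttpTimeout value from item 1. The names (SessionStore, parseTimeoutMs, LIBRARY_DEFAULTS, PR_POLICY), the millisecond units and the modeled defaults (24h rolling / 7d absolute vs. 21 days) are this example's own assumptions, taken from the description above rather than from the library's configuration.

```typescript
// Added example (assumed names, not Trilium's code): in-memory session store that
// models express-session's regenerate() and a rolling/absolute lifetime policy.
import { randomBytes } from "node:crypto";

interface SessionData {
    loggedIn: boolean;
    createdAt: number;   // absolute lifetime is measured from here, never extended
    lastSeenAt: number;  // rolling (idle) lifetime is measured from here, extended on each valid hit
}

interface LifetimePolicy {
    rollingMs: number;
    absoluteMs: number;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed to model the library defaults the PR description cites (24h rolling, 7d absolute).
const LIBRARY_DEFAULTS: LifetimePolicy = { rollingMs: 1 * DAY_MS, absoluteMs: 7 * DAY_MS };
// The PR's intent: both bounds set to the 21-day cookieMaxAge.
const COOKIE_MAX_AGE_MS = 21 * DAY_MS;
const PR_POLICY: LifetimePolicy = { rollingMs: COOKIE_MAX_AGE_MS, absoluteMs: COOKIE_MAX_AGE_MS };

class SessionStore {
    private readonly sessions: Record<string, SessionData> = {};
    constructor(private readonly policy: LifetimePolicy) {}

    create(now: number): string {
        const sid = randomBytes(16).toString("hex");
        this.sessions[sid] = { loggedIn: false, createdAt: now, lastSeenAt: now };
        return sid;
    }

    // Returns the session if both bounds hold and touches it (the rolling behaviour);
    // an expired session is deleted so a later request cannot revive it.
    get(sid: string, now: number): SessionData | undefined {
        const s = this.sessions[sid];
        if (s === undefined) return undefined;
        if (now - s.createdAt > this.policy.absoluteMs || now - s.lastSeenAt > this.policy.rollingMs) {
            delete this.sessions[sid];
            return undefined;
        }
        s.lastSeenAt = now;
        return s;
    }

    // Models req.session.regenerate(): the old id is destroyed and a fresh id is issued.
    regenerate(oldSid: string, now: number): string {
        delete this.sessions[oldSid];
        return this.create(now);
    }
}

type CallbackHandler = (store: SessionStore, sid: string, now: number) => string;

// Callback that marks the existing session as logged in (the pre-PR shape).
const callbackWithoutRegenerate: CallbackHandler = (store, sid, now) => {
    const s = store.get(sid, now);
    if (s !== undefined) s.loggedIn = true;
    return sid;
};

// Callback that regenerates first (the PR's shape): the new id never existed before login.
const callbackWithRegenerate: CallbackHandler = (store, sid, now) => {
    const fresh = store.regenerate(sid, now);
    const s = store.get(fresh, now);
    if (s !== undefined) s.loggedIn = true;
    return fresh;
};

// Session-fixation check: the attacker obtains an unauthenticated sid, plants it in the
// victim's browser, the victim completes the OIDC callback, and the attacker replays the sid.
function attackerSidBecomesLoggedIn(handler: CallbackHandler): boolean {
    const store = new SessionStore(PR_POLICY);
    const plantedSid = store.create(0);        // attacker-known id
    handler(store, plantedSid, 1000);          // victim logs in carrying that cookie
    const replay = store.get(plantedSid, 2000);
    return replay !== undefined && replay.loggedIn;
}

// A user who touches the app once a day for `days` days: is the session still alive at the end?
// Shows which of the two bounds is the weak link under a given policy.
function surviveDailyUse(policy: LifetimePolicy, days: number): boolean {
    const store = new SessionStore(policy);
    const sid = store.create(0);
    for (let d = 1; d <= days; d++) {
        if (store.get(sid, d * DAY_MS) === undefined) return false;
    }
    return true;
}

// Transformer for the configured timeout: fixed radix, and anything that is not a positive
// integer falls back to the default instead of handing NaN, 0 or a negative value to the client.
function parseTimeoutMs(value: unknown, fallbackMs: number = 30000): number {
    const parsed = parseInt(String(value).trim(), 10);
    return !isNaN(parsed) && parsed > 0 ? parsed : fallbackMs;
}

console.log("fixation without regenerate:", attackerSidBecomesLoggedIn(callbackWithoutRegenerate));
console.log("fixation with regenerate:   ", attackerSidBecomesLoggedIn(callbackWithRegenerate));
console.log("8 daily visits, library defaults:", surviveDailyUse(LIBRARY_DEFAULTS, 8));
console.log("21 daily visits, PR policy:       ", surviveDailyUse(PR_POLICY, 21));
```

The store's get() doing the touch is what `rolling: true` buys in a real deployment; the absolute bound is the one a daily user trips under the modeled 7-day default, which is why raising both to cookieMaxAge matters rather than the rolling window alone. parseTimeoutMs is deliberately lenient about trailing text ("30000ms" parses as 30000); reject with a `/^\d+$/` test first if the config format should be strict.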
@perfectra1n perfectra1n requested a review from eliandoran May 2, 2026 22:19
@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label May 2, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a configurable timeout for OAuth/OIDC requests and synchronizes OIDC session lifetimes with the application's session settings. It also enhances security by implementing session regeneration upon successful OIDC login and improves error logging. Feedback suggests explicitly saving the session after regeneration to ensure state persistence before redirection.

Comment on lines +158 to +170
    req.session.regenerate((err) => {
        if (err) {
            log.error(`Failed to regenerate session on OIDC login: ${err}`);
            return reject(err);
        }
        req.session.loggedIn = true;
        req.session.lastAuthState = {
            totpEnabled: false,
            ssoEnabled: true
        };
        resolve();
    });
});
medium

When using req.session.regenerate in an asynchronous context like afterCallback, it is a best practice to explicitly call req.session.save() after modifying the new session's properties. This ensures that the session state is persisted to the store before the middleware proceeds to redirect the user, preventing potential race conditions where the redirect happens before the session is saved.

            await new Promise<void>((resolve, reject) => {
                req.session.regenerate((err) => {
                    if (err) {
                        log.error(`Failed to regenerate session on OIDC login: ${err}`);
                        return reject(err);
                    }
                    req.session.loggedIn = true;
                    req.session.lastAuthState = {
                        totpEnabled: false,
                        ssoEnabled: true
                    };
                    req.session.save((saveErr) => {
                        if (saveErr) {
                            log.error(`Failed to save session after OIDC regeneration: ${saveErr}`);
                            return reject(saveErr);
                        }
                        resolve();
                    });
                });
            });

@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels May 3, 2026
@perfectra1n
Member Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request enhances OIDC configuration by adding support for custom HTTP timeouts and scopes, while also improving security through session regeneration upon login and aligning OIDC session lifetimes with application defaults. Additionally, logging for authentication failures has been improved. A suggestion was made to specify the radix in parseInt() when parsing the timeout value to ensure consistent behavior.

iniGetter: () => getIniSection("MultiFactorAuthentication")?.oauthHttpTimeout,
defaultValue: 30000,
transformer: (value: unknown) => {
    const parsed = parseInt(String(value));
medium

It is a best practice to always specify the radix (base) when using parseInt() to avoid any ambiguity in how the string is parsed, especially in older environments or with strings that might have leading zeros.

Suggested change
const parsed = parseInt(String(value));
const parsed = parseInt(String(value), 10);

Labels

size:L This PR changes 100-499 lines, ignoring generated files.
