fix: OAuth redirect loop — revert to server-side redirect, force secure cookie

Two issues:
1. Client-side HTML meta-refresh redirect (added for double-login fix) had
   broken JS syntax in template literal and was unreliable across browsers.
   Reverted to simple NextResponse.redirect().
2. Cookie secure flag was conditional on NODE_ENV=production which may not
   be set on Amplify Lambda. Changed to always true (site is HTTPS-only).

Author: Partha-dev01

app/api/auth/callback/google/route.ts

@@ -103,20 +103,11 @@ export async function GET(request: NextRequest) {
     const sessionToken = await createSessionForUser(user.id);
 
     // ─── Set cookie & redirect ────────────────────────────────────
-    // Use a client-side meta-refresh redirect so the browser fully
-    // processes the Set-Cookie before navigating. Server-side 302/307
-    // redirects from cross-origin OAuth flows can race with cookie storage.
-    const destination = `${appUrl}/kid-dashboard`;
-    const html = `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=${destination}"><script>window.location.href="${destination}"</script></head><body>Signing in...</body></html>`;
-
-    const response = new NextResponse(html, {
-      status: 200,
-      headers: { "Content-Type": "text/html" },
-    });
+    const response = NextResponse.redirect(`${appUrl}/kid-dashboard`);
 
     response.cookies.set(sessionCookieName, sessionToken, {
       httpOnly: true,
-      secure: process.env.NODE_ENV === "production",
+      secure: true,
       sameSite: "lax",
       maxAge: sessionMaxAgeSeconds,
       path: "/",