
fix(auth): avoid persisting populated relationship fields in OAuth session write #75

Open

JannikZed wants to merge 2 commits into WilsonLe:main from JannikZed:fix/oauth-session-relationship-persistence

Conversation

@JannikZed
Contributor

Summary

This PR fixes a regression in OAuth callback session persistence where the plugin writes the full user object via db.updateOne when adding a Payload session.

In projects with populated relationship fields (e.g. roles) on the user during login hooks, this can persist relationship objects instead of IDs and trigger Mongo cast errors like:

  • Cast to [ObjectId] failed ... at path "roles.0"

Root Cause

addPayloadSessionToUser currently passes a user-shaped object into session persistence, which can include populated relationship data from login hooks.

Fix

Update addPayloadSessionToUser to persist only session-related fields:

  • sessions
  • updatedAt

while still mutating the in-memory user with session info for downstream token signing.

Tests

Added regression coverage in test/callback-endpoint.spec.ts:

  • does not persist populated relationship fields when creating Payload sessions

This test simulates a populated roles array injected in beforeLogin and asserts that the db.updateOne payload does not include roles.

Verification

Ran targeted test suite:

  • pnpm test -- callback-endpoint.spec.ts
  • Result: all tests passing (15/15)
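To make the regression and the fix concrete, here is an added example that is not the plugin's code and not part of this PR. It takes the names from the description (addPayloadSessionToUser's role, db.updateOne, sessions, updatedAt, a populated roles array) and assumes the document shapes, the recording db stand-in and the helper names for illustration. The "whole user" variant writes the user-shaped object as the regression did; the "session fields" variant writes only sessions and updatedAt while still mutating the in-memory user, and a small check stands in for the Mongo cast that fails on populated relationship objects.

```typescript
// Added example, not the plugin's own code. The document shapes, the
// RecordingDb stand-in and the helper names are assumptions for illustration.

interface SessionRecord {
  id: string;
  createdAt: string;
  expiresAt: string;
}

// How a user may look inside a beforeLogin hook: `roles` has been populated
// into full documents, although the stored field holds only ids. (constructed)
interface UserDoc {
  id: string;
  email: string;
  roles: Array<string | { id: string; name: string }>;
  sessions?: SessionRecord[];
  updatedAt?: string;
}

interface UpdateArgs {
  collection: string;
  id: string;
  data: Record<string, unknown>;
}

// Stand-in for the Payload db adapter: records every write instead of hitting
// Mongo. The real adapter is async; it is synchronous here to keep the
// example self-contained.
class RecordingDb {
  calls: UpdateArgs[] = [];
  updateOne(args: UpdateArgs): Record<string, unknown> {
    this.calls.push(args);
    return args.data;
  }
}

// Emulates the part of the cast that the PR's error comes from: a relationship
// array containing anything other than id strings cannot be cast to [ObjectId].
function hasUncastableRelationship(data: Record<string, unknown>, field = "roles"): boolean {
  const value = data[field];
  return Array.isArray(value) && value.some((entry) => typeof entry !== "string");
}

// Before the fix: the whole user-shaped object, populated roles included,
// is handed to db.updateOne.
function addSessionWritingWholeUser(db: RecordingDb, user: UserDoc, session: SessionRecord): UserDoc {
  user.sessions = [...(user.sessions ?? []), session];
  user.updatedAt = session.createdAt;
  db.updateOne({ collection: "users", id: user.id, data: { ...user } });
  return user;
}

// After the fix: the in-memory user is still mutated (downstream token signing
// reads `sessions` from it), but only the session-related fields are persisted.
function addSessionWritingSessionFields(db: RecordingDb, user: UserDoc, session: SessionRecord): UserDoc {
  user.sessions = [...(user.sessions ?? []), session];
  user.updatedAt = session.createdAt;
  db.updateOne({
    collection: "users",
    id: user.id,
    data: { sessions: user.sessions, updatedAt: user.updatedAt },
  });
  return user;
}

// Fresh user with a populated `roles` array, as a login hook might leave it. (constructed)
function makePopulatedUser(): UserDoc {
  return {
    id: "user-1",
    email: "alice@example.test",
    roles: [{ id: "role-admin", name: "admin" }],
    sessions: [],
  };
}

const sampleSession: SessionRecord = {
  id: "sess-1",
  createdAt: "2026-05-18T08:00:00.000Z",
  expiresAt: "2026-05-25T08:00:00.000Z",
};

// Runs both variants against a fresh user and reports what each would have written.
function compareSessionWrites() {
  const naiveDb = new RecordingDb();
  addSessionWritingWholeUser(naiveDb, makePopulatedUser(), sampleSession);

  const fixedDb = new RecordingDb();
  const user = addSessionWritingSessionFields(fixedDb, makePopulatedUser(), sampleSession);

  return {
    naiveWriteWouldFailCast: hasUncastableRelationship(naiveDb.calls[0].data),
    fixedWriteWouldFailCast: hasUncastableRelationship(fixedDb.calls[0].data),
    fixedWrittenKeys: Object.keys(fixedDb.calls[0].data).sort(),
    inMemorySessionCount: user.sessions?.length ?? 0,
  };
}

console.log(compareSessionWrites());
```

The same shape is what a regression test can assert on: capture the data passed to updateOne, check that it contains only the session fields, and check that the returned user still carries the new session for token signing.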

@JannikZed JannikZed marked this pull request as ready for review May 18, 2026 08:37
@JannikZed
Contributor Author

@WilsonLe found this bug with the new session logic.
