Expose default onCallback

[greenlynx]

• [✅] All new/changed/fixed functionality is covered by tests (or N/A)
• [✅] I have added documentation for all new/changed functionality (or N/A)

📋 Changes

We would like to define an onCallback hook in our code that takes an action but does not override default callback behaviour. This is currently difficult. This PR sends an extra defaultOnCallback parameter to onCallback that can be called if default callback behaviour is desired.

🎯 Testing

Automated unit tests added.

[Piyush-85]

Could we add JSDoc on type parameters, IDEs (VS Code, WebStorm) surface these on hover. Something like below should be good.

/**
 * Hook called once the user has been redirected back from Auth0 to your
 * application's callback route, after the authorization code has been
 * exchanged (or an error has occurred).
 *
 * Return a `NextResponse` to control where the user is sent next.
 * If you do not need custom routing, simply return the result of calling
 * the fourth argument (`defaultOnCallback`) to invoke the SDK's default behaviour.
 *
 * @param error - The error returned from Auth0 or during token exchange.
 *   `null` when the callback completed successfully.
 * @param ctx - Context about the transaction that initiated the auth flow
 *   (e.g. `returnTo` URL, `responseType`, `challengeMode`).
 * @param session - The `SessionData` that will be persisted after a
 *   successful callback. `null` when `error` is present.
 * @param defaultOnCallback - The SDK's built-in callback handler. Call this
 *   to keep the default redirect/error behaviour while still running your own
 *   side effects (e.g. syncing the user to your database, setting extra
 *   cookies). Signature: `(error, ctx) => Promise<NextResponse>`.
 *
 * @example
 * ```ts
 * const auth0 = new Auth0Client({
 *   async onCallback(error, ctx, session, defaultOnCallback) {
 *     if (!error && session) {
 *       await db.upsertUser(session.user); // side effect
 *     }
 *     return defaultOnCallback(error, ctx); // keep default redirect behaviour
 *   }
 * });
 * ```
 */

[Piyush-85]

this.defaultOnCallback is passed as a plain function reference. Since it's a regular method (not an arrow function), this won't be bound when the consumer calls it.
Please use this.defaultOnCallback.bind(this) at each callsite, so if defaultOnCallback ever gets updated to call this.someInternalHelper(), it does not silently break.

[Piyush-85]

Hi @greenlynx, thanks for your contribution - this is a useful addition.
The change looks good. Two minor comments to address before we merge, please take a look when you get a chance, and also rebase to resolve the merge conflicts.