Fix OAuth callback login failures

Two changes to address users landing on a blank /oauth/callback page:

1. Guard the GraphQLNotAuthenticatedErrorEvent handler so it's a no-op
   when the current page is /oauth/callback. A NOT_AUTHENTICATED error from
   any in-flight GraphQL query was able to call initiateAuthentication()
   mid-exchange, overwriting the PKCE data in sessionStorage and sending the
   user back to the OAuth server in a redirect loop.

2. Add a "Try logging in again" button to the OAuthCallback error UI so
   that when the exchange fails (e.g. missing PKCE state after a stale
   page load), users get a one-click path to restart the login flow rather
   than a dead-end error message.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: nbudin

app/javascript/Authentication/OAuthCallback.tsx

@@ -32,6 +32,18 @@ function OAuthCallback() {
     handleCallback();
   }, [authenticationManager]);
 
+  const handleRetry = async () => {
+    setProcessing(true);
+    setError(null);
+    try {
+      const { redirectUrl } = await authenticationManager.initiateAuthentication('/');
+      window.location.href = redirectUrl.toString();
+    } catch (e) {
+      setError(e instanceof Error ? e.message : 'Authentication failed');
+      setProcessing(false);
+    }
+  };
+
   if (processing) {
     return (
       <div className="container mt-4">
@@ -50,9 +62,14 @@ function OAuthCallback() {
       <div className="alert alert-danger">
         <h4>{t('authentication.oauthCallback.authenticationError')}</h4>
         <ErrorDisplay stringError={error} />
-        <Link className="btn btn-primary mt-3" to="/">
-          {t('authentication.oauthCallback.returnToHome')}
-        </Link>
+        <div className="mt-3 d-flex gap-2">
+          <button className="btn btn-primary" onClick={handleRetry}>
+            {t('authentication.oauthCallback.retryLogin')}
+          </button>
+          <Link className="btn btn-outline-secondary" to="/">
+            {t('authentication.oauthCallback.returnToHome')}
+          </Link>
+        </div>
       </div>
     </div>
   );

app/javascript/packs/application.tsx

@@ -58,6 +58,10 @@ const bootstrapPromise: Promise<Bootstrap> = (async () => {
   const client = buildBrowserApolloClient(authenticityTokensManager, authManager);
 
   window.addEventListener(GraphQLNotAuthenticatedErrorEvent.type, async () => {
+    // Don't interrupt an in-progress OAuth exchange on the callback page itself
+    if (window.location.pathname === '/oauth/callback') {
+      return;
+    }
     const { redirectUrl } = await authManager.initiateAuthentication(window.location.href);
     window.location.href = redirectUrl.toString();
   });

locales/en.json

@@ -633,6 +633,7 @@
     "oauthCallback": {
       "authenticationError": "Authentication Error",
       "completingLogin": "Completing login...",
+      "retryLogin": "Try logging in again",
       "returnToHome": "Return to Home"
     },
     "passwordInput": {

locales/es.json

@@ -73,6 +73,7 @@
     "oauthCallback": {
       "authenticationError": "Authentication Error",
       "completingLogin": "Completing login...",
+      "retryLogin": "Try logging in again",
       "returnToHome": "Return to Home"
     },
     "passwordInput": {