Fix PKCE code verifier authentication error

Add explicit cookie configuration for PKCE code verifier to resolve
'InvalidCheck: pkceCodeVerifier value could not be parsed' error.

This fixes an issue where OAuth authentication would fail on first attempt
due to NextAuth v5 not having explicit cookie settings for PKCE flow.
The explicit configuration ensures cookies are properly stored and retrieved
during the OAuth callback, preventing authentication failures.

- Add pkceCodeVerifier cookie configuration with proper security settings
- Use dynamic secure flag based on AUTH_URL protocol (HTTP vs HTTPS)
- Set appropriate cookie options (httpOnly, sameSite, path, maxAge)
- Handle undefined AUTH_URL during build time with optional chaining

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

Author: cursoragent

packages/web/src/auth.ts

@@ -158,6 +158,18 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         strategy: "jwt",
     },
     trustHost: true,
+    cookies: {
+        pkceCodeVerifier: {
+            name: "next-auth.pkce.code_verifier",
+            options: {
+                httpOnly: true,
+                sameSite: "lax",
+                path: "/",
+                secure: env.AUTH_URL?.startsWith("https://") ?? false,
+                maxAge: 60 * 15, // 15 minutes
+            },
+        },
+    },
     events: {
         createUser: onCreateUser,
         signIn: async ({ user, account }) => {