fix(15): update oauth routes/tests for async + OIDC session auth

- Add await to all oauth service calls in routes (registerClient, getClient, etc.)
- Rewrite oauth tests to use mocked OIDC session instead of createUser/password
- Test consent-based authorize flow instead of credential-based flow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 21:43:06 +02:00
parent 59e7f4be8a
commit 6be9a2b168
2 changed files with 89 additions and 65 deletions


@@ -117,7 +117,7 @@ oauthRoutes.post("/register", async (c) => {
}
const clientName = body.client_name || "Unknown Client";
const { clientId } = registerClient(db, clientName, body.redirect_uris);
const { clientId } = await registerClient(db, clientName, body.redirect_uris);
return c.json(
{
@@ -152,7 +152,7 @@ oauthRoutes.get("/authorize", async (c) => {
return c.json({ error: "Missing required parameters" }, 400);
}
const client = getClient(db, clientId);
const client = await getClient(db, clientId);
if (!client) {
return c.json({ error: "Unknown client_id" }, 400);
}
@@ -192,7 +192,7 @@ oauthRoutes.post("/authorize", async (c) => {
const codeChallengeMethod = body.code_challenge_method as string;
const state = (body.state as string) ?? "";
const client = getClient(db, clientId);
const client = await getClient(db, clientId);
if (!client) {
return c.json({ error: "Unknown client_id" }, 400);
}
@@ -202,7 +202,7 @@ oauthRoutes.post("/authorize", async (c) => {
return c.json({ error: "redirect_uri not allowed" }, 400);
}
const { code } = createAuthorizationCode(
const { code } = await createAuthorizationCode(
db,
clientId,
codeChallenge,
@@ -225,7 +225,7 @@ oauthRoutes.post("/token", async (c) => {
const grantType = body.grant_type as string;
// Opportunistic cleanup
cleanExpiredOAuthData(db);
await cleanExpiredOAuthData(db);
if (grantType === "authorization_code") {
const code = body.code as string;
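Review bot: A rejected `cleanExpiredOAuthData(db)` now fails every `/token` request, because the call at the top of the handler is awaited with no guard even though the comment above it calls the cleanup opportunistic. To keep it best-effort, catch and log the failure: `try { await cleanExpiredOAuthData(db); } catch (err) { console.warn("oauth cleanup failed", err); }`. Expiry of authorization codes and tokens should be enforced by the exchange itself, not by this sweep having run first. Whether the exchange does so is not visible here, since the handler body continues outside the hunk.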