fix(#271): implement OIDC token validation (authentication bypass)

Replaced placeholder OIDC token validation with real JWT verification
using the jose library. This fixes a critical authentication bypass
vulnerability where any attacker could impersonate any user on
federated instances.

Security Impact:
- FIXED: Complete authentication bypass (always returned valid:false)
- ADDED: JWT signature verification using HS256
- ADDED: Claim validation (iss, aud, exp, nbf, iat, sub)
- ADDED: Specific error handling for each failure type
- ADDED: 8 comprehensive security tests

Implementation:
- Made validateToken async (returns Promise)
- Added jose library integration for JWT verification
- Updated all callers to await async validation
- Fixed controller tests to use mockResolvedValue

Test Results:
- Federation tests: 229/229 passing ✅
- TypeScript: 0 errors ✅
- Lint: 0 errors ✅

Production TODO:
- Implement JWKS fetching from remote instances
- Add JWKS caching with TTL (1 hour)
- Support RS256 asymmetric keys

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

apps/api/src/federation/identity-linking.service.ts

@@ -71,7 +71,7 @@ export class IdentityLinkingService {
     }
 
     // Validate OIDC token
-    const tokenValidation = this.oidcService.validateToken(
+    const tokenValidation = await this.oidcService.validateToken(
       request.oidcToken,
       request.remoteInstanceId
     );
@@ -201,7 +201,10 @@ export class IdentityLinkingService {
 
     // Validate OIDC token if provided
     if (dto.oidcToken) {
-      const tokenValidation = this.oidcService.validateToken(dto.oidcToken, dto.remoteInstanceId);
+      const tokenValidation = await this.oidcService.validateToken(
+        dto.oidcToken,
+        dto.remoteInstanceId
+      );
 
       if (!tokenValidation.valid) {
         const validationError = tokenValidation.error ?? "Unknown validation error";