fix(#412): enable PKCE, fix docker OIDC default, document @SkipCsrf

- AUTH-003: Add safe empty default for OIDC_REDIRECT_URI in swarm compose
- AUTH-004: Enable PKCE (pkce: true) in genericOAuth config (in prior commit)
- AUTH-005: Document @SkipCsrf() rationale (BetterAuth internal CSRF)

Refs #412

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/auth/auth.controller.ts

@@ -89,6 +89,12 @@ export class AuthController {
    * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
    */
   @All("*")
+  /**
+   * BetterAuth implements CSRF protection internally via Fetch Metadata headers
+   * (Sec-Fetch-Site, Sec-Fetch-Mode) and SameSite=Lax cookies. The @SkipCsrf()
+   * decorator skips the custom CSRF guard to avoid double-protection conflicts.
+   * Reference: https://www.better-auth.com/docs/reference/security
+   */
   @SkipCsrf()
   @Throttle({ strict: { limit: 10, ttl: 60000 } })
   async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {

docker-compose.swarm.portainer.yml

@@ -293,7 +293,7 @@ services:
       OIDC_ISSUER: ${OIDC_ISSUER}
       OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
       OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
-      OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-http://localhost:3001/auth/callback}
+      OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-}
       JWT_SECRET: ${JWT_SECRET:-change-this-to-a-random-secret}
       JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}