feat: link identities by token

[johndpope]

What kind of change does this PR introduce?

This implementation allows linking identities using ID tokens. Here's what it provides:

A new endpoint for linking identities using ID tokens
Support for various OIDC providers (Google, Apple, etc.)
Proper validation of ID tokens including audience and nonce checks
Transaction handling for safe database updates
Audit logging of identity linking
Error handling consistent with the existing codebase

UPDATE

tests - for apple (TODO - extend to a few more google / facebook - help wanted)

User creation with email identity
Session and access token generation
Mocking of Apple ID tokens
Identity linking verification
Error case handling
Metadata verification

What is the current behavior?

#313

What is the new behavior?

client implementation

const linkIdentityWithIdToken = async (idToken: string, provider: string) => {
  const response = await fetch('/user/identities/link_token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${accessToken}`
    },
    body: JSON.stringify({
      id_token: idToken,
      provider: provider
    })
  })
  return response.json()
}

example

import * as AppleAuthentication from 'expo-apple-authentication'

// Link Apple identity to existing user
const linkAppleIdentity = async () => {
  try {
    const credential = await AppleAuthentication.signInAsync({
      requestedScopes: [
        AppleAuthentication.AppleAuthenticationScope.FULL_NAME,
        AppleAuthentication.AppleAuthenticationScope.EMAIL,
      ],
    })
    
    const { user, error } = await linkIdentityWithIdToken(
      credential.identityToken,
      'apple'
    )
    
    if (error) throw error
    return user
  } catch (error) {
    console.error('Error linking Apple identity:', error)
    throw error
  }
}