Fix OAuth session storage - add missing database columns

- Add dpop_authserver_nonce, dpop_pds_nonce, pds_url, authserver_iss columns
- These columns are required by GetSession query but were missing from schema
- Add migrations to create columns on existing tables
- Add debug logging for OAuth flow troubleshooting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

db.go

@@ -111,8 +111,11 @@ CREATE TABLE IF NOT EXISTS oauth_sessions (
 	token_type TEXT NOT NULL DEFAULT 'DPoP',
 	expires_at TIMESTAMP NOT NULL,
 	created_at TIMESTAMP NOT NULL DEFAULT NOW(),
-	dpop_nonce TEXT,
 	dpop_private_jwk TEXT,
+	dpop_authserver_nonce TEXT,
+	dpop_pds_nonce TEXT,
+	pds_url TEXT,
+	authserver_iss TEXT,
 	token_expiry TIMESTAMP
 );
 
@@ -227,6 +230,13 @@ func OpenDatabase(connString string) (*DB, error) {
 	pool.Exec(ctx, "ALTER TABLE oauth_sessions ADD COLUMN IF NOT EXISTS token_expiry TIMESTAMP")
 	// Make access_token nullable (session created before tokens obtained)
 	pool.Exec(ctx, "ALTER TABLE oauth_sessions ALTER COLUMN access_token DROP NOT NULL")
+	// Add missing OAuth session columns
+	pool.Exec(ctx, "ALTER TABLE oauth_sessions ADD COLUMN IF NOT EXISTS dpop_authserver_nonce TEXT")
+	pool.Exec(ctx, "ALTER TABLE oauth_sessions ADD COLUMN IF NOT EXISTS dpop_pds_nonce TEXT")
+	pool.Exec(ctx, "ALTER TABLE oauth_sessions ADD COLUMN IF NOT EXISTS pds_url TEXT")
+	pool.Exec(ctx, "ALTER TABLE oauth_sessions ADD COLUMN IF NOT EXISTS authserver_iss TEXT")
+	// Drop old dpop_nonce column if it exists
+	pool.Exec(ctx, "ALTER TABLE oauth_sessions DROP COLUMN IF EXISTS dpop_nonce")
 
 	// Migration: rename feed columns for consistent terminology
 	// last_crawled_at -> last_checked_at (feed_check = checking feeds for new items)