Better handling of cancelled/failed redirect logins (PP-3961) #137

Open: tdilauro wants to merge 3 commits into main from bugfix/cancelled-failed-redirect-login
@tdilauro
Contributor

Description

Adds cancel-detection and error-recovery to the SAML, OIDC, and Clever auth redirect handlers, preventing infinite redirect loops when a login attempt is cancelled or fails.

When a patron initiates an external auth login, the handler redirects to an identity provider via a hard browser navigation. Previously, returning to the app without completing auth — via browser back, closing a popup, or an IdP-side failure — caused the handler to immediately redirect again, trapping the patron in a loop.

Key changes:

  • Auth-failure loop fix: When an IdP redirects back to a protected page with an error parameter, that error is now passed through to the login handler, which displays it as an error message rather than triggering another redirect.
  • Browser-back cancel detection: sessionStorage flags track the redirect lifecycle. When a user returns to the login page without completing auth, the cancelled message ("Login was cancelled.") is shown with a "Try Again" option rather than immediately re-redirecting.
  • Intentional re-navigation: When a user on the cancel screen navigates back to the sign-in page (e.g. via the header or the "Try Again" option), the flags are cleared and a fresh redirect proceeds normally.

Special cases:

  • Safari bfcache support: Safari restores pages from its back-forward cache without re-running React effects. A special event listener detects this case so that the cancelled message can be displayed correctly.
  • Cancel button: A cancel button has been added to allow the user to manually abort and stop the spinner. This is kind of a catch-all, but I went down that path because of an issue I ran into with my daily driver ARC Browser:
    • Popup overlay support (ARC browser): ARC's "Little Arc" feature opens external URLs as an in-browser overlay, leaving the main page mounted in spinner state with no standard DOM event to detect closure. An explicit "Cancel" button on the spinner lets the patron manually abort.

Motivation and Context

Users attempting to log in via redirect-based authentication -- SAML, OIDC, or Clever -- who cancelled mid-flow or failed to authenticate could become trapped in an infinite redirect loop without an obvious way out.

[Jira PP-3961]

How Has This Been Tested?

  • New unit tests for the improved functionality.
  • Manual testing in Firefox, Helium, Safari, and ARC.
  • All checks pass locally.
  • CI checks pass.

Checklist:

  • I have updated the documentation accordingly.
  • All new and existing tests passed.

@tdilauro tdilauro requested a review from a team May 14, 2026 05:36
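
The redirect lifecycle described in this pull request, sketched as an added example (not code from the pull request or the project). The flag name `authRedirectPending`, the function names, the `error` query parameter, and the fixed message table are assumptions; mapping the IdP's error code to fixed strings keeps URL-supplied text out of the rendered page.

```javascript
// Added example; all names are hypothetical, not from the pull request.
const FLAG = "authRedirectPending"; // assumed sessionStorage key

// Fixed text per OAuth 2.0 / OIDC error code (assumed parameter format).
// The URL's free-text error_description is never echoed to the page.
const MESSAGES = {
  access_denied: "Login was denied by the identity provider.",
  login_required: "The identity provider requires you to sign in again.",
};

// Decide what the login handler does when it mounts.
// storage: sessionStorage-like; search: location.search;
// intentional: the patron chose "Try Again" or the sign-in link.
function decideLoginAction(storage, search, intentional = false) {
  const error = new URLSearchParams(search).get("error");
  if (error !== null) {
    storage.removeItem(FLAG);
    const known = Object.prototype.hasOwnProperty.call(MESSAGES, error);
    return { action: "show-error", message: known ? MESSAGES[error] : "Login failed." };
  }
  if (intentional) storage.removeItem(FLAG);
  if (storage.getItem(FLAG) === "1") {
    // A redirect was started and never completed: do not redirect again.
    return { action: "show-cancelled", message: "Login was cancelled." };
  }
  storage.setItem(FLAG, "1"); // set just before the hard navigation
  return { action: "redirect" };
}

// Called by the callback handler once authentication has succeeded.
function completeLogin(storage) {
  storage.removeItem(FLAG);
}

// bfcache restore: no remount happens, so re-evaluate on pageshow.
function onPageShow(event, storage, search) {
  return event.persisted ? decideLoginAction(storage, search) : null;
}

// Map-backed stand-in for sessionStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}
```

In a browser, `onPageShow` would be wired to the `pageshow` event with `sessionStorage` and `location.search` as arguments.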