@mazensakr05

  • Add optional State property to SignInOptions for custom state values
  • Add State property to ProviderAuthState to return state to developer
  • Auto-generate state using GenerateNonce() when not provided by developer
  • Add state parameter to OAuth authorization URL query string
  • Implements CSRF protection per OAuth2 RFC 6749 Section 10.12

This allows developers to:

  1. Provide custom state for server-side CSRF validation
  2. Use auto-generated state for convenience
  3. Store and validate state in OAuth callbacks

Tested with ASP.NET Core application - state parameter now appears in OAuth URLs and is accessible via ProviderAuthState.State property.

Fixes supabase-community/supabase-csharp#222

What kind of change does this PR introduce?

Feature - Adds state parameter support for OAuth CSRF protection


What is the current behavior?

Currently, the SDK only supports PKCE flow for OAuth authentication, which protects against authorization code interception but does NOT protect against CSRF attacks in server-side OAuth flows.

The SignInOptions class lacks a State property, and ProviderAuthState does not return a state value. This makes it impossible for server-side ASP.NET Core applications to implement CSRF protection as recommended by OAuth2 RFC 6749 Section 10.12.

Related issue: supabase-community/supabase-csharp#222


What is the new behavior?

This PR adds support for the OAuth2 state parameter:

Changes Made

  • Added optional State property to SignInOptions
  • Added State property to ProviderAuthState return value
  • Modified Helpers.GetUrlForProvider() to use developer-provided state or auto-generate using GenerateNonce()
  • State parameter is added to OAuth authorization URL query string

Usage Examples

**Server-side with CSRF protection:**

```csharp
// Before redirecting to the provider: mint an unguessable state and bind it
// to the current user's session so the callback can be tied back to it.
var state = Guid.NewGuid().ToString();
HttpContext.Session.SetString("oauth_state", state);

var authState = await client.SignIn(Provider.Google, new SignInOptions
{
    State = state,                   // developer-supplied state is placed in the authorization URL
    FlowType = OAuthFlowType.PKCE,
    RedirectTo = "https://myapp.com/callback"
});

// In the callback: the state echoed back by the provider must equal the one
// stored in this session; anything else is treated as a forged callback.
if (Request.Query["state"] != HttpContext.Session.GetString("oauth_state"))
    throw new Exception("CSRF detected!");
```

**Auto-generated state:**

```csharp
var authState = await client.SignIn(Provider.Google);
var stateToStore = authState.State; // SDK auto-generates the state when none is supplied
```

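As an added example, not code from this PR or from the supabase-csharp SDK: a self-contained C# console program that models the session-bound state check the usage example above sketches, and exercises the cases a callback handler has to reject (missing state, replayed callback, a state minted in another browser's session, an expired login attempt). Assumptions: .NET 6 or later (for RandomNumberGenerator.GetBytes), session storage simulated by a dictionary keyed by the session cookie value in place of ISession, and the names OAuthStateGuard, Issue, Bind and Validate, which are invented here. A state the SDK auto-generates (authState.State in the second snippet above) would be handed to Bind instead of minting one with Issue.

```csharp
// Added example, not part of the PR or of the supabase-csharp SDK.
// Models the server-side state check: mint a state bound to the browser
// session before redirecting, then verify it in the callback. Session
// storage is simulated with a dictionary keyed by the session cookie
// value; in ASP.NET Core this would be ISession. Requires .NET 6 or later
// (RandomNumberGenerator.GetBytes). All type and member names are made up
// for this example.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class OAuthStateGuard
{
    // One pending login per session: the state we put in the authorization
    // URL and the time after which we will no longer accept it.
    private readonly Dictionary<string, (string State, DateTimeOffset Expires)> _pending = new();
    private readonly TimeSpan _lifetime;

    public OAuthStateGuard(TimeSpan lifetime) => _lifetime = lifetime;

    // Mint a fresh, unguessable state (32 CSPRNG bytes, base64url) and bind
    // it to the session. Use this when the application supplies the state.
    public string Issue(string sessionId, DateTimeOffset now)
    {
        var raw = RandomNumberGenerator.GetBytes(32);
        var state = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Bind(sessionId, state, now);
        return state;
    }

    // Bind a state produced elsewhere (e.g. one the SDK auto-generated and
    // returned to the caller) to the session. Replaces any pending login.
    public void Bind(string sessionId, string state, DateTimeOffset now)
        => _pending[sessionId] = (state, now + _lifetime);

    // Callback-side check. Accept only if a state was returned, this session
    // has a login in flight, it has not expired, and the values match. The
    // pending entry is removed before comparing, so a callback URL can be
    // consumed at most once.
    public bool Validate(string sessionId, string returnedState, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(returnedState)) return false;
        if (!_pending.Remove(sessionId, out var pending)) return false;
        if (now > pending.Expires) return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(pending.State),
            Encoding.UTF8.GetBytes(returnedState));
    }
}

public static class Demo
{
    public static void Main()
    {
        var guard = new OAuthStateGuard(TimeSpan.FromMinutes(10));
        var now = DateTimeOffset.UtcNow;

        // Victim's browser (session cookie "sess-victim") starts a Google login;
        // the app places victimState in the authorization URL.
        var victimState = guard.Issue("sess-victim", now);

        // Honest callback: the provider echoes the state bound to this session.
        Report("honest callback", guard.Validate("sess-victim", victimState, now));

        // The same callback URL submitted a second time: the pending entry
        // was already removed by the first call.
        Report("replayed callback", guard.Validate("sess-victim", victimState, now));

        // Login CSRF attempt: the attacker starts a login in THEIR session,
        // captures the callback URL (carrying the attacker's state and code)
        // and gets the victim's browser to open it. The state is not the one
        // bound to the victim's session.
        var attackerState = guard.Issue("sess-attacker", now);
        guard.Issue("sess-victim", now);
        Report("attacker's state in victim's session", guard.Validate("sess-victim", attackerState, now));

        // A callback that carries no state parameter at all.
        guard.Issue("sess-victim", now);
        Report("missing state", guard.Validate("sess-victim", null, now));

        // A login attempt older than the configured lifetime.
        var stale = guard.Issue("sess-victim", now);
        Report("expired state", guard.Validate("sess-victim", stale, now.AddMinutes(11)));
    }

    private static void Report(string scenario, bool accepted)
        => Console.WriteLine($"{scenario,-40} {(accepted ? "accepted" : "rejected")}");
}
```

Run it with `dotnet run` in a console project. The design points worth carrying over to a real ASP.NET Core callback handler: the returned state is compared with the value bound to the caller's own session rather than merely checked for presence, so a callback URL captured in the attacker's session does not validate in the victim's; the pending entry is deleted before the comparison, so the URL cannot be replayed; and the comparison is constant-time.
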
Updated the `SignUpWithEmail` method to support a new `CaptchaToken` property in `SignUpOptions`, enabling captcha verification during sign-up. Removed the `redirect_to` query parameter logic for cleaner implementation.

Added the `CaptchaToken` property to the `SignUpOptions` class. Introduced a new test method, `SignUpUserWithCaptchaToken`, to validate the functionality of signing up with a captcha token.
@mazensakr05 (Author)

I've also added captcha token support (from issue #213) in this PR.

Changes:

  • Added optional CaptchaToken property to SignUpOptions
  • Wired it to the auth API request as captcha_token field
  • Added test coverage
  • Non-breaking, additive change

Both features follow the same pattern (optional parameters for auth flows), so I grouped them together. Let me know if you'd prefer these as separate PRs.

@wiverson (Collaborator)

wiverson commented Jan 7, 2026

FYI there isn't an active maintainer for this repo, suggest reaching out to Supabase support.

Development

Successfully merging this pull request may close these issues.

[Bug] PKCE flow !server-side state param support, violating OAuth2 spec