fix: Use OAuth state parameter instead of session for tier

Session was being lost between /stripe/auth and /auth/discord/callback.
Now passes tier through Discord OAuth state parameter which survives
the redirect.

Chronicler #75

services/arbiter-3.0/src/routes/auth.js

@@ -5,15 +5,25 @@ const router = express.Router();
 /**
  * Standard Discord OAuth - redirects to admin after login
  */
-router.get('/discord', passport.authenticate('discord'));
+router.get('/discord', (req, res, next) => {
+  // Check if there's a checkout tier to pass through
+  const tier = req.session.pendingCheckoutTier;
+  
+  passport.authenticate('discord', {
+    state: tier ? `checkout:${tier}` : undefined
+  })(req, res, next);
+});
 
 router.get('/discord/callback', passport.authenticate('discord', {
   failureRedirect: '/'
 }), (req, res) => {
-  // Check if this was a checkout flow (tier stored in session)
-  if (req.session.pendingCheckoutTier) {
-    const tierLevel = req.session.pendingCheckoutTier;
-    delete req.session.pendingCheckoutTier; // Clean up
+  // Check for checkout flow via state parameter
+  const state = req.query.state;
+  
+  if (state && state.startsWith('checkout:')) {
+    const tierLevel = state.replace('checkout:', '');
+    // Clear any session data
+    delete req.session.pendingCheckoutTier;
     
     // Redirect to checkout creation with Discord ID now available
     return res.redirect(`/stripe/checkout?tier=${tierLevel}`);