
Dashboard: harden GitHub/PayPal social-login OAuth state handling #109877

Draft
heydemoura wants to merge 1 commit into trunk from update/dashboard-social-login-oauth-state-hardening

Conversation

@heydemoura
Contributor

Part of #LIN-XXXX

Proposed Changes

  • Generate and pass OAuth state nonces for Dashboard GitHub and PayPal social-login authorization redirects.
  • Include the returned OAuth state in auth-code exchange requests, and support exchange_token responses before falling back to access_token.
  • Extend social-login API typing to include exchange_token for hardened OAuth exchange handling.

Why are these changes being made?

  • This hardens the OAuth flow against state tampering and aligns Dashboard social-login handling with server-side validation expectations for GitHub and PayPal.

Testing Instructions

  • Go to Dashboard security social logins and start the GitHub and PayPal connect flows.
  • Confirm each provider redirect URL includes a state query parameter.
  • Complete each flow and verify social login connection still succeeds.
  • Simulate a failed nonce fetch (for example, by failing the nonce request) and verify the UI shows an error notice.

Pre-merge Checklist

  • Has the general commit checklist been followed? (PCYsg-hS-p2)
  • Have you written new tests for your changes?
  • Have you tested the feature in Simple (P9HQHe-k8-p2), Atomic (P9HQHe-jW-p2), and self-hosted Jetpack sites (PCYsg-g6b-p2)?
  • Have you checked for TypeScript, React or other console errors?
  • Have you tested accessibility for your changes? Ensure the feature remains usable with various user agents (e.g., browsers), interfaces (e.g., keyboard navigation), and assistive technologies (e.g., screen readers) (PCYsg-S3g-p2).
  • Have you used memoizing on expensive computations? More info in Memoizing with create-selector and Using memoizing selectors and Our Approach to Data
  • Have we added the "[Status] String Freeze" label as soon as any new strings were ready for translation (p4TIVU-5Jq-p2)?
    • For UI changes, have we tested the change in various languages (for example, ES, PT, FR, or DE)? The length of text and words vary significantly between languages.
  • For changes affecting Jetpack: Have we added the "[Status] Needs Privacy Updates" label if this pull request changes what data or activity we track or use (p4TIVU-aUh-p2)?

@heydemoura heydemoura self-assigned this Apr 7, 2026
@matticbot
Contributor

This PR modifies the release build for the following Calypso Apps:

For info about this notification, see here: PCYsg-OT6-p2

  • help-center
  • notifications
  • wpcom-block-editor

To test WordPress.com changes, run install-plugin.sh $pluginSlug update/dashboard-social-login-oauth-state-hardening on your sandbox.
