Tags: supabase/auth
feat(custom-oidc): support non-standard discovery URLs (#2573)

## What kind of change does this PR introduce?
Feature

## What is the current behavior?
`discoveryUrl` is only validated during provider creation (admin endpoint)

## What is the new behavior?
use `discoveryUrl` while making the actual OIDC discovery too

## Summary
- Adds `OIDCProviderCache.GetProviderFromURL` so custom OIDC providers can fetch their discovery document from any URL, not just `{issuer}/.well-known/openid-configuration`.
- Custom OIDC providers now always route through this path; the URL is sourced from `CustomOAuthProvider.GetDiscoveryURL()` (which falls back to the standard path when no override is configured).
- Bounds discovery fetches with a 10s HTTP timeout and verifies the document's `issuer` matches the configured one before constructing the provider.
fix(custom-oidc): strip trailing slashes from issuer (#2570)

## What kind of change does this PR introduce?
Bug fix

## Summary
Fixes `GetDiscoveryURL` constructing a malformed URL (e.g. `https://example.com//.well-known/openid-configuration`) when the configured OIDC issuer has a trailing slash.
fix: check session state for admin tokens (#2555)

## What kind of change does this PR introduce?
Bug fix

## What is the current behavior?
Middleware validates the session token has not expired.

## What is the new behavior?
Validates the token has not expired and that the session has not been revoked.

## Additional context
Middleware checks for admin tokens should validate that the session is still live. JWTs may be revoked but stay valid until the expiry time.
fix(Dockerfile): ensure forks exists on fs before make deps (#2567)

Release action is [failing](https://github.com/supabase/auth/actions/runs/27016942895/job/79738663274) due to the Dockerfile calling make deps before the source for the replace directive is set.

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
feat(conf): add JSON config file support (#2540)

Adds two new replace directives to `go.mod` which point to the newly created `internal/forks` directory:

* `github.com/joho/godotenv` => `./internal/forks/godotenv`
* `github.com/kelseyhightower/envconfig` => `./internal/forks/envconfig`

Each one is a clone of the version we use from the public repos with no additional changes made. This may be a repeatable pattern we could use to work around some limitations of older packages and allow reaching into internals to ease migrating away from them.

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
fix(passkeys): enforce AAL checks on passkey registration and deletion (#2565)

If a user has a verified MFA factor enrolled, then enforce AAL2 for passkey registration and deletion.

Note: we explicitly do not gate the passkey update operation since it can only be used to update the `friendly_name` of the passkey.
feat: add -failfast to make test command (#2553)

When builds fail you don't get feedback until all tests finish running. In addition, it is also difficult to find which line failed, even if you know what to search for. Adding -testfail in the Makefile test target causes tests to stop on the first failure.

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>