fix: harden auth flows and align api contracts

internal/api/handler/context_guard_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/gin-gonic/gin"
+	"github.com/user-management-system/internal/auth"
 )
 
 func init() {
@@ -15,7 +16,14 @@ func init() {
 }
 
 func TestSSOHandlerAuthorize_InvalidContextTypes_ReturnsUnauthorized(t *testing.T) {
-	h := &SSOHandler{}
+	h := &SSOHandler{clientsStore: auth.NewDefaultSSOClientsStore()}
+	store := h.clientsStore.(*auth.DefaultSSOClientsStore)
+	store.RegisterClient(&auth.SSOClient{
+		ClientID:     "test-client",
+		ClientSecret: "test-secret",
+		RedirectURIs: []string{"https://example.com/callback"},
+	})
+
 	engine := gin.New()
 	engine.GET("/authorize", func(c *gin.Context) {
 		c.Set("user_id", "not-int64")