fix(oauth): correctly remove code_verifier cookie when used

[pbr1111]

Reasoning 💡

Once the pkce code verifier is used, the cookie is cleared but the browser blocks the deletion of this cookie, keeping it in the browser until it expires.

This is because when using the cookie with the useSecureCookies option enabled (https environment), the cookie is prefixed with __Secure-. and it must use the cookies.pkceCodeVerifier.options options to be valid (the secure attribute must be set to true).

Checklist 🧢

• Documentation
• Tests
• Ready to be merged

Affected issues 🎟

[vercel]

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/nextauthjs/next-auth/FUepxM5cSfTStySRwPg2Qco3SbMQ
✅ Preview: https://next-auth-git-fork-pbr1111-fix-pkce-code-verifier-nextauthjs.vercel.app

[codecov-commenter]

Codecov Report

Merging #2325 (1d3b8a6) into main (ac5b4db) will not change coverage.
The diff coverage is 0.00%.

@@          Coverage Diff          @@
##            main   #2325   +/-   ##
=====================================
  Coverage   9.96%   9.96%           
=====================================
  Files         82      82           
  Lines       1395    1395           
  Branches     395     395           
=====================================
  Hits         139     139           
  Misses      1030    1030           
  Partials     226     226           

Impacted Files	Coverage Δ
src/server/lib/oauth/pkce-handler.js	0.00% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ac5b4db...1d3b8a6. Read the comment docs.

[balazsorban44]

Appreciate this PR, good catch! I'll try this out and merge if all is well! 🙏