fix(auth): notify after exchangeCodeForSession lock for SSR #2038

Open
samarth212 wants to merge 5 commits into supabase:master from samarth212:fix/ssr-exchange-code

@samarth212 samarth212 commented Jan 20, 2026

fix(auth): notify after exchangeCodeForSession lock for SSR

🔍 Description

Fix SSR OAuth callback cookie persistence by moving SIGNED_IN notification outside the auth lock in exchangeCodeForSession and adding regression tests.

What changed?

  • Notify SIGNED_IN after exchangeCodeForSession releases the lock, avoiding serverless/SSR timing issues.
  • Remove the deferred setTimeout notification for PKCE exchange.
  • Add tests covering notification timing, error path, and lock-safe callback usage.

Why was this change needed?

SSR/serverless callbacks (e.g. Next.js route handlers using @supabase/ssr) rely on SIGNED_IN to persist cookies before the response returns. Deferring notification caused missing cookies in OAuth flows.

Closes #2037

📸 Screenshots/Examples

N/A

🔄 Breaking changes

  • This PR contains no breaking changes

📋 Checklist

  • I have read the Contributing Guidelines
  • My PR title follows the conventional commit format: <type>(<scope>): <description>
  • I have run npx nx format to ensure consistent code formatting
  • I have added tests for new functionality (if applicable)
  • I have updated documentation (if applicable)

📝 Additional notes

Tests run: npx nx test:auth auth-js

@samarth212 samarth212 requested review from a team as code owners January 20, 2026 20:32
@mandarini mandarini changed the title from "Fix/ssr exchange code" to "fix(auth): notify after exchangeCodeForSession lock for SSR" Jan 22, 2026
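
A minimal model of the timing problem the PR description reports, as an added example that is not code from this PR or from auth-js. `makeClient`, `withLock`, `handleCallback` and the `sb-session` cookie name are hypothetical, the lock is a plain promise chain, and the fixed path is assumed to await listeners once the lock is released.

```javascript
// Constructed model of an auth client; none of these names are auth-js internals.
function makeClient({ deferNotify }) {
  const listeners = [];
  let current = null;
  let lock = Promise.resolve(); // promise chain that serialises auth operations

  const withLock = (fn) => {
    const run = lock.then(fn);
    lock = run.catch(() => {}); // keep the chain usable after a failure
    return run;
  };
  const notify = async (event) => {
    for (const cb of listeners) await cb(event);
  };

  return {
    onAuthStateChange: (cb) => { listeners.push(cb); },
    getSession: () => withLock(async () => current), // takes the same lock
    async exchangeCodeForSession(code) {
      const session = await withLock(async () => {
        current = { access_token: `token-for-${code}` }; // stands in for the token request
        // Deferred variant: the timer fires only after the caller has resumed.
        if (deferNotify) setTimeout(() => notify('SIGNED_IN'), 0);
        return current;
      });
      // Variant that notifies after the lock is released and awaits the listeners.
      if (!deferNotify) await notify('SIGNED_IN');
      return session;
    },
  };
}

// SSR-style callback handler: cookies are fixed at the moment the response is returned.
async function handleCallback(deferNotify) {
  const cookies = {};
  const client = makeClient({ deferNotify });
  client.onAuthStateChange(async (event) => {
    if (event !== 'SIGNED_IN') return;
    const s = await client.getSession(); // lock-safe: the lock is free by now
    cookies['sb-session'] = s.access_token;
  });
  await client.exchangeCodeForSession('constructed-code');
  const sentWithResponse = { ...cookies }; // what the response would carry
  await new Promise((r) => setTimeout(r, 20)); // let any deferred timer fire
  return { sentWithResponse, writtenLater: { ...cookies } };
}
```

With `deferNotify` set, the cookie appears only in `writtenLater`, after the response has already been built; without it, the cookie is present in `sentWithResponse`.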

Development

Successfully merging this pull request may close these issues.

Breaking behavior change: exchangeCodeForSession defers SIGNED_IN event in v2.91.0, impacting OAuth cookie writes in SSR/serverless

2 participants