
Persist Wix PKCE verifier per-state in DB and enforce one-time use #490

Open
AJaySi wants to merge 1 commit into main from codex/refactor-authorization-flow-with-durable-storage

Conversation

@AJaySi AJaySi commented May 11, 2026

Motivation

  • Replace in-memory storage of PKCE code_verifier with durable per-state storage to support multi-process deployments and avoid instance-scoped secrets.
  • Ensure the verifier is owned by the initiating user, is single-use, and expires shortly to reduce attack surface.
  • Surface clear errors when a callback arrives with a missing, expired, or already-consumed state so callers can retry cleanly.

Description

  • Added a new wix_oauth_pkce_states table and index and implemented store_pkce_verifier, consume_pkce_verifier, and cleanup_expired_pkce_states in services/integrations/wix_oauth.py to persist verifier + TTL and to atomically consume/invalidate it.
  • Changed WixService.get_authorization_url to return a payload (authorization_url, state, code_verifier) instead of storing the verifier on the service instance and made exchange_code_for_tokens require an explicit code_verifier argument.
  • Updated GET /api/wix/auth/url to require authentication, generate a state when absent, persist the code_verifier for the current user_id with a short TTL, and return only the URL and state to the client.
  • Updated POST /api/wix/auth/callback and GET /api/wix/callback to validate presence of state, look up and consume the verifier scoped to the authenticated user_id, return a clear 400 error for invalid/expired states, and use the consumed verifier for token exchange and subsequent token storage.

Testing

  • Ran python -m py_compile backend/services/wix_service.py backend/services/integrations/wix_oauth.py backend/api/wix_routes.py and it completed successfully.
  • Verified that route code paths now call store_pkce_verifier and consume_pkce_verifier and that callbacks return explicit 400 errors when a state is missing or invalid during local testing of the flow.

Codex Task
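
Added example, not code from this pull request: one way to make the user-scoped, one-time consume described above atomic across processes, shown with SQLite. The function and table names come from the PR description; the column layout, the `open_db` helper, the `now` parameter and the 600-second default TTL are assumptions.

```python
import sqlite3
import time

# Assumed schema: the PR names the table but does not show its columns.
SCHEMA = """
CREATE TABLE IF NOT EXISTS wix_oauth_pkce_states (
    state         TEXT PRIMARY KEY,
    user_id       TEXT NOT NULL,
    code_verifier TEXT NOT NULL,
    expires_at    REAL NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_wix_pkce_expires ON wix_oauth_pkce_states (expires_at);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit; explicit BEGIN below
    conn.executescript(SCHEMA)
    return conn

def store_pkce_verifier(conn, user_id, state, code_verifier, ttl_seconds=600, now=None):
    now = time.time() if now is None else now
    # Plain INSERT: a reused state raises IntegrityError instead of overwriting a verifier.
    conn.execute(
        "INSERT INTO wix_oauth_pkce_states VALUES (?, ?, ?, ?)",
        (state, user_id, code_verifier, now + ttl_seconds),
    )

def consume_pkce_verifier(conn, user_id, state, now=None):
    """Return the verifier once; None if missing, expired, consumed or owned by another user."""
    now = time.time() if now is None else now
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading, so two callbacks cannot both win
    try:
        row = conn.execute(
            "SELECT code_verifier FROM wix_oauth_pkce_states "
            "WHERE state = ? AND user_id = ? AND expires_at > ?",
            (state, user_id, now),
        ).fetchone()
        if row is not None:
            conn.execute("DELETE FROM wix_oauth_pkce_states WHERE state = ?", (state,))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return row[0] if row else None

def cleanup_expired_pkce_states(conn, now=None):
    now = time.time() if now is None else now
    cur = conn.execute("DELETE FROM wix_oauth_pkce_states WHERE expires_at <= ?", (now,))
    return cur.rowcount  # number of expired rows removed
```

A callback handler would map a `None` result to the 400 response the description mentions. A lookup by the wrong user leaves the row in place, so it cannot be used to burn another user's pending state.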
