Our frontend and auth service both need to be taught how to send a random piece of text (i.e., state) through with a login flow, so that redirects back to the front-end can be trusted (i.e., we know we initiated them). The idea is that the browser generates a random string (e.g., using nanoid or something) and stores it in localStorage, then begins the login redirect flow, passing ?state=... on the query string. This value needs to get picked up by our auth service (should work already), and then passed along with the SAML request (we don't do this, but passport-saml supports it), and then we can get it back via our auth's login/callback, and send it back with the token to the browser. The browser would compare it to what it has in storage and either accept that it's what we expect, or reject it (e.g., we didn't initiate this flow, so stop it).
This will require a bit of tinkering in our front-end and back-end, and depends on #1796 and #1843.