loginProvider doesn't check HTTP status before decoding token response

[ewanc26]

Bug

The loginProvider in Bluesky.swift discards the HTTP response status and tries to decode any response body as a TokenResponse.

When a token endpoint returns a 4xx error (e.g., {"error":"invalid_grant"}), it produces a misleading DecodingError: missing key 'access_token' instead of surfacing the actual error.

Affected code:

let (data, _) = try await params.responseProvider(request)
let tokenResponse = try JSONDecoder().decode(TokenResponse.self, from: data)

Fix: Check HTTP status code before decoding, like refreshProvider already does.

Found while integrating OAuthenticator into Inkwell (AT Protocol client for iOS).

[ewanc26]

Workaround for this in Inkwell (AT Protocol iOS client): we intercept the first POST to the token endpoint in a custom urlLoader, pre-flight the token endpoint with a GET to obtain its DPoP-Nonce header, then return a fake HTTP 401 with {"error":"use_dpop_nonce"} and the real nonce in the response header. The library's DPoP layer caches the nonce and retries with the correct proof. The auth code never reaches the server on the first (intercepted) attempt, so no code is burned.

This is necessary because some PDS implementations (eurosky.social) use per-endpoint nonces and burn auth codes on the first DPoP mismatch (returning HTTP 400 instead of 401, which is a PDS spec violation). The proper fix would be to add HTTP status checking to loginProvider like refreshProvider already has.

Full workaround code: https://github.com/ewanc26/inkwell/blob/main/Inkwell/Authentication/LoginStateManager.swift