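/**
 * Generate a cryptographically secure OAuth2 `state` string.
 *
 * The value is drawn from the platform CSPRNG (`crypto.getRandomValues`) and
 * returned base64url-encoded without padding, so it is safe to place in a
 * query string unescaped.
 *
 * Generating the value is only half of the CSRF defence: the caller has to
 * store it against the user's session and compare it with the `state`
 * returned on the redirect callback, rejecting the callback on mismatch.
 *
 * @param bytes - Number of random bytes to draw (default 32, i.e. 256 bits).
 *   Short values weaken the token; 16 bytes or more is a sensible floor.
 * @returns The random bytes as an unpadded base64url string.
 * @throws RangeError if `bytes` is not an integer between 1 and 65536.
 */
export function generateOAuthState(bytes: number = 32): string {
  // getRandomValues() refuses requests larger than 65536 bytes.
  const maxBytes = 65536;

  // Without this guard 0 or NaN silently yields an empty state string and a
  // fractional count is truncated, both of which defeat the purpose of the
  // token while looking like success to the caller.
  if (!Number.isInteger(bytes) || bytes < 1 || bytes > maxBytes) {
    throw new RangeError(`bytes must be an integer between 1 and ${maxBytes}`);
  }

  const random = new Uint8Array(bytes);
  crypto.getRandomValues(random);

  // Build the binary string byte by byte; spreading a large array into
  // String.fromCharCode() can exceed the engine's argument limit.
  let binary = '';
  for (let i = 0; i < random.length; i++) {
    binary += String.fromCharCode(random[i]);
  }

  // base64 -> base64url: swap the two non-URL-safe characters, drop padding.
  return btoa(binary)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}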