shopify-api-js
Store state instead of session id in cookie
WHY are these changes introduced?
Currently, when an app calls beginAuth we create a temporary session and store the session id in the cookie that will be passed throughout the OAuth process. In validateAuthCallback, we use the session id from the cookie to retrieve the state value, which we then compare to the state value we received from Shopify as part of the validation.
Fixes https://github.com/Shopify/first-party-library-planning/issues/388
WHAT is this pull request doing?
Rather than creating a temporary session in order to store a session id in a cookie for the OAuth transaction, we can store the state in the cookie instead, which can be compared against the state provided by Shopify in the callback, and then create the session at that point.
Type of change
- [x] Patch: Bug (non-breaking change which fixes an issue)
- [ ] Minor: New feature (non-breaking change which adds functionality)
- [ ] Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)
Checklist
- [x] I have added a changelog entry, prefixed by the type of change noted above
- [x] I have added/updated tests for this change
- [ ] I have documented new APIs/updated the documentation for modified APIs (for public APIs)
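
The flow this pull request describes, sketched as an added example (not code from shopify-api-js or from this pull request): a nonce goes into a signed cookie at the start of OAuth, the callback compares it to the `state` query parameter, and a session is created only when they match. The function names, cookie name, signing scheme and key are assumptions made for illustration.

```javascript
// Added example, not shopify-api-js code: every name below is hypothetical.
const nodeCrypto = require("node:crypto");

const COOKIE_NAME = "oauth_state";         // hypothetical cookie name
const COOKIE_KEY = "constructed-demo-key"; // constructed; a real app loads its own secret

// HMAC over the cookie value so a tampered cookie is detected (assumed scheme).
const sign = (value) =>
  nodeCrypto.createHmac("sha256", COOKIE_KEY).update(value).digest("base64url");

// Constant-time comparison that also tolerates inputs of different lengths.
function safeEqual(a, b) {
  const ha = nodeCrypto.createHash("sha256").update(String(a)).digest();
  const hb = nodeCrypto.createHash("sha256").update(String(b)).digest();
  return nodeCrypto.timingSafeEqual(ha, hb);
}

// Start of OAuth: no session is created. The nonce is placed in a signed,
// short-lived cookie and in the authorization URL's state parameter.
function beginAuthSketch(shop, clientId, redirectUri) {
  const state = nodeCrypto.randomBytes(16).toString("hex");
  const cookie =
    `${COOKIE_NAME}=${state}.${sign(state)}; HttpOnly; Secure; SameSite=Lax; Max-Age=60`;
  const query = new URLSearchParams({ client_id: clientId, redirect_uri: redirectUri, state });
  return { cookie, url: `https://${shop}/admin/oauth/authorize?${query}` };
}

// Callback: verify the cookie, compare its state with the one in the query
// string, and only then create the session.
function validateCallbackSketch(cookieHeader, callbackQuery) {
  const match = new RegExp(`(?:^|;\\s*)${COOKIE_NAME}=([^;]+)`).exec(cookieHeader || "");
  if (!match) return { ok: false, reason: "missing state cookie" };
  const [state, mac] = match[1].split(".");
  if (!mac || !safeEqual(mac, sign(state))) {
    return { ok: false, reason: "bad cookie signature" };
  }
  if (!safeEqual(state, callbackQuery.state ?? "")) {
    return { ok: false, reason: "state mismatch" };
  }
  return { ok: true, session: { id: nodeCrypto.randomUUID(), shop: callbackQuery.shop } };
}
```

`SameSite=Lax` still lets the cookie travel on the top-level redirect back from the authorization server, and the short `Max-Age` limits how long an abandoned OAuth attempt stays valid.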