Fix Bloom Cognito logout UX and auth errors #227

Merged: iamh2o merged 2 commits into main from codex/bloom-cognito-logout-fix on Apr 6, 2026

@iamh2o iamh2o commented Apr 6, 2026

Summary

  • switch Bloom hosted logout to Cognito managed-login semantics using redirect_uri and response_type=code
  • redirect local sign-in and logout misconfiguration failures back to Bloom so the app can show actionable error copy
  • add targeted regression coverage for the logout contract and human-readable auth error handling

Testing

  • source ./activate test >/dev/null && python -m pytest tests/test_cognito_shared_pool_resolution.py tests/test_gui_auth_callback.py -q --no-cov
  • source ./activate test >/dev/null && python -m ruff check auth/cognito/client.py bloom_lims/gui/routes/auth.py tests/test_cognito_shared_pool_resolution.py tests/test_gui_auth_callback.py

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 58729ffb29

Comment on lines +72 to +73
"redirect_uri": self.redirect_uri.rstrip("/"),
"response_type": "code",
P1: Use post-logout URI instead of callback URI

Building the logout URL with redirect_uri=self.redirect_uri and response_type=code sends users into Cognito's managed-login reauthentication path after sign-out, which returns to /auth/callback without a Bloom-initiated state. Bloom's callback flow expects state from /auth/login (see the existing test_auth_callback_get_requires_prior_login_state behavior), and logout clears session state, so users who sign back in from that Cognito page can be bounced with invalid_state instead of completing login. This regresses the normal logout→login loop unless logout redirects back to a true post-logout URL (logout_uri) or a stateful flow is introduced.

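The failure mode described in the review comment above, as an added Python sketch that is not Bloom's code: it builds the two Cognito `/logout` forms and runs a state-checking callback against each. The domain, client id, URLs, session key and all function names are constructed for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration only; none of these come from Bloom.
DOMAIN = "https://auth.example.test"
CLIENT_ID = "example-client-id"
CALLBACK = "https://bloom.example.test/auth/callback"
POST_LOGOUT = "https://bloom.example.test/"
STATE_KEY = "oauth_state"  # hypothetical session key


def _url(path: str, **query: str) -> str:
    return f"{DOMAIN}{path}?{urlencode({'client_id': CLIENT_ID, **query})}"


def begin_login(session: dict) -> str:
    """App-initiated login: bind a fresh state value to the session."""
    session[STATE_KEY] = secrets.token_urlsafe(32)
    return _url("/oauth2/authorize", redirect_uri=CALLBACK,
                response_type="code", state=session[STATE_KEY])


def logout_reauth(session: dict) -> str:
    """Form flagged in the review: Cognito shows its login page after sign-out."""
    session.clear()  # any pending state is gone with the session
    return _url("/logout", redirect_uri=CALLBACK, response_type="code")


def logout_post_logout(session: dict) -> str:
    """Return to an app page; the next login starts at begin_login()."""
    session.clear()
    return _url("/logout", logout_uri=POST_LOGOUT)


def logout_reauth_stateful(session: dict) -> str:
    """Keep the re-authentication form but issue state for the return trip."""
    session.clear()
    session[STATE_KEY] = secrets.token_urlsafe(32)
    return _url("/logout", redirect_uri=CALLBACK, response_type="code",
                state=session[STATE_KEY])


def handle_callback(session: dict, params: dict) -> str:
    """Single-use, constant-time state check, as a login callback would do."""
    expected = session.pop(STATE_KEY, None)
    received = params.get("state", "")
    if not expected or not secrets.compare_digest(expected, received):
        return "invalid_state"
    return "ok"


def callback_params(url: str) -> dict:
    """What the IdP would send to the callback for this request URL."""
    state = parse_qs(urlsplit(url).query).get("state")
    return {"code": "constructed-code", **({"state": state[0]} if state else {})}
```

`callback_params` stands in for the round trip through the identity provider, which echoes back only the `state` it was given.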

@iamh2o iamh2o merged commit 197e8eb into main Apr 6, 2026
5 checks passed
@iamh2o iamh2o deleted the codex/bloom-cognito-logout-fix branch April 6, 2026 10:48