pub fn generate_authorization_code() -> StringExpand description
Generate a raw authorization code: 32 random bytes, base64url-encoded.
Same pattern as sessions::generate_token(). Returns the raw code string
to include in the redirect URI. The caller must hash it before storage.