
fix: return 400 instead of 500 on malformed OIDC callbacks#4906

Open
mvanhorn wants to merge 2 commits into OpenFn:main from mvanhorn:fix/4806-oidc-callback-catchall

Conversation

@mvanhorn


Description

This PR fixes a 500 on malformed SSO callbacks.

GET /authenticate/callback is routed to OidcController.new/2, whose clauses
only match the known param shapes (provider+code+state, state+code,
error+state). A request with no query string, or any unexpected param
combination, matched no clause, so Phoenix raised Phoenix.ActionClauseError
and returned a 500. Bare-URL hits from scanners and crawlers made this a steady
trickle of unhandled exceptions.

Added a catch-all new(conn, _params) clause in
lib/lightning_web/controllers/oidc_controller.ex that returns a plain
400 Bad Request instead of raising.

Closes #4806

Validation steps

  1. Request GET /authenticate/callback with no query string and confirm a 400
    response (previously a 500 with an ActionClauseError).
  2. Request GET /authenticate/callback?foo=bar and confirm a 400 response.
  3. Confirm the valid flows are unchanged: state+code still broadcasts the
    code and error+state still broadcasts the error.

Additional notes for the reviewer

  1. Two controller tests cover the no-params and unexpected-param cases in
    test/lightning_web/controllers/oidc_controller_test.exs. The three valid
    callback clauses are untouched.
  2. This endpoint is part of the unauthenticated SSO callback flow, so there are
    no authorization policies to exercise.

AI Usage

Please disclose whether you've used AI anywhere in this PR (it's cool, we just
want to know!):

  • I have used Claude Code
  • I have used another model
  • I have not used AI

You can read more details in our Responsible AI Policy

Pre-submission checklist

  • I have performed an AI review of my code (we recommend using /review
    with Claude Code)
  • I have implemented and tested all related authorization policies.
    (e.g., :owner, :admin, :editor, :viewer)
  • I have updated the changelog.
  • I have ticked a box in "AI usage" in this PR

AI was used for assistance.
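Added illustration of the pattern this PR describes; it is not the code from this PR or from Lightning. It shows the three known-shape clauses in the order the description lists them, the catch-all as the final clause, and the two controller tests the reviewer notes mention. DemoWeb, Demo.PubSub, the `oidc:<state>` topic and the message tuples are assumed names.

```elixir
defmodule DemoWeb.OidcController do
  # Constructed illustration of the pattern in this PR; not Lightning's controller.
  use Phoenix.Controller

  # Known callback shapes: each clause pattern-matches the params map.
  # Order matters: provider+code+state must precede state+code, since a map
  # carrying all three keys also matches the two-key pattern.
  def new(conn, %{"provider" => provider, "code" => code, "state" => state}) do
    text(conn, "provider=#{provider} code=#{code} state=#{state}")
  end

  def new(conn, %{"state" => state, "code" => code}) do
    # Hand the code to the process waiting on this state (assumed PubSub topic).
    Phoenix.PubSub.broadcast(Demo.PubSub, "oidc:" <> state, {:oidc_code, code})
    text(conn, "ok")
  end

  def new(conn, %{"error" => error, "state" => state}) do
    Phoenix.PubSub.broadcast(Demo.PubSub, "oidc:" <> state, {:oidc_error, error})
    text(conn, "ok")
  end

  # Without this final clause a bare GET /authenticate/callback (or ?foo=bar)
  # matches nothing, Phoenix raises Phoenix.ActionClauseError and the request
  # becomes a 500. Any other params shape is a client error: answer 400.
  def new(conn, _params) do
    send_resp(conn, 400, "Bad Request")
  end
end

defmodule DemoWeb.OidcControllerTest do
  # Assumes the usual generated ConnCase and a router line
  #   get "/authenticate/callback", OidcController, :new
  use DemoWeb.ConnCase, async: true

  test "no query string returns 400 instead of ActionClauseError", %{conn: conn} do
    assert response(get(conn, "/authenticate/callback"), 400) == "Bad Request"
  end

  test "unexpected params return 400", %{conn: conn} do
    assert response(get(conn, "/authenticate/callback", %{"foo" => "bar"}), 400)
  end

  test "state+code still broadcasts the code", %{conn: conn} do
    Phoenix.PubSub.subscribe(Demo.PubSub, "oidc:s1")
    get(conn, "/authenticate/callback", %{"state" => "s1", "code" => "c1"})
    assert_receive {:oidc_code, "c1"}
  end
end
```

The third test passes because ConnTest runs the controller in the test process, so the subscribing process is the one that receives the broadcast.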

mvanhorn added 2 commits June 29, 2026 03:39

The /authenticate/callback action matched only the known param shapes
(provider+code+state, state+code, error+state), so a request with no
query string or an unexpected param combination matched no clause and
Phoenix raised Phoenix.ActionClauseError, returning a 500. Bare-URL hits
from scanners and crawlers turned this into a steady trickle of unhandled
exceptions.

Add a catch-all new/2 clause that returns a plain 400 Bad Request.

Fixes OpenFn#4806

Development

Successfully merging this pull request may close these issues.

/authenticate/callback raises ActionClauseError → 500 on empty or unexpected params