Re-use challengeString cookie if it is already set

The cause of the login issues appears to be Chrome specifically
re-generating the challenge string when it visits /oauth, causing it to
not match the hash we sent to BaaS.

Website/src/routes/(main)/headerContents.svelte

@@ -33,5 +33,7 @@
 {#if hasValidJwt}
   <Button href="/logout" variant="secondary" data-sveltekit-reload>Log out</Button>
 {:else}
-  <Button href={`/login?originalPage=${$page.url.pathname}`}>Login</Button>
+  <Button href={`/login?originalPage=${$page.url.pathname}`} data-sveltekit-preload-data="off">
+    Login
+  </Button>
 {/if}

Website/src/routes/(main)/login/+page.server.ts

@@ -2,6 +2,7 @@ import { redirect } from '@sveltejs/kit';
 import { Buffer } from 'buffer';
 
 import { PUBLIC_BAAS_CLIENT_ID, PUBLIC_BAAS_URL } from '$env/static/public';
+import Cookies from '$lib/auth/cookies.ts';
 
 import type { PageServerLoad } from './$types';
 
@@ -25,9 +26,16 @@ export const load: PageServerLoad = async ({ cookies, locals, url }) => {
 
   const originalPage = url.searchParams.get('originalPage') ?? '/';
 
-  const challengeStringValue = getChallengeString();
+  // For reasons not fully understood, going back to /oauth can sometimes run this code.
+  // We don't want to overwrite the challenge string if we are about to send it to BaaS, because
+  // that will mean the hashes won't match.
+  let challengeStringValue = cookies.get(Cookies.ChallengeString);
+  if (!challengeStringValue) {
+    challengeStringValue = getChallengeString();
+    cookies.set(Cookies.ChallengeString, challengeStringValue, { path: '/' });
+  }
+
   const challengeStringHash = await getUrlSafeBase64Hash(challengeStringValue);
-  cookies.set('challengeString', challengeStringValue, { path: '/' });
 
   logger.debug(
     { challengeStringValue, challengeStringHash },