refactor(oauth2): apply review feedback to refresh error handling

- use errors.As so wrapped *oauth2.RetrieveError still matches
- early-return on non-invalid_grant errors instead of if/else
- log UserID instead of ExternalID to avoid leaking provider-side
  identifiers (which can be username/email) into INFO logs

Co-Authored-By: Claude (Opus 4.7) <noreply@anthropic.com>

services/auth/source/oauth2/source_sync.go

@@ -5,6 +5,7 @@ package oauth2
 
 import (
 	"context"
+	"errors"
 	"time"
 
 	user_model "code.gitea.io/gitea/models/user"
@@ -49,8 +50,11 @@ func (source *Source) refresh(ctx context.Context, provider goth.Provider, u *us
 
 	token, err := provider.RefreshToken(u.RefreshToken)
 	if err != nil {
-		if retrieveErr, ok := err.(*oauth2.RetrieveError); ok && retrieveErr.ErrorCode == "invalid_grant" {
+		var retrieveErr *oauth2.RetrieveError
-			log.Info("SyncExternalUsers[%s] dropping invalid refresh token for external login %s", source.AuthSource.Name, u.ExternalID)
+		if !errors.As(err, &retrieveErr) || retrieveErr.ErrorCode != "invalid_grant" {
+			return err
+		}
+		log.Info("SyncExternalUsers[%s] dropping invalid refresh token for user %d", source.AuthSource.Name, u.UserID)
 
 		// Refresh tokens can expire or be revoked independently from the
 		// upstream account state. Keep the local user active and only clear
@@ -60,9 +64,6 @@ func (source *Source) refresh(ctx context.Context, provider goth.Provider, u *us
 		u.ExpiresAt = time.Time{}
 
 		return user_model.UpdateExternalUserByExternalID(ctx, u)
-		} else {
-			return err
-		}
 	}
 
 	// Otherwise, update the tokens