play-googleauth

Users with multiple open tabs are all redirected to the same return url

Status: Open · rtyley opened this issue 7 years ago · 0 comments

Steps to reproduce bug

  1. Ensure you have more than 1 Google account - meaning that Google will ask you to choose which Google account to use every time you authenticate.
  2. Go to https://dashboard.ophan.co.uk/ and get the Ophan Heatmap bookmarklet (screenshot).
  3. Log out of https://dashboard.ophan.co.uk/ with the signout button.
  4. In tab A, go to https://dashboard.ophan.co.uk/ - you should be redirected and see a Google "Choose an account to continue to ophan.co.uk" message.
  5. In tab B, go to https://www.theguardian.com/uk and activate the Ophan Heatmap. You should see a "Please log into Ophan to use the heatmap." message (screenshot).
  6. Complete the authentication process (by selecting your guardian.co.uk account) in tab A.

Expected behaviour

Tab A is redirected to https://dashboard.ophan.co.uk/ - which is where the user was trying to go in that tab before the authentication happened.

Actual behaviour

Tab A is redirected to https://dashboard.ophan.co.uk/heatmap/filter-bar?path=/uk&# on completing authentication, and it looks like a mess (screenshot).

Cause

The return url is stored in the Play session:

https://github.com/guardian/play-googleauth/blob/7582a32f38877795fd02157b005b8fee9c5fddd0/module/src/main/scala/com/gu/googleauth/actions.scala#L83-L86

...and is being set with the authentication attempt in Tab A, then overwritten by the authentication attempt in Tab B. When Tab A returns, it unfortunately uses that return url stored by tab B:

https://github.com/guardian/play-googleauth/blob/7582a32f38877795fd02157b005b8fee9c5fddd0/module/src/main/scala/com/gu/googleauth/actions.scala#L197-L201

Proposed Fix

Instead of storing the return url in the Play session, it could be stored in the state of the OAuth authentication request - i.e. in the JWT token introduced with #52.

The return url should probably be encrypted to avoid return urls leaking to Google servers.

rtyley · Feb 20 '18 12:02
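The overwrite described in the issue, and the proposed state-parameter fix, modelled in Python as an added illustration (this is not the module's Scala code). Two tabs each start an auth flow and tab A's callback completes; only the variant that carries the return url in a per-request signed `state` token sends tab A to its own url. `SECRET`, the token layout, the helper names and the tab labels are assumptions; the HMAC-signed token stands in for the JWT and omits the encryption the issue recommends.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secret for this example only; a real app would use its configured key.
SECRET = b"example-only-secret"

# Constructed scenario from the issue: tab A wants the dashboard, tab B the heatmap.
TABS = [("A", "https://dashboard.ophan.co.uk/"),
        ("B", "https://dashboard.ophan.co.uk/heatmap/filter-bar?path=/uk&#")]


def session_flow(tabs):
    """Buggy pattern: one returnUrl slot in the session cookie shared by all tabs.
    Each tab's auth start overwrites the slot; each callback then reads whatever
    is left. Returns {tab: url the tab is redirected to}."""
    session = {}
    for _, url in tabs:
        session["returnUrl"] = url          # every tab writes the same key
    return {name: session["returnUrl"] for name, _ in tabs}


def make_state(return_url):
    """Build a signed state token holding the return url. HMAC-SHA256 stops the
    url from being tampered with in transit; encryption (recommended in the
    issue) is deliberately not shown here."""
    payload = json.dumps({"nonce": secrets.token_hex(8), "returnUrl": return_url})
    body = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def read_state(state):
    """Verify the signature and return the embedded return url, or None if invalid."""
    body, _, sig = state.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["returnUrl"]


def state_flow(tabs):
    """Proposed pattern: each tab's auth request carries its own state token,
    which the provider echoes back to that tab's callback, so nothing is shared."""
    pending = {name: make_state(url) for name, url in tabs}   # per tab, not per session
    return {name: read_state(pending[name]) for name, _ in tabs}
```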