feat: add oidc cycle breaker

lib/mv_web/plugs/oidc_only_sign_in_redirect.ex

@@ -2,6 +2,8 @@ defmodule MvWeb.Plugs.OidcOnlySignInRedirect do
   @moduledoc """
   When OIDC-only mode is active:
   - GET /sign-in redirects to the OIDC flow when OIDC is configured (sign-in page skipped).
+  - GET /sign-in?oidc_failed=1 is not redirected, so the sign-in page is shown after an OIDC
+    failure (avoids redirect loop when the provider is down or misconfigured).
   - GET /auth/user/password/sign_in_with_token is rejected (redirect to /sign-in with error)
   so password sign-in cannot complete.
   """
@@ -19,19 +21,29 @@ defmodule MvWeb.Plugs.OidcOnlySignInRedirect do
   end
 
   defp maybe_redirect_sign_in_to_oidc(conn) do
-    if conn.request_path == "/sign-in" and conn.method == "GET" do
-      if Config.oidc_only?() and Config.oidc_configured?() do
-        conn
-        |> redirect(to: "/auth/user/oidc")
-        |> halt()
-      else
-        conn
-      end
-    else
+    if conn.request_path != "/sign-in" or conn.method != "GET" do
       conn
+    else
+      conn = fetch_query_params(conn)
+      maybe_redirect_sign_in_to_oidc_checked(conn)
     end
   end
 
+  defp maybe_redirect_sign_in_to_oidc_checked(conn) do
+    cond do
+      # Show sign-in page when returning from OIDC failure to avoid redirect loop.
+      conn.query_params["oidc_failed"] -> conn
+      Config.oidc_only?() and Config.oidc_configured?() -> redirect_and_halt(conn)
+      true -> conn
+    end
+  end
+
+  defp redirect_and_halt(conn) do
+    conn
+    |> redirect(to: "/auth/user/oidc")
+    |> halt()
+  end
+
   defp maybe_reject_password_token_sign_in(conn) do
     if conn.halted, do: conn, else: reject_password_token_sign_in_if_applicable(conn)
   end