fix oidc security bug

lib/accounts/user/errors/password_verification_required.ex

@@ -0,0 +1,33 @@
+defmodule Mv.Accounts.User.Errors.PasswordVerificationRequired do
+  @moduledoc """
+  Custom error raised when an OIDC login attempts to use an email that already exists 
+  in the system with a password-only account (no oidc_id set).
+
+  This error indicates that the user must verify their password before the OIDC account
+  can be linked to the existing password account.
+  """
+  use Splode.Error,
+    fields: [:user_id, :oidc_user_info],
+    class: :invalid
+
+  @type t :: %__MODULE__{
+          user_id: String.t(),
+          oidc_user_info: map()
+        }
+
+  @doc """
+  Returns a human-readable error message.
+
+  ## Parameters
+  - error: The error struct containing user_id and oidc_user_info
+  """
+  def message(%{user_id: user_id, oidc_user_info: user_info}) do
+    email = Map.get(user_info, "preferred_username", "unknown")
+    oidc_id = Map.get(user_info, "sub") || Map.get(user_info, "id", "unknown")
+
+    """
+    Password verification required: An account with email '#{email}' already exists (user_id: #{user_id}).
+    To link your OIDC account (oidc_id: #{oidc_id}) to this existing account, please verify your password.
+    """
+  end
+end