refactor and docs

test/mv_web/controllers/oidc_integration_test.exs

@@ -175,9 +175,9 @@ defmodule MvWeb.OidcIntegrationTest do
   end
 
   describe "OIDC error and edge case scenarios" do
-    test "OIDC registration with conflicting email and OIDC ID shows error" do
+    test "OIDC registration with conflicting email and OIDC ID shows hard error" do
       # Create user with email and OIDC ID
-      existing_user =
+      _existing_user =
         create_test_user(%{
           email: "conflict@example.com",
           oidc_id: "oidc_conflict_1"
@@ -195,19 +195,24 @@ defmodule MvWeb.OidcIntegrationTest do
           oauth_tokens: %{}
         })
 
-      # Should fail with PasswordVerificationRequired (account conflict)
+      # Should fail with hard error (not PasswordVerificationRequired)
       # This prevents someone with OIDC provider B from taking over an account
       # that's already linked to OIDC provider A
       assert {:error, %Ash.Error.Invalid{errors: errors}} = result
 
-      # Should contain PasswordVerificationRequired error
+      # Should contain error about "already linked to a different OIDC account"
       assert Enum.any?(errors, fn
-               %Mv.Accounts.User.Errors.PasswordVerificationRequired{user_id: user_id} ->
-                 user_id == existing_user.id
+               %Ash.Error.Changes.InvalidAttribute{message: msg} ->
+                 String.contains?(msg, "already linked to a different OIDC account")
 
                _ ->
                  false
              end)
+
+      # Should NOT be PasswordVerificationRequired
+      refute Enum.any?(errors, fn err ->
+               match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
+             end)
     end
 
     test "OIDC registration with missing sub and id should fail" do