feat: provide clear errors for missing required envs

test/mv_web/controllers/auth_controller_test.exs

@@ -316,9 +316,11 @@ defmodule MvWeb.AuthControllerTest do
 
         # When OIDC-only is enabled, password sign-in must not succeed (no redirect to sign_in_with_token).
         case result do
-          {:error, {:redirect, %{to: to}}} ->
-            refute to =~ "sign_in_with_token",
-                   "Expected password sign-in to be rejected when OIDC-only, got redirect to: #{to}"
+          {:error, {:redirect, opts}} when is_map(opts) ->
+            to_path = Map.get(opts, :to) || Map.get(opts, "to") || ""
+
+            refute to_path =~ "sign_in_with_token",
+                   "Expected password sign-in to be rejected when OIDC-only, got redirect to: #{to_path}"
 
           _ ->
             # LiveView re-rendered (e.g. with flash error) instead of redirecting to success
@@ -398,8 +400,24 @@ defmodule MvWeb.AuthControllerTest do
 
     test "returns 200 when OIDC-only but OIDC not configured", %{conn: authenticated_conn} do
       {:ok, settings} = Membership.get_settings()
-      original_oidc_only = Map.get(settings, :oidc_only, false)
-      {:ok, _} = Membership.update_settings(settings, %{oidc_only: true})
+
+      prev = %{
+        oidc_only: settings.oidc_only,
+        oidc_client_id: settings.oidc_client_id,
+        oidc_base_url: settings.oidc_base_url,
+        oidc_redirect_uri: settings.oidc_redirect_uri,
+        oidc_client_secret: settings.oidc_client_secret
+      }
+
+      # Set OIDC-only but leave OIDC unconfigured so the plug does not redirect.
+      {:ok, _} =
+        Membership.update_settings(settings, %{
+          oidc_only: true,
+          oidc_client_id: nil,
+          oidc_base_url: nil,
+          oidc_redirect_uri: nil,
+          oidc_client_secret: nil
+        })
 
       try do
         conn = build_unauthenticated_conn(authenticated_conn)
@@ -407,7 +425,7 @@ defmodule MvWeb.AuthControllerTest do
         assert conn.status == 200
       after
         {:ok, s} = Membership.get_settings()
-        Membership.update_settings(s, %{oidc_only: original_oidc_only})
+        Membership.update_settings(s, prev)
       end
     end