Improve oidc only mode (#474)

## Description of the implemented changes
The changes were:
- [x] Bugfixing
- [x] New Feature
- [ ] Breaking Change
- [x] Refactoring

**OIDC-only mode improvements and UX tweaks (success toasts, unauthenticated redirect).**

## What has been changed?

### OIDC-only mode (new feature)
- **Admin settings:** "Only OIDC sign-in" is an immediate toggle at the top of the OIDC section (no save button). Enabling it also turns off "Allow direct registration". When OIDC-only is on, the registration checkbox is disabled and shows a tooltip (DaisyUI `<.tooltip>`).
- **Backend:** Password sign-in is forbidden via Ash policy (`OidcOnlyActive` check). Password registration is blocked via validation `OidcOnlyBlocksPasswordRegistration`. New plug `OidcOnlySignInRedirect`: when OIDC-only and OIDC are configured, GET `/sign-in` redirects to the OIDC flow; GET `/auth/user/password/sign_in_with_token` is rejected with redirect + flash. `AuthController.success/4` also rejects password sign-in when OIDC-only.
- **Tests:** GlobalSettingsLive (OIDC-only UI), AuthController (redirect and password sign-in rejection), User authentication (register_with_password blocked when OIDC-only).

### UX / behaviour (no new feature flag)
- **Success toasts:** Success flash messages auto-dismiss after 5 seconds via JS hook `FlashAutoDismiss` and optional `auto_clear_ms` on `<.flash>` (used for success in root layout and `flash_group`).
- **Unauthenticated users:** Redirect to sign-in without the "You don't have permission to access this page" flash; that message is only shown to logged-in users who lack access. Logic in `LiveHelpers` and `CheckPagePermission` plug; test updated accordingly.

### Other
- Layouts: comment about unprocessed join-request count no longer uses "TODO" (Credo).
- Gettext: German translation for "Home" (Startseite); POT/PO kept in sync.
- CHANGELOG: Unreleased section updated with the above.

## Definition of Done
### Code Quality
- [x] No new technical depths
- [x] Linting passed
- [x] Documentation is added where needed (module docs, comments where non-obvious)

### Accessibility
- [x] New elements are properly defined with html-tags (labels, aria-label on checkboxes)
- [x] Colour contrast follows WCAG criteria (unchanged)
- [x] Aria labels are added when needed (e.g. oidc-only and registration checkboxes)
- [x] Everything is accessible by keyboard (toggles and buttons unchanged)
- [x] Tab-Order is comprehensible
- [x] All interactive elements have a visible focus (existing patterns)

### Testing
- [x] Tests for new code are written (OIDC-only UI, auth controller, user auth; SMTP config builder and mailer)
- [x] All tests pass
- [ ] axe-core dev tools show no critical or major issues (not re-run for this PR; suggest spot-check on settings and sign-in)

## Additional Notes
- **OIDC-only:** When the `OIDC_ONLY` env var is set, the toggle is read-only and shows "(From OIDC_ONLY)". When OIDC is not configured, the toggle is disabled.
- **Invalidation:** Enabling OIDC-only sets `registration_enabled: false` in one update; disabling OIDC-only only updates `oidc_only` (registration left as-is).
- **Review focus:** Plug order in router (OidcOnlySignInRedirect), policy/validation order in User, and that all OIDC-only paths (form, plug, controller) stay consistent.

Reviewed-on: #474
Co-authored-by: Simon <s.thiessen@local-it.org>
Co-committed-by: Simon <s.thiessen@local-it.org>

lib/mv_web/controllers/auth_controller.ex

@@ -15,8 +15,23 @@ defmodule MvWeb.AuthController do
   use AshAuthentication.Phoenix.Controller
 
   alias Mv.Accounts.User.Errors.PasswordVerificationRequired
+  alias Mv.Config
 
-  def success(conn, activity, user, _token) do
+  def success(conn, {:password, :sign_in} = _activity, user, token) do
+    if Config.oidc_only?() do
+      conn
+      |> put_flash(:error, gettext("Only sign-in via Single Sign-On (SSO) is allowed."))
+      |> redirect(to: sign_in_path_after_oidc_failure())
+    else
+      success_continue(conn, {:password, :sign_in}, user, token)
+    end
+  end
+
+  def success(conn, activity, user, token) do
+    success_continue(conn, activity, user, token)
+  end
+
+  defp success_continue(conn, activity, user, _token) do
     return_to = get_session(conn, :return_to) || ~p"/"
 
     message =
@@ -134,7 +149,7 @@ defmodule MvWeb.AuthController do
       _ ->
         conn
         |> put_flash(:error, gettext("Unable to authenticate with OIDC. Please try again."))
-        |> redirect(to: ~p"/sign-in")
+        |> redirect(to: sign_in_path_after_oidc_failure())
     end
   end
 
@@ -148,7 +163,7 @@ defmodule MvWeb.AuthController do
       :error,
       gettext("The authentication server is currently unavailable. Please try again later.")
     )
-    |> redirect(to: ~p"/sign-in")
+    |> redirect(to: sign_in_path_after_oidc_failure())
   end
 
   # Handle Assent invalid response errors (configuration or malformed responses)
@@ -161,7 +176,7 @@ defmodule MvWeb.AuthController do
       :error,
       gettext("Authentication configuration error. Please contact the administrator.")
     )
-    |> redirect(to: ~p"/sign-in")
+    |> redirect(to: sign_in_path_after_oidc_failure())
   end
 
   # Catch-all clause for any other error types
@@ -171,7 +186,7 @@ defmodule MvWeb.AuthController do
 
     conn
     |> put_flash(:error, gettext("Unable to authenticate with OIDC. Please try again."))
-    |> redirect(to: ~p"/sign-in")
+    |> redirect(to: sign_in_path_after_oidc_failure())
   end
 
   # Handle generic AuthenticationFailed errors
@@ -211,10 +226,14 @@ defmodule MvWeb.AuthController do
 
         conn
         |> put_flash(:error, error_message)
-        |> redirect(to: ~p"/sign-in")
+        |> redirect(to: sign_in_path_after_oidc_failure())
     end
   end
 
+  # Path used when redirecting to sign-in after an OIDC failure. The query param tells
+  # OidcOnlySignInRedirect to show the sign-in page instead of redirecting back to OIDC (avoids loop).
+  defp sign_in_path_after_oidc_failure, do: "/sign-in?oidc_failed=1"
+
   # Extract meaningful error message from Ash errors
   defp extract_meaningful_error_message(errors) do
     # Look for specific error messages in InvalidAttribute errors