Improve oidc only mode (#474)

## Description of the implemented changes
The changes were:
- [x] Bugfixing
- [x] New Feature
- [ ] Breaking Change
- [x] Refactoring

**OIDC-only mode improvements and UX tweaks (success toasts, unauthenticated redirect).**

## What has been changed?

### OIDC-only mode (new feature)
- **Admin settings:** "Only OIDC sign-in" is an immediate toggle at the top of the OIDC section (no save button). Enabling it also turns off "Allow direct registration". When OIDC-only is on, the registration checkbox is disabled and shows a tooltip (DaisyUI `<.tooltip>`).
- **Backend:** Password sign-in is forbidden via Ash policy (`OidcOnlyActive` check). Password registration is blocked via validation `OidcOnlyBlocksPasswordRegistration`. New plug `OidcOnlySignInRedirect`: when OIDC-only and OIDC are configured, GET `/sign-in` redirects to the OIDC flow; GET `/auth/user/password/sign_in_with_token` is rejected with redirect + flash. `AuthController.success/4` also rejects password sign-in when OIDC-only.
- **Tests:** GlobalSettingsLive (OIDC-only UI), AuthController (redirect and password sign-in rejection), User authentication (register_with_password blocked when OIDC-only).

### UX / behaviour (no new feature flag)
- **Success toasts:** Success flash messages auto-dismiss after 5 seconds via JS hook `FlashAutoDismiss` and optional `auto_clear_ms` on `<.flash>` (used for success in root layout and `flash_group`).
- **Unauthenticated users:** Redirect to sign-in without the "You don't have permission to access this page" flash; that message is only shown to logged-in users who lack access. Logic in `LiveHelpers` and `CheckPagePermission` plug; test updated accordingly.

### Other
- Layouts: comment about unprocessed join-request count no longer uses "TODO" (Credo).
- Gettext: German translation for "Home" (Startseite); POT/PO kept in sync.
- CHANGELOG: Unreleased section updated with the above.

## Definition of Done
### Code Quality
- [x] No new technical depths
- [x] Linting passed
- [x] Documentation is added where needed (module docs, comments where non-obvious)

### Accessibility
- [x] New elements are properly defined with html-tags (labels, aria-label on checkboxes)
- [x] Colour contrast follows WCAG criteria (unchanged)
- [x] Aria labels are added when needed (e.g. oidc-only and registration checkboxes)
- [x] Everything is accessible by keyboard (toggles and buttons unchanged)
- [x] Tab-Order is comprehensible
- [x] All interactive elements have a visible focus (existing patterns)

### Testing
- [x] Tests for new code are written (OIDC-only UI, auth controller, user auth; SMTP config builder and mailer)
- [x] All tests pass
- [ ] axe-core dev tools show no critical or major issues (not re-run for this PR; suggest spot-check on settings and sign-in)

## Additional Notes
- **OIDC-only:** When the `OIDC_ONLY` env var is set, the toggle is read-only and shows "(From OIDC_ONLY)". When OIDC is not configured, the toggle is disabled.
- **Invalidation:** Enabling OIDC-only sets `registration_enabled: false` in one update; disabling OIDC-only only updates `oidc_only` (registration left as-is).
- **Review focus:** Plug order in router (OidcOnlySignInRedirect), policy/validation order in User, and that all OIDC-only paths (form, plug, controller) stay consistent.

Reviewed-on: #474
Co-authored-by: Simon <s.thiessen@local-it.org>
Co-committed-by: Simon <s.thiessen@local-it.org>

test/mv_web/live/global_settings_live_test.exs

@@ -110,4 +110,69 @@ defmodule MvWeb.GlobalSettingsLiveTest do
       assert html =~ "SMTP" or html =~ "E-Mail" or html =~ "Settings"
     end
   end
+
+  describe "Authentication section when OIDC-only is enabled" do
+    setup %{conn: conn} do
+      user = create_test_user(%{email: "admin@example.com"})
+      conn = conn_with_oidc_user(conn, user)
+      {:ok, settings} = Membership.get_settings()
+      original_oidc_only = Map.get(settings, :oidc_only, false)
+      {:ok, _} = Membership.update_settings(settings, %{oidc_only: true})
+      {:ok, conn: conn, original_oidc_only: original_oidc_only}
+    end
+
+    @describetag :ui
+    test "registration checkbox is disabled when OIDC-only is enabled", %{
+      conn: conn,
+      original_oidc_only: original
+    } do
+      try do
+        {:ok, view, _html} = live(conn, ~p"/settings")
+        assert has_element?(view, "#registration-enabled-checkbox[disabled]")
+      after
+        {:ok, s} = Membership.get_settings()
+        Membership.update_settings(s, %{oidc_only: original})
+      end
+    end
+
+    @describetag :ui
+    test "OIDC-only hint is visible when OIDC-only is enabled", %{
+      conn: conn,
+      original_oidc_only: original
+    } do
+      try do
+        {:ok, view, _html} = live(conn, ~p"/settings")
+        assert has_element?(view, "[data-testid='oidc-only-registration-hint']")
+      after
+        {:ok, s} = Membership.get_settings()
+        Membership.update_settings(s, %{oidc_only: original})
+      end
+    end
+
+    test "when OIDC-only is disabled, registration checkbox is enabled and can be toggled", %{
+      conn: conn,
+      original_oidc_only: original
+    } do
+      try do
+        {:ok, settings} = Membership.get_settings()
+        Membership.update_settings(settings, %{oidc_only: false})
+
+        {:ok, view, _html} = live(conn, ~p"/settings")
+        refute has_element?(view, "#registration-enabled-checkbox[disabled]")
+
+        initial_checked =
+          view |> element("#registration-enabled-checkbox") |> render() =~ "checked"
+
+        view
+        |> element("#registration-enabled-checkbox")
+        |> render_click()
+
+        new_checked = view |> element("#registration-enabled-checkbox") |> render() =~ "checked"
+        assert new_checked != initial_checked
+      after
+        {:ok, s} = Membership.get_settings()
+        Membership.update_settings(s, %{oidc_only: original})
+      end
+    end
+  end
 end