Add security measures for SSO-only users: block password resets, enforce SSO authentication, and refactor validations for JIT provisioning. (#569)

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>

test/controllers/oidc_accounts_controller_test.rb

@@ -191,4 +191,30 @@ class OidcAccountsControllerTest < ActionController::TestCase
     assert_redirected_to new_session_path
     assert_equal "No pending OIDC authentication found", flash[:alert]
   end
+
+  # Security: JIT users should NOT have password_digest set
+  test "JIT user is created without password_digest to prevent chained auth attacks" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    post :create_user
+
+    new_user = User.find_by(email: new_user_auth["email"])
+    assert_not_nil new_user, "User should be created"
+    assert_nil new_user.password_digest, "JIT user should have nil password_digest"
+    assert new_user.sso_only?, "JIT user should be SSO-only"
+  end
+
+  test "JIT user cannot authenticate with local password" do
+    session[:pending_oidc_auth] = new_user_auth
+
+    post :create_user
+
+    new_user = User.find_by(email: new_user_auth["email"])
+
+    # Attempting to authenticate should return nil (no password set)
+    assert_nil User.authenticate_by(
+      email: new_user.email,
+      password: "anypassword"
+    ), "SSO-only user should not authenticate with password"
+  end
 end