Add security measures for SSO-only users: block password resets, enforce SSO authentication, and refactor validations for JIT provisioning. (#569)

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>

test/fixtures/oidc_identities.yml

@@ -19,3 +19,14 @@ jakob_google:
     first_name: Jakob
     last_name: Dylan
   last_authenticated_at: <%= 2.days.ago %>
+
+sso_only_identity:
+  user: sso_only
+  provider: openid_connect
+  uid: sso-only-uid-12345
+  info:
+    email: sso-user@example.com
+    name: SSO User
+    first_name: SSO
+    last_name: User
+  last_authenticated_at: <%= 1.day.ago %>

test/fixtures/users.yml

@@ -43,6 +43,17 @@ new_email:
   last_name: User
   email: user@example.com
   unconfirmed_email: new@example.com
-  password_digest: $2a$12$XoNBo/cMCyzpYtvhrPAhsubG21mELX48RAcjSVCRctW8dG8wrDIla 
+  password_digest: $2a$12$XoNBo/cMCyzpYtvhrPAhsubG21mELX48RAcjSVCRctW8dG8wrDIla
   onboarded_at: <%= Time.current %>
+  ai_enabled: true
+
+# SSO-only user: created via JIT provisioning, no local password
+sso_only:
+  family: empty
+  first_name: SSO
+  last_name: User
+  email: sso-user@example.com
+  password_digest: ~
+  role: admin
+  onboarded_at: <%= 1.day.ago %>
   ai_enabled: true