Revamp OIDC auth: remove Passport wrapper, add schema-driven settings UI

- Remove Passport.js wrapper from OIDC auth, use openid-client directly
- Add schema-driven OIDC settings UI (OidcSettingsSchema.js drives form rendering)
- Add group mapping with KeyValueEditor (explicit mapping or legacy direct name match)
- Add scopes configuration (authOpenIDScopes)
- Add verified email enforcement option (authOpenIDRequireVerifiedEmail)
- Fix group claim validation rejecting URN-style claims (#4744)
- Add auto-discover endpoint for OIDC provider configuration
- Store oidcIdToken in sessions table instead of cookie
- Add AuthError class for structured error handling in auth flows
- Migration v2.33.0 adds oidcIdToken column and new settings fields

test/server/auth/AuthError.test.js

@@ -0,0 +1,24 @@
+const { expect } = require('chai')
+const AuthError = require('../../../server/auth/AuthError')
+
+describe('AuthError', function () {
+  it('should create error with default statusCode 500', function () {
+    const error = new AuthError('Something went wrong')
+    expect(error.message).to.equal('Something went wrong')
+    expect(error.statusCode).to.equal(500)
+    expect(error.name).to.equal('AuthError')
+    expect(error).to.be.instanceOf(Error)
+  })
+
+  it('should create error with custom statusCode', function () {
+    const error = new AuthError('Unauthorized', 401)
+    expect(error.message).to.equal('Unauthorized')
+    expect(error.statusCode).to.equal(401)
+  })
+
+  it('should have a stack trace', function () {
+    const error = new AuthError('test')
+    expect(error.stack).to.be.a('string')
+    expect(error.stack).to.include('AuthError')
+  })
+})