Require email_verified to be explicitly true when enforcement is enabled

Previously the check only rejected email_verified === false, allowing
logins when the claim was missing entirely. Since the admin opted in,
the IdP is expected to provide the claim.

server/auth/OidcAuthStrategy.js

@@ -168,7 +168,7 @@ class OidcAuthStrategy {
       }
 
       // Enforce email_verified check on every login if configured
-      if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified === false) {
+      if (global.ServerSettings.authOpenIDRequireVerifiedEmail && userinfo.email_verified !== true) {
         throw new AuthError('Email is not verified', 401)
       }
 

test/server/auth/OidcAuthStrategy.test.js

@@ -481,14 +481,16 @@ describe('OidcAuthStrategy', function () {
       expect(result).to.equal(user)
     })
 
-    it('should allow login when email_verified is missing and enforcement is on', async function () {
-      // Only reject when explicitly false, not when absent
+    it('should reject login when email_verified is missing and enforcement is on', async function () {
       global.ServerSettings.authOpenIDRequireVerifiedEmail = true
-      const user = makeUser()
-      DatabaseStub.userModel.findUserFromOpenIdUserInfo.resolves(user)
 
-      const result = await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
-      expect(result).to.equal(user)
+      try {
+        await strategy.verifyUser({ id_token: 'tok' }, { sub: 'sub-1', email: 'a@b.com' })
+        expect.fail('should have thrown')
+      } catch (err) {
+        expect(err.message).to.equal('Email is not verified')
+        expect(err.statusCode).to.equal(401)
+      }
     })
 
     it('should auto-register new user when enabled', async function () {