refactor: modernize session management and token validation

- Extract bearer token parsing, OIDC config reading, validator
  instantiation, NC provider validation, and user resolution into
  dedicated private methods to reduce cognitive complexity of
  getCurrentUserId()
- Replace the first-match-wins loop with findUniqueTokenMatch(), which
  requires unambiguous validation across all providers: a token accepted
  by more than one (provider, userId) pair is rejected with a warning
- Add countUsers() via a direct COUNT(*) query instead of fetching all
  UIDs into memory
- Introduce SESSION_USER_DATA, SESSION_PASSWORD_CONFIRM, and
  PASSWORD_CONFIRM_TTL constants to avoid magic strings/numbers
- Use ITimeFactory for the password-confirm session timestamp
- Fix first-login setup: move getUserFolder() inside the try/catch so a
  NotFoundException from storage setup no longer aborts login
- Keep $existingUser null when a user is freshly created via getOrCreate()
  so provisionUser() is not passed the wrong identity when UNIQUE_UID or
  PROVIDER_BASED_ID cause the stored ID to differ from the token sub
- Add doc blocks to all new private methods, with extended descriptions
  for methods that change observable backend behaviour

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: solracsf

lib/Db/UserMapper.php

@@ -169,4 +169,22 @@ public function getOrCreate(int $providerId, string $sub, bool $id4me = false):
 		$user->setUserId($userId);
 		return $this->insert($user);
 	}
+
+	/**
+	 * Count the total number of users provisioned by the OIDC backend.
+	 *
+	 * @return int the number of rows in the user_oidc table
+	 */
+	public function countUsers(): int {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->selectAlias($qb->func()->count('*'), 'user_count')
+			->from($this->getTableName());
+
+		$result = $qb->executeQuery();
+		$count = $result->fetchOne();
+		$result->closeCursor();
+
+		return (int)$count;
+	}
 }