fix: prevent OAuth account pre-hijacking via unverified email linking

[lakhansamani]

Summary

• Security fix: Prevents account pre-hijacking attack where an attacker pre-registers with a victim's email (without verifying), then gains persistent password access after the victim logs in via OAuth.
• When an OAuth login matches an existing unverified account, the unverified account is now deleted and a fresh account is created for the OAuth user — the attacker's password is not preserved.
• When the existing account is verified, behavior is unchanged (OAuth identity is linked normally).
• Added 6 integration tests covering: unverified account replacement, verified account linking, end-to-end attacker login failure, revoked account handling, multi-provider linking, and clean deletion.

Attack scenario (before fix)

1. Attacker signs up with victim@company.com + password, does NOT verify email
2. Victim logs in via Google OAuth (normal behavior)
3. OAuth callback links Google identity to attacker's account, auto-verifies email
4. Attacker logs in with their original password — full account takeover

Test plan

• TestOAuthAccountLinkingPreHijack/unverified_account_should_not_retain_password_after_oauth_signup
• TestOAuthAccountLinkingPreHijack/verified_account_should_link_oauth_identity
• TestOAuthAccountLinkingPreHijack/attacker_cannot_login_after_victim_oauth
• TestOAuthAccountLinkingPreHijack/revoked_unverified_account_should_block_oauth
• TestOAuthAccountLinkingPreHijack/multiple_oauth_providers_link_to_verified_account
• TestOAuthAccountLinkingPreHijack/unverified_account_deletion_is_clean

[lakhansamani]

Resolves: https://github.com/authorizerdev/authorizer/security/advisories/GHSA-29rf-f4vv-pvq6