honor requested auth method instead of silently falling back

Return auth.method_unavailable when a user requests an auth method that is not enabled for their account, rather than silently sending the smtp-link challenge. Also log requested/selected method details in auth.request_access audit entries for easier diagnostics.

server/index.js

@@ -958,6 +958,9 @@ async function handleRequestAccess(req, res, body) {
   }
 
   const selectedMethod = resolveAuthMethodForUser(user, requestedMethod);
+  if (requestedMethod && !selectedMethod) {
+    return sendError(res, 400, "auth.method_unavailable", "Gewaehlte Bestaetigungsart ist fuer dieses Konto nicht verfuegbar");
+  }
   if (!selectedMethod) {
     const token = await issueEmailToken(user.id, user.status === "active" ? "login" : "verify");
     const actionPath = user.status === "active" ? "/login?loginToken=" : "/login?verifyToken=";
@@ -978,7 +981,11 @@ async function handleRequestAccess(req, res, body) {
       message.text,
       message.html
     );
-    await appendAudit("auth.request_access", user, { status: user.status, method: "fallback-mail" });
+    await appendAudit("auth.request_access", user, {
+      status: user.status,
+      requestedMethod: requestedMethod || null,
+      method: "fallback-mail"
+    });
     return sendJson(res, 200, {
       ok: true,
       method: "smtp-link",
@@ -1039,7 +1046,12 @@ async function handleRequestAccess(req, res, body) {
     return sendError(res, 400, "auth.method_invalid", "Unbekannte Bestaetigungsart");
   }
 
-  await appendAudit("auth.request_access", user, { status: user.status });
+  await appendAudit("auth.request_access", user, {
+    status: user.status,
+    requestedMethod: requestedMethod || null,
+    method: selectedMethod.id,
+    challengeType
+  });
   return sendJson(res, 200, {
     ok: true,
     method: selectedMethod.id,