♻️(backend) explicitly enforce sub field immutability

Add OIDC_USER_SUB_FIELD_IMMUTABLE setting to our config and enforce
it in the user viewset. Previously relied on implicit Django
LaSuite defaults.

Makes the sub mutability constraint explicit and ensures it's enforced
at the application level, critical for provisional users where sub is
assigned on first login.

src/backend/core/external_api/viewsets.py

@@ -98,6 +98,7 @@ class ApplicationViewSet(viewsets.GenericViewSet):
             if (
                 settings.APPLICATION_ALLOW_USER_CREATION
                 and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION
+                and not settings.OIDC_USER_SUB_FIELD_IMMUTABLE
             ):
                 # Create a pending user without sub, but with an email.
                 user = models.User(

src/backend/meet/settings.py

@@ -406,6 +406,10 @@ class Base(Configuration):
         default=False,
         environ_name="OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION",
     )
+    OIDC_USER_SUB_FIELD_IMMUTABLE = values.BooleanValue(
+        default=True,
+        environ_name="OIDC_USER_SUB_FIELD_IMMUTABLE",
+    )
     OIDC_TIMEOUT = values.IntegerValue(
         5, environ_name="OIDC_TIMEOUT", environ_prefix=None
     )