fix(auth): prevent code requests for invalid dashboard users

Refactors the validation logic in `AuthService.initiateEmailSignIn` to
correct a critical security flaw.

Previously, the logic allowed verification codes to be sent to any email
address during a dashboard login attempt, even if the user did not exist
or lacked permissions.

This change restructures the validation into a more explicit `if-else if`
block. It now correctly throws an `UnauthorizedException` if the user is
not found or a `ForbiddenException` if they lack permissions, ensuring
that execution is halted immediately and a code is never sent for an
invalid dashboard login attempt.

Author: fulleni

lib/src/services/auth_service.dart

@@ -75,25 +75,23 @@ class AuthService {
       // For dashboard login, first validate the user exists and has permissions.
       if (isDashboardLogin) {
         final user = await _findUserByEmail(email);
+
+        // For dashboard login, the user must exist AND have permission.
+        // If either condition fails, throw the appropriate exception.
         if (user == null) {
           _log.warning('Dashboard login failed: User $email not found.');
           throw const UnauthorizedException(
             'This email address is not registered for dashboard access.',
           );
-        }
-
-        // Use the PermissionService to check for the specific dashboard login permission.
-        if (!_permissionService.hasPermission(
-          user,
-          Permissions.dashboardLogin,
-        )) {
+        } else if (!_permissionService.hasPermission(user, Permissions.dashboardLogin)) {
           _log.warning(
             'Dashboard login failed: User ${user.id} lacks required permission (${Permissions.dashboardLogin}).',
           );
           throw const ForbiddenException(
             'Your account does not have the required permissions to sign in.',
           );
         }
+
         _log.info('Dashboard user ${user.id} verified successfully.');
       }