Do not reveal existance of trusted networks provider (#302)

* Skip welcome page if the only other provider is trusted networks

* Add test

tests/test_hass_auth_provider.py

@@ -194,6 +194,43 @@ async def test_provider_is_trusted_network_host_false_without_trusted_provider(
         assert provider.is_trusted_network_host() is False
 
 
+@pytest.mark.asyncio
+async def test_welcome_redirects_when_only_trusted_networks_and_not_in_trusted_network(
+    hass: HomeAssistant, hass_client
+):
+    """When only trusted_networks is present, welcome should redirect regardless of IP."""
+
+    class TrustedNetworksDenyProvider:
+        def async_validate_access(self, _ip_addr):
+            raise InvalidAuthError("Not in trusted_networks")
+
+    # Simulate that only trusted_networks is registered before OIDC provider setup
+    # pylint: disable=protected-access
+    hass.auth._providers = OrderedDict(
+        [
+            (("trusted_networks", None), TrustedNetworksDenyProvider()),
+        ]
+    )
+    # pylint: enable=protected-access
+
+    # Now setup the OIDC provider which should detect trusted_networks as the only other provider
+    await setup(hass, DEFAULT_CONFIG, True)
+
+    client = await hass_client()
+    encoded_redirect_uri = base64.b64encode(FAKE_REDIR_URL.encode("utf-8")).decode(
+        "utf-8"
+    )
+
+    resp = await client.get(
+        f"/auth/oidc/welcome?redirect_uri={encoded_redirect_uri}",
+        allow_redirects=False,
+    )
+
+    # Should redirect straight to the OIDC redirect endpoint
+    assert resp.status == 302
+    assert resp.headers["Location"].endswith("/auth/oidc/redirect")
+
+
 async def login_user(hass: HomeAssistant, state_id: str):
     """Helper to login a user from the stored OIDC state."""