Problem

Required external auth (coder_external_auth with optional = false) is only enforced by client-side preflight checks in the CLI and dashboard. Creating a workspace directly through the REST API (POST /api/v2/users/{user}/workspaces) succeeds even when the workspace owner has never authenticated with a required provider. Token injection at job acquisition silently skips missing or invalid tokens, so the build "succeeds" with an empty token and produces a broken workspace.

Fix

Workspace creation now validates the workspace owner's external auth server-side:

• The existing GET /templateversions/{id}/external-auth handler logic is refactored into a reusable templateVersionExternalAuthForUser helper that accepts an explicit user ID. Endpoint behavior is unchanged.
• createWorkspace resolves the exact template version in use (req.TemplateVersionID, falling back to template.ActiveVersionID) and rejects the request with 403 when any non-optional provider is unauthenticated for the owner. The check runs before any workspace row is inserted and before any prebuilt workspace is claimed, and outside any retrying DB transaction (token refresh makes remote OAuth calls and must not be replayed).
• The owner is the subject of the check, not the initiator, because build-time token injection uses the owner's links. Reading another user's links requires a system-restricted context (external auth links are personal data under dbauthz).
• The 403 response carries one validations entry per missing provider (field: "external_auth", detail: <provider-id>), with display names in the human-readable detail (falling back to the provider ID), so API clients can react programmatically and fetch authenticate URLs from the existing preflight endpoint.

Customer-visible behavior (release note worthy)

• Creating a workspace via the API for a user who has not connected required external auth now returns 403 and no workspace is created. This includes admins creating workspaces on behalf of other users and prebuilt workspace claims.
• If a template intentionally supports pre-provisioning workspaces for users who have not authenticated yet, mark the provider optional = true in the template.

Follow-ups (intentionally not in this PR)

• An admin-accessible endpoint to query external auth status for an arbitrary user (today the preflight endpoint only reflects the API key user, so admin-on-behalf-of preflights check the wrong user).
• Enforcement on workspace start/restart/rebuild, which needs re-auth UX support in the CLI and dashboard first.
• Restricted provisioner-side defense-in-depth (fail required-provider injection for user-initiated start builds) to close the window between the API check and job acquisition.

Tests

• New TestCreateWorkspaceExternalAuth in coderd/workspaces_test.go: missing required auth returns 403 with structured validations and no workspace row; owner-vs-initiator (authenticated admin creating for an unauthenticated member is rejected, succeeds after the member authenticates); optional providers do not block; invalid/revoked tokens (via a failing ValidateURL) are treated as unauthenticated; display-name fallback to provider ID.
• TestWorkspaceDeleteSuspendedUser expectations updated: creation now performs one additional token validation.
• Prebuild claim coverage is not included; claims go through createWorkspace and are gated by the same check, but exercising a real claim requires the enterprise prebuilds harness, which is disproportionate for this PR.
• Ran: go test ./coderd -run 'TestCreateWorkspaceExternalAuth|TestTemplateVersionsExternalAuth|TestWorkspaceDeleteSuspendedUser|TestPostWorkspacesByOrganization|TestWorkspace$|TestWorkspacesByUser' (also with -race), go test ./cli -run TestCreateWithGitAuth, make lint/go, make lint/emdash, full pre-commit hooks.

Fixes PLAT-241.