Address PR review feedback

- Fix comparison operators: Use >= instead of > for maxDepth and maxEncodingLevels
  This correctly blocks URLs when they meet or exceed the threshold
- Replace empty() with ! for enabled check (cleaner intent)
- All tests still pass (312 tests, 926 assertions)

Addresses feedback from @ADmad and @Copilot in PR #752

Author: dereuromark

src/AuthenticationService.php

@@ -503,21 +503,21 @@ protected function validateRedirect(string $redirect): ?string
         $config = $this->getConfig('redirectValidation');
 
         // If validation is disabled, return the URL as-is (backward compatibility)
-        if (empty($config['enabled'])) {
+        if (!$config['enabled']) {
             return $redirect;
         }
 
         $decodedUrl = urldecode($redirect);
 
         // Check for nested redirect parameters
         $redirectCount = substr_count($decodedUrl, 'redirect=');
-        if ($redirectCount > $config['maxDepth']) {
+        if ($redirectCount >= $config['maxDepth']) {
             return null;
         }
 
         // Check for multiple encoding levels (e.g., %25 = percent-encoded %)
         $encodingCount = substr_count($redirect, '%25');
-        if ($encodingCount > $config['maxEncodingLevels']) {
+        if ($encodingCount >= $config['maxEncodingLevels']) {
             return null;
         }