simplify findUserByToken in ACL, add missing testcases (#2388)

* update users doc on unique constraints

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* simplify finduser func

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* add initial tests for findUserFromToken

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* add changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Kristoffer Dalby 2025-01-30 10:35:49 +00:00 committed by GitHub
parent 2c279e0a7b
commit 7ba6ad3489
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 340 additions and 23 deletions


@ -29,8 +29,9 @@ type User struct {
// you can have multiple users with the same name in OIDC,
// but not if you only run with CLI users.
// Username for the user, is used if email is empty
// Name (username) for the user, is used if email is empty
// Should not be used, please use Username().
// It is unique if ProviderIdentifier is not set.
Name string
// Typically the full name of the user
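Review bot: The new sentence "It is unique if ProviderIdentifier is not set." on `Name` states a constraint that nothing visible in this hunk enforces: `Name string` carries no struct tag here, so a reader cannot tell whether this is a database index or only a convention. Point the comment at the index or migration that enforces it, and state what is expected when a CLI user and an OIDC user share the same Name, since the context lines above allow duplicate names under OIDC. It would also read better with the uniqueness sentence placed directly after the description line rather than after "Should not be used, please use Username().", which currently separates the two.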
@ -40,9 +41,11 @@ type User struct {
// Should not be used, please use Username().
Email string
// Unique identifier of the user from OIDC,
// comes from `sub` claim in the OIDC token
// and is used to lookup the user.
// ProviderIdentifier is a unique or not set identifier of the
// user from OIDC. It is the combination of `iss`
// and `sub` claim in the OIDC token.
// It is unique if set.
// It is unique together with Name.
ProviderIdentifier sql.NullString
// Provider is the origin of the user account,
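Review bot: The two uniqueness sentences in the new `ProviderIdentifier` comment, "It is unique if set." and "It is unique together with Name.", describe different constraints and can be read as contradicting each other: the first says the identifier alone is unique, the second says only the pair (Name, ProviderIdentifier) is. Since this field is what identifies an OIDC user, please collapse them into one sentence that states exactly which column set is unique and how a NULL `sql.NullString` is treated. The comment also says the value is "the combination of `iss` and `sub`" without giving the format; documenting the exact concatenation would let callers that build the value from a token compare it consistently.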