enforce uniqness with username and provider id

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
juanfont · Oct 21, 2024 · a06fd49 · a06fd49
1 parent efa697c
commit a06fd49
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/hscontrol/db/db.go b/hscontrol/db/db.go
@@ -474,6 +474,8 @@ func NewHeadscaleDatabase(
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
 			{
+				// Pick up new user fields used for OIDC and to
+				// populate the user with more interesting information.
 				ID: "202407191627",
 				Migrate: func(tx *gorm.DB) error {
 					err := tx.AutoMigrate(&types.User{})
@@ -485,6 +487,21 @@ func NewHeadscaleDatabase(
 				},
 				Rollback: func(db *gorm.DB) error { return nil },
 			},
+			{
+				// The unique constraint of Name has been dropped
+				// in favour of a unique together of name and
+				// provider identity.
+				ID: "202408181235",
+				Migrate: func(tx *gorm.DB) error {
+					err := tx.AutoMigrate(&types.User{})
+					if err != nil {
+						return err
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
 		},
 	)
 

diff --git a/hscontrol/types/users.go b/hscontrol/types/users.go
@@ -19,11 +19,14 @@ type UserID uint64
 // that contain our machines.
 type User struct {
 	gorm.Model
+	// The index `idx_name_provider_identifier` is to enforce uniqueness
+	// between Name and ProviderIdentifier. This ensures that
+	// you can have multiple usersnames of the same name in OIDC,
+	// but not if you only run with CLI users.
 
 	// Username for the user, is used if email is empty
 	// Should not be used, please use Username().
-	// TODO(kradalby): Figure out how do deal with uniqueness.
-	Name string `gorm:"index"`
+	Name string `gorm:"index,uniqueIndex:idx_name_provider_identifier"`
 
 	// Typically the full name of the user
 	DisplayName string
@@ -35,7 +38,7 @@ type User struct {
 	// Unique identifier of the user from OIDC,
 	// comes from `sub` claim in the OIDC token
 	// and is used to lookup the user.
-	ProviderIdentifier string `gorm:"index"`
+	ProviderIdentifier string `gorm:"index,uniqueIndex:idx_name_provider_identifier"`
 
 	// Provider is the origin of the user account,
 	// same as RegistrationMethod, without authkey.