feat: add ability for users to convert their password login type to oauth/github login (#8105)

* Currently toggled by experiment flag

---------

Co-authored-by: Bruno Quaresma <bruno@coder.com>

coderd/database/querier_test.go

@@ -441,6 +441,53 @@ func TestUserLastSeenFilter(t *testing.T) {
 	})
 }
 
+func TestUserChangeLoginType(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.SkipNow()
+	}
+
+	sqlDB := testSQLDB(t)
+	err := migrations.Up(sqlDB)
+	require.NoError(t, err)
+	db := database.New(sqlDB)
+	ctx := context.Background()
+
+	alice := dbgen.User(t, db, database.User{
+		LoginType: database.LoginTypePassword,
+	})
+	bob := dbgen.User(t, db, database.User{
+		LoginType: database.LoginTypePassword,
+	})
+	bobExpPass := bob.HashedPassword
+	require.NotEmpty(t, alice.HashedPassword, "hashed password should not start empty")
+	require.NotEmpty(t, bob.HashedPassword, "hashed password should not start empty")
+
+	alice, err = db.UpdateUserLoginType(ctx, database.UpdateUserLoginTypeParams{
+		NewLoginType: database.LoginTypeOIDC,
+		UserID:       alice.ID,
+	})
+	require.NoError(t, err)
+
+	require.Empty(t, alice.HashedPassword, "hashed password should be empty")
+
+	// First check other users are not affected
+	bob, err = db.GetUserByID(ctx, bob.ID)
+	require.NoError(t, err)
+	require.Equal(t, bobExpPass, bob.HashedPassword, "hashed password should not change")
+
+	// Then check password -> password is a noop
+	bob, err = db.UpdateUserLoginType(ctx, database.UpdateUserLoginTypeParams{
+		NewLoginType: database.LoginTypePassword,
+		UserID:       bob.ID,
+	})
+	require.NoError(t, err)
+
+	bob, err = db.GetUserByID(ctx, bob.ID)
+	require.NoError(t, err)
+	require.Equal(t, bobExpPass, bob.HashedPassword, "hashed password should not change")
+}
+
 func requireUsersMatch(t testing.TB, expected []database.User, found []database.GetUsersRow, msg string) {
 	t.Helper()
 	require.ElementsMatch(t, expected, database.ConvertUserRows(found), msg)