fix: use unique ID for linked accounts (#3441)

- move OAuth-related fields off of api_keys into a new user_links table
- restrict users to single form of login
- process updates to user email/usernames for OIDC
- added a login_type column to users

coderd/database/queries/apikeys.sql

@@ -23,11 +23,7 @@ INSERT INTO
 		expires_at,
 		created_at,
 		updated_at,
-		login_type,
-		oauth_access_token,
-		oauth_refresh_token,
-		oauth_id_token,
-		oauth_expiry
+		login_type
 	)
 VALUES
 	(@id,
@@ -36,7 +32,7 @@ VALUES
 	     WHEN 0 THEN 86400
 		 ELSE @lifetime_seconds::bigint
 	 END
-	 , @hashed_secret, @ip_address, @user_id, @last_used, @expires_at, @created_at, @updated_at, @login_type, @oauth_access_token, @oauth_refresh_token, @oauth_id_token, @oauth_expiry) RETURNING *;
+	 , @hashed_secret, @ip_address, @user_id, @last_used, @expires_at, @created_at, @updated_at, @login_type) RETURNING *;
 
 -- name: UpdateAPIKeyByID :exec
 UPDATE
@@ -44,10 +40,7 @@ UPDATE
 SET
 	last_used = $2,
 	expires_at = $3,
-	ip_address = $4,
-	oauth_access_token = $5,
-	oauth_refresh_token = $6,
-	oauth_expiry = $7
+	ip_address = $4
 WHERE
 	id = $1;
 

coderd/database/queries/user_links.sql

@@ -0,0 +1,46 @@
+-- name: GetUserLinkByLinkedID :one
+SELECT
+	*
+FROM
+	user_links
+WHERE
+	linked_id = $1;
+
+-- name: GetUserLinkByUserIDLoginType :one
+SELECT
+	*
+FROM
+	user_links
+WHERE
+	user_id = $1 AND login_type = $2;
+
+-- name: InsertUserLink :one
+INSERT INTO
+	user_links (
+		user_id,
+		login_type,
+		linked_id,
+		oauth_access_token,
+		oauth_refresh_token,
+		oauth_expiry
+	)
+VALUES
+	( $1, $2, $3, $4, $5, $6 ) RETURNING *;
+
+-- name: UpdateUserLinkedID :one
+UPDATE
+	user_links
+SET
+	linked_id = $1
+WHERE
+	user_id = $2 AND login_type = $3 RETURNING *;
+
+-- name: UpdateUserLink :one
+UPDATE
+	user_links
+SET
+	oauth_access_token = $1,
+	oauth_refresh_token = $2,
+	oauth_expiry = $3
+WHERE
+	user_id = $4 AND login_type = $5 RETURNING *;

coderd/database/queries/users.sql

@@ -37,10 +37,11 @@ INSERT INTO
 		hashed_password,
 		created_at,
 		updated_at,
-		rbac_roles
+		rbac_roles,
+		login_type
 	)
 VALUES
-	($1, $2, $3, $4, $5, $6, $7) RETURNING *;
+	($1, $2, $3, $4, $5, $6, $7, $8) RETURNING *;
 
 -- name: UpdateUserProfile :one
 UPDATE
@@ -54,12 +55,12 @@ WHERE
 
 -- name: UpdateUserRoles :one
 UPDATE
-    users
+	users
 SET
 	-- Remove all duplicates from the roles.
 	rbac_roles = ARRAY(SELECT DISTINCT UNNEST(@granted_roles :: text[]))
 WHERE
- 	id = @id
+	id = @id
 RETURNING *;
 
 -- name: UpdateUserHashedPassword :exec
@@ -122,8 +123,8 @@ WHERE
 	END
 	-- End of filters
 ORDER BY
-    -- Deterministic and consistent ordering of all users, even if they share
-    -- a timestamp. This is to ensure consistent pagination.
+	-- Deterministic and consistent ordering of all users, even if they share
+	-- a timestamp. This is to ensure consistent pagination.
 	(created_at, id) ASC OFFSET @offset_opt
 LIMIT
 	-- A null limit means "no limit", so 0 means return all
@@ -152,10 +153,10 @@ SELECT
 			array_append(users.rbac_roles, 'member'),
 		-- All org_members get the org-member role for their orgs
 			array_append(organization_members.roles, 'organization-member:'||organization_members.organization_id::text)) :: text[]
-	    AS roles
+		AS roles
 FROM
 	users
 LEFT JOIN organization_members
 	ON id = user_id
 WHERE
-    id = @user_id;
+	id = @user_id;