From 199b685f430910910e43476caa9ccec6a441d020 Mon Sep 17 00:00:00 2001
From: Dominik Süß <dominik@suess.wtf>
Date: Tue, 6 Dec 2022 14:15:56 +0100
Subject: [feature] overhaul the oidc system (#961)

* [feature] overhaul the oidc system

this allows for more flexible username handling and prevents account
takeover using old email addresses

* [feature] add migration path for old OIDC users

* [feature] nicer error reporting for users

* [docs] document the new OIDC flow

* [fix] return early on oidc error

* [docs]: add comments on the finalization logic
---
 internal/gtsmodel/user.go | 1 +
 1 file changed, 1 insertion(+)

(limited to 'internal/gtsmodel/user.go')

diff --git a/internal/gtsmodel/user.go b/internal/gtsmodel/user.go
index 0d108253a..94e222aaf 100644
--- a/internal/gtsmodel/user.go
+++ b/internal/gtsmodel/user.go
@@ -56,4 +56,5 @@ type User struct {
 	Approved               *bool        `validate:"-" bun:",nullzero,notnull,default:false"`                             // Has this user been approved by a moderator?
 	ResetPasswordToken     string       `validate:"required_with=ResetPasswordSentAt" bun:",nullzero"`                   // The generated token that the user can use to reset their password
 	ResetPasswordSentAt    time.Time    `validate:"required_with=ResetPasswordToken" bun:"type:timestamptz,nullzero"`    // When did we email the user their reset-password email?
+	ExternalID             string       `validate:"-" bun:",nullzero,unique"`                                            // If the login for the user is managed externally (e.g OIDC), we need to keep a stable reference to the external object (e.g OIDC sub claim)
 }
-- 
cgit v1.2.3