fix(auth): use (issuer, name) to check for uniqueness of oidc teams (#2152)

The change introduced in #2150 introduces a bug where a Team would be re-created every time a user logs in, as the check if a team already exists was based on both the unique `oidcID` and the `name`. This PR proposes to only base the check on the ID, as this should be unique.

Co-authored-by: Daniel Herrmann <daniel.herrmann1@gmail.com>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/2152
Reviewed-by: konrad <k@knt.li>
Co-authored-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>
Co-committed-by: waza-ari <daniel.herrmann@makerspace-darmstadt.de>

pkg/models/error.go

@@ -1177,10 +1177,10 @@ func (err ErrTeamDoesNotHaveAccessToProject) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusForbidden, Code: ErrCodeTeamDoesNotHaveAccessToProject, Message: "This team does not have access to the project."}
 }
 
-// ErrOIDCTeamDoesNotExist represents an error where a team with specified name and specified oidcId property does not exist
+// ErrOIDCTeamDoesNotExist represents an error where a team with specified oidcId property does not exist for a given issuer
 type ErrOIDCTeamDoesNotExist struct {
 	OidcID string
-	Name   string
+	Issuer string
 }
 
 // IsErrOIDCTeamDoesNotExist checks if an error is ErrOIDCTeamDoesNotExist.
@@ -1191,7 +1191,7 @@ func IsErrOIDCTeamDoesNotExist(err error) bool {
 
 // ErrTeamDoesNotExist represents an error where a team does not exist
 func (err ErrOIDCTeamDoesNotExist) Error() string {
-	return fmt.Sprintf("No team with that name and valid oidcId could be found. [Team Name: %v] [OidcID : %v] ", err.Name, err.OidcID)
+	return fmt.Sprintf("No team could be found for the given oidcId and issuer. [OIDC ID : %v] [Issuer: %v] ", err.OidcID, err.Issuer)
 }
 
 // ErrCodeTeamDoesNotExist holds the unique world-error code of this error
@@ -1199,7 +1199,7 @@ const ErrCodeOIDCTeamDoesNotExist = 6008
 
 // HTTPError holds the http error description
 func (err ErrOIDCTeamDoesNotExist) HTTPError() web.HTTPError {
-	return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No team with that name and valid oidcId could be found."}
+	return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No team could be found for the given OIDC ID and issuer."}
 }
 
 // ErrOIDCTeamsDoNotExistForUser represents an error where an oidcTeam does not exist for the user

pkg/models/teams.go

@@ -40,6 +40,8 @@ type Team struct {
 	CreatedByID int64  `xorm:"bigint not null INDEX" json:"-"`
 	// The team's oidc id delivered by the oidc provider
 	OidcID string `xorm:"varchar(250) null" maxLength:"250" json:"oidc_id"`
+	// Contains the issuer extracted from the vikunja_groups claim if this team was created through oidc
+	Issuer string `xorm:"text null" json:"-"`
 
 	// The user who created this team.
 	CreatedBy *user.User `xorm:"-" json:"created_by"`
@@ -129,16 +131,16 @@ func GetTeamByID(s *xorm.Session, id int64) (team *Team, err error) {
 	return
 }
 
-// GetTeamByOidcIDAndName gets teams where oidc_id and name match parameters
+// GetTeamByOidcID returns a team matching the given oidc_id
 // For oidc team creation oidcID and Name need to be set
-func GetTeamByOidcIDAndName(s *xorm.Session, oidcID string, teamName string) (*Team, error) {
+func GetTeamByOidcIDAndIssuer(s *xorm.Session, oidcID string, issuer string) (*Team, error) {
 	team := &Team{}
 	has, err := s.
 		Table("teams").
-		Where("oidc_id = ? AND name = ?", oidcID, teamName).
+		Where("oidc_id = ? AND issuer = ?", oidcID, issuer).
 		Get(team)
 	if !has || err != nil {
-		return nil, ErrOIDCTeamDoesNotExist{teamName, oidcID}
+		return nil, ErrOIDCTeamDoesNotExist{issuer, oidcID}
 	}
 	return team, nil
 }