feat: allow multiple auth sources per user (#500,#477) (#612)

* feat: allow multiple auth sources per user (#500,#477) * only override isAdmin flag if it is provided by the authentication source
2026-01-29 06:36:24 +00:00 · 2026-01-21 22:22:22 +01:00
parent d2fe267be7
commit e0f6c1d04b
44 changed files with 1158 additions and 798 deletions
--- a/internal/app/users/ldap_helper.go
+++ b/internal/app/users/ldap_helper.go
@@ -2,6 +2,7 @@ package users

 import (
 	"fmt"
+	"slices"
 	"strings"
 	"time"

@@ -25,6 +26,8 @@ func convertRawLdapUser(
 		return nil, fmt.Errorf("failed to check admin group: %w", err)
 	}

+	uid := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
+
 	return &domain.User{
 		BaseModel: domain.BaseModel{
 			CreatedBy: domain.CtxSystemLdapSyncer,
@@ -32,18 +35,23 @@ func convertRawLdapUser(
 			CreatedAt: now,
 			UpdatedAt: now,
 		},
-		Identifier:   domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, "")),
-		Email:        strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
-		Source:       domain.UserSourceLdap,
-		ProviderName: providerName,
-		IsAdmin:      isAdmin,
-		Firstname:    internal.MapDefaultString(rawUser, fields.Firstname, ""),
-		Lastname:     internal.MapDefaultString(rawUser, fields.Lastname, ""),
-		Phone:        internal.MapDefaultString(rawUser, fields.Phone, ""),
-		Department:   internal.MapDefaultString(rawUser, fields.Department, ""),
-		Notes:        "",
-		Password:     "",
-		Disabled:     nil,
+		Identifier: uid,
+		Email:      strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
+		IsAdmin:    isAdmin,
+		Authentications: []domain.UserAuthentication{
+			{
+				UserIdentifier: uid,
+				Source:         domain.UserSourceLdap,
+				ProviderName:   providerName,
+			},
+		},
+		Firstname:  internal.MapDefaultString(rawUser, fields.Firstname, ""),
+		Lastname:   internal.MapDefaultString(rawUser, fields.Lastname, ""),
+		Phone:      internal.MapDefaultString(rawUser, fields.Phone, ""),
+		Department: internal.MapDefaultString(rawUser, fields.Department, ""),
+		Notes:      "",
+		Password:   "",
+		Disabled:   nil,
 	}, nil
 }

@@ -72,7 +80,9 @@ func userChangedInLdap(dbUser, ldapUser *domain.User) bool {
 		return true
 	}

-	if dbUser.ProviderName != ldapUser.ProviderName {
+	if !slices.ContainsFunc(dbUser.Authentications, func(authentication domain.UserAuthentication) bool {
+		return authentication.Source == ldapUser.Authentications[0].Source
+	}) {
 		return true
 	}