Down for another approach here. The auditor will skip audit log generation if there's not a valid diff. We don't have a proper UUID onAPIKey and anyways, we bail before we actually create the model. I figured generating a garbage UUID was the fastest path forward but admittedly it's kinda gross.

Does this handler handle all authentication paths? What if a user isn't logging with a password?

There's a file calleduserauth.go with all of the other ways to login. This endpoint should probably be in there anyways.

Alright, added auditing for OAuth and OIDC. I am not sure how best to smoke-test locally, but I made sure to update all the auth tests.

I thought it was safe to lift finding the user outside of the transaction and into the callers so we can accessUser.ID in those places. If, in the callers, we don't find a user, we bail early, never enteringoauthLogin.