From 5a8db837600a0dc8602a43e32f6660515a7f2966 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Fri, 31 Jan 2025 12:34:20 +0100 Subject: [PATCH 1/2] return an error when renaming users from OIDC Signed-off-by: Kristoffer Dalby --- CHANGELOG.md | 2 ++ hscontrol/db/users.go | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a56a1361e..c71f5ad5ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ [#2350](https://github.com/juanfont/headscale/pull/2350) - Print Tailscale version instead of capability versions for outdated nodes [#2391](https://github.com/juanfont/headscale/pull/2391) +- Do not allow renaming of users from OIDC + [#2393](https://github.com/juanfont/headscale/pull/2393) ## 0.24.2 (2025-01-30) diff --git a/hscontrol/db/users.go b/hscontrol/db/users.go index c359174df6..d7f31e5b94 100644 --- a/hscontrol/db/users.go +++ b/hscontrol/db/users.go @@ -81,6 +81,8 @@ func (hsdb *HSDatabase) RenameUser(uid types.UserID, newName string) error { }) } +var ErrCannotChangeOIDCUser = errors.New("cannot edit OIDC user") + // RenameUser renames a User. Returns error if the User does // not exist or if another User exists with the new name. func RenameUser(tx *gorm.DB, uid types.UserID, newName string) error { @@ -94,6 +96,10 @@ func RenameUser(tx *gorm.DB, uid types.UserID, newName string) error { return err } + if oldUser.Provider == util.RegisterMethodOIDC { + return ErrCannotChangeOIDCUser + } + oldUser.Name = newName if err := tx.Save(&oldUser).Error; err != nil { From 89323b517976d8c61987b3e8b9643bdf86e7450e Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Fri, 31 Jan 2025 12:36:35 +0100 Subject: [PATCH 2/2] set minimum hostname length of 2 Signed-off-by: Kristoffer Dalby --- CHANGELOG.md | 2 ++ hscontrol/util/dns.go | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c71f5ad5ad..20777beb57 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
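Review bot: The exported sentinel `ErrCannotChangeOIDCUser` added above `RenameUser` in hscontrol/db/users.go has no doc comment, and the function comment right below it still lists only the not-found and name-collision errors. I would add `// ErrCannotChangeOIDCUser is returned when a rename is attempted on a user whose Provider is OIDC.` and extend the function comment with `// It returns ErrCannotChangeOIDCUser for users registered through OIDC.`. The message "cannot edit OIDC user" is also broader than what this patch enforces, since only renaming is blocked; `errors.New("cannot rename OIDC user")` would match the behaviour. The body of RenameUser continues outside this hunk.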
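Review bot: The OIDC guard placed before `oldUser.Name = newName` ships without a test; the diffstat for this patch touches only CHANGELOG.md and hscontrol/db/users.go. A regression test that stores a user with `Provider` set to `util.RegisterMethodOIDC`, calls RenameUser, and asserts `errors.Is(err, ErrCannotChangeOIDCUser)` together with an unchanged name would pin the behaviour. The comparison is an exact match on `Provider`, so it presumably relies on every OIDC-created row carrying exactly that value; that is worth confirming against the code that creates OIDC users, which is not visible here. A why-comment such as `// OIDC users take their name from the identity provider, so a local rename is refused.` would also help, and note that the function body starts and ends outside the hunk.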
@@ -10,6 +10,8 @@ [#2391](https://github.com/juanfont/headscale/pull/2391) - Do not allow renaming of users from OIDC [#2393](https://github.com/juanfont/headscale/pull/2393) +- Change minimum hostname length to 2 + [#2393](https://github.com/juanfont/headscale/pull/2393) ## 0.24.2 (2025-01-30) diff --git a/hscontrol/util/dns.go b/hscontrol/util/dns.go index c87714d095..54a9452d92 100644 --- a/hscontrol/util/dns.go +++ b/hscontrol/util/dns.go @@ -65,6 +65,11 @@ func ValidateUsername(username string) error { } func CheckForFQDNRules(name string) error { + // Ensure the username meets the minimum length requirement + if len(name) < 2 { + return errors.New("name must be at least 2 characters long") + } + if len(name) > LabelHostnameLength { return fmt.Errorf( "DNS segment must not be over 63 chars. %v doesn't comply with this rule: %w",
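Review bot: The added comment in `CheckForFQDNRules` says "username", but the parameter is `name` and the commit title is about hostnames; `// Reject names shorter than two characters.` would be accurate for every caller. The limit is a bare `2` and the error is built with `errors.New`, while the check right after it uses the named `LabelHostnameLength` and wraps an error with `%w`, so callers cannot match the new failure with `errors.Is`; a named constant next to `LabelHostnameLength` and a wrapped sentinel would keep the two checks consistent. `len(name)` counts bytes, which equals characters only if later rules restrict the name to ASCII (not visible in this hunk). If this function also runs against names that are already stored, one-character names accepted before would now be rejected, so an upgrade note may be warranted. The function body continues past the end of the hunk.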