Check with Martin if 404 is a good response, or if apps will crash with null-reference, and we should differentiate with "unserviceable" requests (e.g. getCurrent() for a system user, who does not have a profile - and will never get it by design...)
Analysis
Requests reaching the endpoints in the UsersController need to have a valid bearer token, but there is no form of authorization. Any user can ask for the profile of any other. (Also required is an access token.) We should have at least one test where the caller is a system user to verify this.
The TelemetryHelpers.EnrichFromRequest method needs to be updated so that the telemetry being registered has correct information about the caller.
The "current" endpoint in UserController finds the user id from the ClaimsPrincipal. This can remain as is. Calls with a ClaimsPrincipal without a user id claim will get a 400 response.
Identified tasks
Implement a test of the UsersController GetUserById where the claims principal has a system user claim instead of a user id or org claim.
Update TelemetryHelpers.EnrichFromRequest to support requests performed with a system user. (Logging of caller information.)
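As an added illustration (not code from the Altinn Profile repository): a small caller classifier that the authorization check, the 400 rule for "current" and the telemetry enrichment can share, together with the kind of xunit test the tasks above ask for. The claim type names, the CallerIdentity helper and the sample ids are assumptions.

```csharp
using System.Security.Claims;
using Xunit;

// Claim types are assumptions for this example; substitute the ones the Altinn token actually carries.
public static class AltinnClaimTypes
{
    public const string UserId = "urn:altinn:userid";
    public const string Org = "urn:altinn:org";
    public const string SystemUser = "urn:altinn:systemuser"; // hypothetical claim name
}

public enum CallerKind { Anonymous, User, Org, SystemUser }

public static class CallerIdentity
{
    // Classifies an authenticated principal so that neither authorization checks nor
    // telemetry enrichment assume a user id claim is always present.
    public static (CallerKind Kind, string? Id) Resolve(ClaimsPrincipal principal)
    {
        if (principal.FindFirst(AltinnClaimTypes.UserId)?.Value is { } user) return (CallerKind.User, user);
        if (principal.FindFirst(AltinnClaimTypes.Org)?.Value is { } org) return (CallerKind.Org, org);
        if (principal.FindFirst(AltinnClaimTypes.SystemUser)?.Value is { } sys) return (CallerKind.SystemUser, sys);
        return (CallerKind.Anonymous, null);
    }

    // The rule the issue states for "current": only a principal with a user id claim maps to a
    // profile. A system user or org token fails here, which the endpoint turns into a 400.
    public static bool TryGetProfileUserId(ClaimsPrincipal principal, out int userId)
    {
        userId = 0;
        return Resolve(principal) is (CallerKind.User, string id) && int.TryParse(id, out userId);
    }
}

public class CallerIdentityTests
{
    // Constructed principals: one claim each, marked authenticated via a dummy scheme name.
    private static ClaimsPrincipal PrincipalWith(string type, string value) =>
        new(new ClaimsIdentity(new[] { new Claim(type, value) }, "TestAuth"));

    [Fact]
    public void SystemUser_is_recognised_but_only_a_user_id_claim_maps_to_a_profile()
    {
        var sys = PrincipalWith(AltinnClaimTypes.SystemUser, "00000000-0000-0000-0000-000000000001");
        Assert.Equal(CallerKind.SystemUser, CallerIdentity.Resolve(sys).Kind);
        Assert.False(CallerIdentity.TryGetProfileUserId(sys, out _));
        Assert.True(CallerIdentity.TryGetProfileUserId(PrincipalWith(AltinnClaimTypes.UserId, "1337"), out var id));
        Assert.Equal(1337, id);
    }
}
```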
olebhansen changed the title from "Analyze impact of introducing system users" to "Profile: Analyze impact of introducing system users" on Aug 19, 2024
Take inspiration from Altinn/altinn-storage#501