feat(@xen-orchestra/rest-api): expose get user and get users

[MelissaFrncJrg]

Description

Short explanation of this PR (feel free to re-use commit message)

Checklist

• Commit
  • Title follows commit conventions
  • Reference the relevant issue (Fixes #007, See xoa-support#42, See https://...)
  • If bug fix, add Introduced by
• Changelog
  • If visible by XOA users, add changelog entry
  • Update "Packages to release" in CHANGELOG.unreleased.md
• PR
  • If UI changes, add screenshots
  • If not finished or not tested, open as Draft

Review process

This 2-passes review process aims to:

• develop skills of junior reviewers
• limit the workload for senior reviewers
• limit the number of unnecessary changes by the author

1. The author creates a PR.
2. Review process:
   1. The author assigns the junior reviewer.
   2. The junior reviewer conducts their review:
      • Resolves their comments if they are addressed.
      • Adds comments if necessary or approves the PR.
   3. The junior reviewer assigns the senior reviewer.
   4. The senior reviewer conducts their review:
      • If there are no unresolved comments on the PR → merge.
      • Otherwise, we continue with 3.
3. The author responds to comments and/or makes corrections, and we go back to 2.

Notes:

1. The author can request a review at any time, even if the PR is still a Draft.
2. In theory, there should not be more than one reviewer at a time.
3. The author should not make any changes:
   • When a reviewer is assigned.
   • Between the junior and senior reviews.

[b-Nollet]

Is this a valid value?

[MathieuRA]

Please update @vates/type#xoUser.
Properties name and pw_hash are optional. Maybe there are other error in the type definition

[MathieuRA]

These methods will return the pw_hash of a user.
I don't think it's a good practice to return the password (even if it's a hash).
@fbeauchamp Are you agree to not return the hashed password? (The JSON-RPC API does not return it)

[fbeauchamp]

I agree, even if it's only a salted hash, it has no value , and only add one more risks (at leats questions by user asking if it's safe)

[MathieuRA]

You need to update the XoUser type in vates/types.
The pw_hash property is optional. Make sure there are no other errors in the XoUser type.

[MathieuRA]

The type is not valid.
Partial<T> means that all properties of T become optional.
We don't want all other props to be optional simply because of pw_hash

[MathieuRA]

Only use Unbrand<T> when documenting an endpoint.
Unbrand is a type that converts Branded<string> to string to make it compatible with OpenAPI.

[MathieuRA]

Avoid to use the as keyword expect if no other solution

[MathieuRA]

IMO, these methods should return sanitized users. This way, every time we call this.getObject/this.getObjects, we will get a sanitized user. The REST API does not need to manage user passwords.

[MathieuRA]

Try to add another user in your example.
You should have the same number of result between userIds and partialUsers.

[MathieuRA]

pw_hash can be undefined. Don't obfuscate the password if no password is defined