Fix `/machine/map` endpoint vulnerability (#2642)

* Improve map auth logic

* Bugfix

* Add comment, improve error message

* noise: make func, get by node

this commit splits the additional validation into a
separate function so it can be reused if we add more
endpoints in the future.

It swaps the check, so we still look up by NodeKey, but before
accepting the connection, we validate the known machinekey from
the db against the noise connection.

The reason for this is that when a node logs in or out, the node key
is replaced and it will no longer be possible to look it up, breaking
reauthentication.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>

users: harden, test, and add cleaner of identifier (#2593)

* users: harden, test, and add cleaner of identifier

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* db: migrate badly joined provider identifiers

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

bring back last_seen in database (#2579)

* db: add back last_seen to the database

Fixes #2574

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* integration: ensure last_seen is set

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

app: throw away not found body (#2566)

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

changelog 0.25.1

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

date in changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

update changelog (#2414)

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

update changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

drop versions older than 1.62 (#2405)

Remove routes without a node_id (#2386)

The routes table has a NOT NULL constraint on node_id.

Fixes: #2376