coder
diff --git a/‎enterprise/coderd/identityprovider/tokens.go
Lines changed: 1 addition & 2 deletions b/‎enterprise/coderd/identityprovider/tokens.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎enterprise/coderd/oauth2.go
Lines changed: 1 addition & 124 deletions b/‎enterprise/coderd/oauth2.go
Lines changed: 1 addition & 124 deletions
@@ -6,7 +6,6 @@ import (
 	"database/sql"
 	"errors"
 	"net/http"
-	"net/url"
 	"time"
 
 	"github.com/google/uuid"
@@ -24,7 +23,7 @@ import (
 	"github.com/coder/coder/v2/cryptorand"
 )
 
-func Tokens(db database.Store, accessURL *url.URL, defaultLifetime time.Duration) http.HandlerFunc {
+func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 	return func(rw http.ResponseWriter, r *http.Request) {
 		// TODO: audit?
 		// TODO: swagger document these form values?
 
@@ -1,26 +1,19 @@
 package coderd
 
 import (
-	"context"
 	"crypto/sha256"
 	"database/sql"
 	"errors"
 	"fmt"
 	"net/http"
-	"net/url"
-	"strings"
 
 	"github.com/google/uuid"
-	"golang.org/x/xerrors"
 
-	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
-	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
-	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
@@ -308,123 +301,7 @@ func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
 // @Success 200 {object} oauth2.Token
 // @Router /login/oauth2/tokens [post]
 func (api *API) postOAuth2ProviderAppToken() http.HandlerFunc {
-	return identityprovider.Tokens(api.Database, api.AccessURL, api.DeploymentValues.SessionDuration.Value())
-}
-
-func (api *API) authorizationCodeGrant(ctx context.Context, app database.OAuth2ProviderApp, clientSecret, code string) (string, error) {
-	// Validate the client secret.
-	secretHash := sha256.Sum256([]byte(clientSecret))
-	secret, err := api.Database.GetOAuth2ProviderAppSecretByAppIDAndSecret(
-		//nolint:gocritic // System needs to validate the client secret.
-		dbauthz.AsSystemRestricted(ctx),
-		database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
-			AppID:        app.ID,
-			HashedSecret: secretHash[:],
-		})
-	if err != nil {
-		return "", err
-	}
-
-	// Validate the authorization code.
-	codeHash := sha256.Sum256([]byte(code))
-	dbCode, err := api.Database.GetOAuth2ProviderAppCodeByAppIDAndSecret(
-		//nolint:gocritic // System needs to validate the code.
-		dbauthz.AsSystemRestricted(ctx),
-		database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
-			AppID:        app.ID,
-			HashedSecret: codeHash[:],
-		})
-	if err != nil {
-		return "", err
-	}
-
-	// Generate a refresh token.
-	// The refresh token is not currently used or exposed though as API keys can
-	// already be refreshed by just using them.
-	// TODO: However, should we implement the refresh grant anyway?
-	// 40 characters matches the length of GitHub's client secrets.
-	rawRefreshToken, err := cryptorand.String(40)
-	if err != nil {
-		return "", err
-	}
-
-	// Generate the API key we will swap for the code.
-	// TODO: We are ignoring scopes for now.
-	// TODO: Should we add a name and only allow one at a time?
-	key, sessionToken, err := apikey.Generate(apikey.CreateParams{
-		UserID:          dbCode.UserID,
-		LoginType:       database.LoginTypeOAuth2ProviderApp,
-		DefaultLifetime: api.DeploymentValues.SessionDuration.Value(),
-	})
-	if err != nil {
-		return "", err
-	}
-
-	// Grab the user roles so we can perform the exchange as the user.
-	//nolint:gocritic // System needs to fetch user roles.
-	roles, err := api.Database.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), dbCode.UserID)
-	if err != nil {
-		return "", err
-	}
-	userSubj := rbac.Subject{
-		ID:     dbCode.UserID.String(),
-		Roles:  rbac.RoleNames(roles.Roles),
-		Groups: roles.Groups,
-		Scope:  rbac.ScopeAll,
-	}
-
-	// Do the actual token exchange in the database.
-	err = api.Database.InTx(func(tx database.Store) error {
-		err = tx.DeleteOAuth2ProviderAppCodeByID(dbauthz.As(ctx, userSubj), dbCode.ID)
-		if err != nil {
-			return xerrors.Errorf("delete oauth2 app code: %w", err)
-		}
-
-		newKey, err := tx.InsertAPIKey(dbauthz.As(ctx, userSubj), key)
-		if err != nil {
-			return xerrors.Errorf("insert oauth2 access token: %w", err)
-		}
-
-		hashed := sha256.Sum256([]byte(rawRefreshToken))
-		_, err = tx.InsertOAuth2ProviderAppToken(
-			dbauthz.As(ctx, userSubj),
-			database.InsertOAuth2ProviderAppTokenParams{
-				ID:           uuid.New(),
-				CreatedAt:    dbtime.Now(),
-				ExpiresAt:    key.ExpiresAt,
-				HashedSecret: hashed[:],
-				AppSecretID:  secret.ID,
-				APIKeyID:     newKey.ID,
-			})
-		if err != nil {
-			return xerrors.Errorf("insert oauth2 refresh token: %w", err)
-		}
-		return nil
-	}, nil)
-	if err != nil {
-		return "", err
-	}
-
-	return sessionToken, nil
-}
-
-// validateRedirectURL validates that the redirectURL is contained in baseURL.
-func validateRedirectURL(baseURL string, redirectURL string) error {
-	base, err := url.Parse(baseURL)
-	if err != nil {
-		return err
-	}
-
-	redirect, err := url.Parse(redirectURL)
-	if err != nil {
-		return err
-	}
-	// It can be a sub-domain or a sub-directory.
-	if (redirect.Host != base.Host && !strings.HasSuffix(redirect.Host, "."+base.Host)) ||
-		!strings.HasPrefix(redirect.Path, base.Path) {
-		return xerrors.New("invalid redirect URL")
-	}
-	return nil
+	return identityprovider.Tokens(api.Database, api.DeploymentValues.SessionDuration.Value())
 }
 
 // @Summary Delete OAuth2 application tokens.