coder
diff --git a/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 4 additions & 6 deletions b/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 4 additions & 6 deletions
diff --git a/‎enterprise/coderd/identityprovider/secrets.go
Lines changed: 69 additions & 0 deletions b/‎enterprise/coderd/identityprovider/secrets.go
Lines changed: 69 additions & 0 deletions
diff --git a/‎enterprise/coderd/identityprovider/tokens.go
Lines changed: 48 additions & 40 deletions b/‎enterprise/coderd/identityprovider/tokens.go
Lines changed: 48 additions & 40 deletions
diff --git a/‎enterprise/coderd/oauth2.go
Lines changed: 9 additions & 11 deletions b/‎enterprise/coderd/oauth2.go
Lines changed: 9 additions & 11 deletions
@@ -15,7 +15,6 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 )
 
 type authorizeParams struct {
@@ -80,15 +79,13 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 		}
 
 		// TODO: Ignoring scope for now, but should look into implementing.
-		// 40 characters matches the length of GitHub's client secrets.
-		rawCode, err := cryptorand.String(40)
+		code, err := GenerateSecret()
 		if err != nil {
 			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
 				Message: "Failed to generate OAuth2 app authorization code.",
 			})
 			return
 		}
-		hashedCode := Hash(rawCode, app.ID)
 		err = db.InTx(func(tx database.Store) error {
 			// Delete any previous codes.
 			err = tx.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams{
@@ -105,7 +102,8 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 				CreatedAt: dbtime.Now(),
 				// TODO: Configurable expiration?  Ten minutes matches GitHub.
 				ExpiresAt:    dbtime.Now().Add(time.Duration(10) * time.Minute),
-				HashedSecret: hashedCode[:],
+				SecretPrefix: []byte(code.Prefix),
+				HashedSecret: []byte(code.Hashed),
 				AppID:        app.ID,
 				UserID:       apiKey.UserID,
 			})
@@ -124,7 +122,7 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 		}
 
 		newQuery := params.redirectURL.Query()
-		newQuery.Add("code", rawCode)
+		newQuery.Add("code", code.Formatted)
 		newQuery.Add("state", params.state)
 		params.redirectURL.RawQuery = newQuery.Encode()
 
 
@@ -0,0 +1,69 @@
+package identityprovider
+
+import (
+	"fmt"
+	"strings"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/userpassword"
+	"github.com/coder/coder/v2/cryptorand"
+)
+
+type OAuth2ProviderAppSecret struct {
+	Formatted string
+	Prefix    string
+	Hashed    string
+}
+
+// GenerateSecret generates a secret to be used as a client secret, refresh
+// token, or authorization code.
+func GenerateSecret() (OAuth2ProviderAppSecret, error) {
+	// 40 characters matches the length of GitHub's client secrets.
+	secret, err := cryptorand.String(40)
+	if err != nil {
+		return OAuth2ProviderAppSecret{}, err
+	}
+
+	// This ID is prefixed to the secret so it can be used to look up the secret
+	// when the user provides it, since we cannot just re-hash it to match as we
+	// will not have the salt.
+	prefix, err := cryptorand.String(10)
+	if err != nil {
+		return OAuth2ProviderAppSecret{}, err
+	}
+
+	hashed, err := userpassword.Hash(secret)
+	if err != nil {
+		return OAuth2ProviderAppSecret{}, err
+	}
+
+	return OAuth2ProviderAppSecret{
+		Formatted: fmt.Sprintf("coder_%s_%s", prefix, secret),
+		Prefix:    prefix,
+		Hashed:    hashed,
+	}, nil
+}
+
+type parsedSecret struct {
+	prefix string
+	secret string
+}
+
+// parseSecret extracts the ID and original secret from a secret.
+func parseSecret(secret string) (parsedSecret, error) {
+	parts := strings.Split(secret, "_")
+	if len(parts) != 3 {
+		return parsedSecret{}, xerrors.Errorf("incorrect number of parts: %d", len(parts))
+	}
+	if parts[0] != "coder" {
+		return parsedSecret{}, xerrors.Errorf("incorrect scheme: %s", parts[0])
+	}
+	if len(parts[1]) == 0 {
+		return parsedSecret{}, xerrors.Errorf("prefix is invalid")
+	}
+	if len(parts[2]) == 0 {
+		return parsedSecret{}, xerrors.Errorf("invalid")
+	}
+	return parsedSecret{parts[1], parts[2]}, nil
+}
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"golang.org/x/crypto/argon2"
 	"golang.org/x/oauth2"
 	"golang.org/x/xerrors"
 
@@ -21,10 +20,16 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 )
 
+// errBadSecret means the user provided a bad secret.
+var errBadSecret = xerrors.New("Invalid client secret")
+
+// errBadCode means the user provided a bad code.
+var errBadCode = xerrors.New("Invalid code")
+
 type tokenParams struct {
 	clientID     string
 	clientSecret string
@@ -86,12 +91,12 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 		switch params.grantType {
 		// TODO: Client creds, device code, refresh.
 		default:
-			token, err = authorizationCodeGrant(ctx, db, app, defaultLifetime, params.clientSecret, params.code)
+			token, err = authorizationCodeGrant(ctx, db, app, defaultLifetime, params)
 		}
 
-		if err != nil && errors.Is(err, sql.ErrNoRows) {
+		if errors.Is(err, errBadCode) || errors.Is(err, errBadSecret) {
 			httpapi.Write(r.Context(), rw, http.StatusUnauthorized, codersdk.Response{
-				Message: "Invalid client secret or code",
+				Message: err.Error(),
 			})
 			return
 		}
@@ -109,47 +114,59 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 	}
 }
 
-func authorizationCodeGrant(ctx context.Context, db database.Store, app database.OAuth2ProviderApp, defaultLifetime time.Duration, clientSecret, code string) (oauth2.Token, error) {
+func authorizationCodeGrant(ctx context.Context, db database.Store, app database.OAuth2ProviderApp, defaultLifetime time.Duration, params tokenParams) (oauth2.Token, error) {
 	// Validate the client secret.
-	secretHash := Hash(clientSecret, app.ID)
-	secret, err := db.GetOAuth2ProviderAppSecretByAppIDAndSecret(
-		//nolint:gocritic // Users cannot read secrets so we must use the system.
-		dbauthz.AsSystemRestricted(ctx),
-		database.GetOAuth2ProviderAppSecretByAppIDAndSecretParams{
-			AppID:        app.ID,
-			HashedSecret: secretHash[:],
-		})
+	secret, err := parseSecret(params.clientSecret)
+	if err != nil {
+		return oauth2.Token{}, errBadSecret
+	}
+	//nolint:gocritic // Users cannot read secrets so we must use the system.
+	dbSecret, err := db.GetOAuth2ProviderAppSecretByPrefix(dbauthz.AsSystemRestricted(ctx), []byte(secret.prefix))
+	if errors.Is(err, sql.ErrNoRows) {
+		return oauth2.Token{}, errBadSecret
+	}
 	if err != nil {
 		return oauth2.Token{}, err
 	}
+	equal, err := userpassword.Compare(string(dbSecret.HashedSecret), secret.secret)
+	if err != nil {
+		return oauth2.Token{}, xerrors.Errorf("unable to compare secret: %w", err)
+	}
+	if !equal {
+		return oauth2.Token{}, errBadSecret
+	}
 
 	// Validate the authorization code.
-	codeHash := Hash(code, app.ID)
+	code, err := parseSecret(params.code)
 	if err != nil {
-		return oauth2.Token{}, err
+		return oauth2.Token{}, errBadCode
+	}
+	//nolint:gocritic // There is no user yet so we must use the system.
+	dbCode, err := db.GetOAuth2ProviderAppCodeByPrefix(dbauthz.AsSystemRestricted(ctx), []byte(code.prefix))
+	if errors.Is(err, sql.ErrNoRows) {
+		return oauth2.Token{}, errBadCode
 	}
-	dbCode, err := db.GetOAuth2ProviderAppCodeByAppIDAndSecret(
-		//nolint:gocritic // There is no user yet so we must use the system.
-		dbauthz.AsSystemRestricted(ctx),
-		database.GetOAuth2ProviderAppCodeByAppIDAndSecretParams{
-			AppID:        app.ID,
-			HashedSecret: codeHash[:],
-		})
 	if err != nil {
 		return oauth2.Token{}, err
 	}
+	equal, err = userpassword.Compare(string(dbCode.HashedSecret), code.secret)
+	if err != nil {
+		return oauth2.Token{}, xerrors.Errorf("unable to compare code: %w", err)
+	}
+	if !equal {
+		return oauth2.Token{}, errBadCode
+	}
 
-	// Ensure the code has not expired.  Make it look like no code.
+	// Ensure the code has not expired.
 	if dbCode.ExpiresAt.Before(dbtime.Now()) {
-		return oauth2.Token{}, sql.ErrNoRows
+		return oauth2.Token{}, errBadCode
 	}
 
 	// Generate a refresh token.
 	// The refresh token is not currently used or exposed though as API keys can
 	// already be refreshed by just using them.
 	// TODO: However, should we implement the refresh grant anyway?
-	// 40 characters matches the length of GitHub's client secrets.
-	rawRefreshToken, err := cryptorand.String(40)
+	refreshToken, err := GenerateSecret()
 	if err != nil {
 		return oauth2.Token{}, err
 	}
@@ -208,13 +225,13 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 			return xerrors.Errorf("insert oauth2 access token: %w", err)
 		}
 
-		hashed := Hash(rawRefreshToken, app.ID)
 		_, err = tx.InsertOAuth2ProviderAppToken(ctx, database.InsertOAuth2ProviderAppTokenParams{
 			ID:          uuid.New(),
 			CreatedAt:   dbtime.Now(),
 			ExpiresAt:   key.ExpiresAt,
-			RefreshHash: hashed[:],
-			AppSecretID: secret.ID,
+			HashPrefix:  []byte(refreshToken.Prefix),
+			RefreshHash: []byte(refreshToken.Hashed),
+			AppSecretID: dbSecret.ID,
F438
 			APIKeyID:    newKey.ID,
 		})
 		if err != nil {
@@ -230,16 +247,7 @@ func authorizationCodeGrant(ctx context.Context, db database.Store, app database
 		AccessToken: sessionToken,
 		TokenType:   "Bearer",
 		// TODO: Exclude until refresh grant is implemented.
-		// RefreshToken: rawRefreshToken,
+		// RefreshToken: refreshToken.formatted,
 		// Expiry:       key.ExpiresAt,
 	}, nil
 }
-
-/**
- * Hash uses argon2 to hash the secret using the ID as the salt.
- */
-func Hash(secret string, id uuid.UUID) []byte {
-	b := []byte(secret)
-	// TODO: Expose iterations, memory, and threads as configuration values?
-	return argon2.IDKey(b, []byte(id.String()), 1, 64*1024, 2, uint32(len(b)))
-}
 
@@ -13,7 +13,6 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
 )
 
@@ -233,24 +232,23 @@ func (api *API) oAuth2ProviderAppSecrets(rw http.ResponseWriter, r *http.Request
 func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	app := httpmw.OAuth2ProviderApp(r)
-	// 40 characters matches the length of GitHub's client secrets.
-	rawSecret, err := cryptorand.String(40)
+	secret, err := identityprovider.GenerateSecret()
 	if err != nil {
 		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Failed to generate OAuth2 client secret.",
+			Detail:  err.Error(),
 		})
 		return
 	}
-	hashed := identityprovider.Hash(rawSecret, app.ID)
-	secret, err := api.Database.InsertOAuth2ProviderAppSecret(ctx, database.InsertOAuth2ProviderAppSecretParams{
+	dbSecret, err := api.Database.InsertOAuth2ProviderAppSecret(ctx, database.InsertOAuth2ProviderAppSecretParams{
 		ID:           uuid.New(),
 		CreatedAt:    dbtime.Now(),
-		SecretPrefix: []byte(""), // TODO: Currently unused.
-		HashedSecret: hashed[:],
+		SecretPrefix: []byte(secret.Prefix),
+		HashedSecret: []byte(secret.Hashed),
 		// DisplaySecret is the last six characters of the original unhashed secret.
 		// This is done so they can be differentiated and it matches how GitHub
 		// displays their client secrets.
-		DisplaySecret: rawSecret[len(rawSecret)-6:],
+		DisplaySecret: secret.Formatted[len(secret.Formatted)-6:],
 		AppID:         app.ID,
 	})
 	if err != nil {
@@ -261,8 +259,8 @@ func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Requ
 		return
 	}
 	httpapi.Write(ctx, rw, http.StatusOK, codersdk.OAuth2ProviderAppSecretFull{
-		ID:               secret.ID,
-		ClientSecretFull: rawSecret,
+		ID:               dbSecret.ID,
+		ClientSecretFull: secret.Formatted,
 	})
 }