coder
diff --git a/‎coderd/apikey/apikey_test.go
Lines changed: 51 additions & 42 deletions b/‎coderd/apikey/apikey_test.go
Lines changed: 51 additions & 42 deletions
diff --git a/‎coderd/coderdtest/oidctest/helper.go
Lines changed: 1 addition & 2 deletions b/‎coderd/coderdtest/oidctest/helper.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/coderdtest/oidctest/idp.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/oidctest/idp.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 1 addition & 1 deletion b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 2 additions & 2 deletions b/‎coderd/database/modelmethods.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎enterprise/coderd/coderd.go
Lines changed: 0 additions & 1 deletion b/‎enterprise/coderd/coderd.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 11 additions & 17 deletions b/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 11 additions & 17 deletions
diff --git a/‎enterprise/coderd/identityprovider/middleware.go
Lines changed: 2 additions & 0 deletions b/‎enterprise/coderd/identityprovider/middleware.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎enterprise/coderd/identityprovider/tokens.go
Lines changed: 1 addition & 1 deletion b/‎enterprise/coderd/identityprovider/tokens.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎enterprise/coderd/oauth2_test.go
Lines changed: 8 additions & 11 deletions b/‎enterprise/coderd/oauth2_test.go
Lines changed: 8 additions & 11 deletions
diff --git a/‎scripts/renderstatics/main.go
Lines changed: 9 additions & 3 deletions b/‎scripts/renderstatics/main.go
Lines changed: 9 additions & 3 deletions
diff --git a/‎site/src/pages/UserSettingsPage/OAuth2ProviderPage/OAuth2ProviderPage.tsx
Lines changed: 0 additions & 1 deletion b/‎site/src/pages/UserSettingsPage/OAuth2ProviderPage/OAuth2ProviderPage.tsx
Lines changed: 0 additions & 1 deletion
@@ -10,11 +10,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
-	"github.com/coder/coder/v2/codersdk"
 )
 
 func TestGenerate(t *testing.T) {
@@ -30,69 +28,80 @@ func TestGenerate(t *testing.T) {
 		{
 			name: "OK",
 			params: apikey.CreateParams{
-				UserID:           uuid.New(),
-				LoginType:        database.LoginTypeOIDC,
-				DeploymentValues: &codersdk.DeploymentValues{},
-				ExpiresAt:        time.Now().Add(time.Hour),
-				LifetimeSeconds:  int64(time.Hour.Seconds()),
-				TokenName:        "hello",
-				RemoteAddr:       "1.2.3.4",
-				Scope:            database.APIKeyScopeApplicationConnect,
+				UserID:          uuid.New(),
+				LoginType:       database.LoginTypeOIDC,
+				DefaultLifetime: time.Duration(0),
+				ExpiresAt:       time.Now().Add(time.Hour),
+				LifetimeSeconds: int64(time.Hour.Seconds()),
+				TokenName:       "hello",
+				RemoteAddr:      "1.2.3.4",
+				Scope:           database.APIKeyScopeApplicationConnect,
 			},
 		},
 		{
 			name: "InvalidScope",
 			params: apikey.CreateParams{
-				UserID:           uuid.New(),
-				LoginType:        database.LoginTypeOIDC,
-				DeploymentValues: &codersdk.DeploymentValues{},
-				ExpiresAt:        time.Now().Add(time.Hour),
-				LifetimeSeconds:  int64(time.Hour.Seconds()),
-				TokenName:        "hello",
-				RemoteAddr:       "1.2.3.4",
-				Scope:            database.APIKeyScope("test"),
+				UserID:          uuid.New(),
+				LoginType:       database.LoginTypeOIDC,
+				DefaultLifetime: time.Duration(0),
+				ExpiresAt:       time.Now().Add(time.Hour),
+				LifetimeSeconds: int64(time.Hour.Seconds()),
+				TokenName:       "hello",
+				RemoteAddr:      "1.2.3.4",
+				Scope:           database.APIKeyScope("test"),
 			},
 			fail: true,
 		},
 		{
 			name: "DeploymentSessionDuration",
 			params: apikey.CreateParams{
-				UserID:    uuid.New(),
-				LoginType: database.LoginTypeOIDC,
-				DeploymentValues: &codersdk.DeploymentValues{
-					SessionDuration: clibase.Duration(time.Hour),
-				},
+				UserID:          uuid.New(),
+				LoginType:       database.LoginTypeOIDC,
+				DefaultLifetime: time.Hour,
 				LifetimeSeconds: 0,
 				ExpiresAt:       time.Time{},
 				TokenName:       "hello",
 				RemoteAddr:      "1.2.3.4",
 				Scope:           database.APIKeyScopeApplicationConnect,
 			},
 		},
+		{
+			name: "LifetimeSeconds",
+			params: apikey.CreateParams{
+				UserID:          uuid.New(),
+				LoginType:       database.LoginTypeOIDC,
+				DefaultLifetime: time.Duration(0),
+				LifetimeSeconds: int64(time.Hour.Seconds()),
+				ExpiresAt:       time.Time{},
+				TokenName:       "hello",
+				RemoteAddr:      "1.2.3.4",
+				Scope:           database.APIKeyScopeApplicationConnect,
+			},
+		},
 		{
 			name: "DefaultIP",
 			params: apikey.CreateParams{
-				UserID:           uuid.New(),
-				LoginType:        database.LoginTypeOIDC,
-				DeploymentValues: &codersdk.DeploymentValues{},
-				ExpiresAt:        time.Now().Add(time.Hour),
-				LifetimeSeconds:  int64(time.Hour.Seconds()),
-				TokenName:        "hello",
-				RemoteAddr:       "",
-				Scope:            database.APIKeyScopeApplicationConnect,
+				UserID:          uuid.New(),
+				LoginType:       database.LoginTypeOIDC,
+				DefaultLifetime: time.Duration(0),
+				ExpiresAt:       time.Now().Add(time.Hour),
+				LifetimeSeconds: int64(time.Hour.Seconds()),
+				TokenName:       "hello",
+				RemoteAddr:      "",
+				Scope:           database.APIKeyScopeApplicationConnect,
 			},
 		},
 		{
 			name: "DefaultScope",
 			params: apikey.CreateParams{
-				UserID:           uuid.New(),
-				LoginType:        database.LoginTypeOIDC,
-				DeploymentValues: &codersdk.DeploymentValues{},
-				ExpiresAt:        time.Now().Add(time.Hour),
-				LifetimeSeconds:  int64(time.Hour.Seconds()),
-				TokenName:        "hello",
-				RemoteAddr:       "1.2.3.4",
-				Scope:            "",
+				UserID:          uuid.New(),
+				LoginType:       database.LoginTypeOIDC,
+				DefaultLifetime: time.Duration(0),
+				ExpiresAt:       time.Now().Add(time.Hour),
+				LifetimeSeconds: int64(time.Hour.Seconds()),
+				TokenName:       "hello",
+				RemoteAddr:      "1.2.3.4",
+				Scope:           "",
 			},
 		},
 	}
@@ -131,15 +140,15 @@ func TestGenerate(t *testing.T) {
 				// Should not be a delta greater than 5 seconds.
 				assert.InDelta(t, time.Until(tc.params.ExpiresAt).Seconds(), key.LifetimeSeconds, 5)
 			} else {
-				assert.Equal(t, int64(tc.params.DeploymentValues.SessionDuration.Value().Seconds()), key.LifetimeSeconds)
+				assert.Equal(t, int64(tc.params.DefaultLifetime.Seconds()), key.LifetimeSeconds)
 			}
 
 			if !tc.params.ExpiresAt.IsZero() {
 				assert.Equal(t, tc.params.ExpiresAt.UTC(), key.ExpiresAt)
 			} else if tc.params.LifetimeSeconds > 0 {
-				assert.WithinDuration(t, dbtime.Now().Add(time.Duration(tc.params.LifetimeSeconds)), key.ExpiresAt, time.Second*5)
+				assert.WithinDuration(t, dbtime.Now().Add(time.Duration(tc.params.LifetimeSeconds)*time.Second), key.ExpiresAt, time.Second*5)
 			} else {
-				assert.WithinDuration(t, dbtime.Now().Add(tc.params.DeploymentValues.SessionDuration.Value()), key.ExpiresAt, time.Second*5)
+				assert.WithinDuration(t, dbtime.Now().Add(tc.params.DefaultLifetime), key.ExpiresAt, time.Second*5)
 			}
 
 			if tc.params.RemoteAddr != "" {
 
@@ -4,7 +4,6 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
-	"fmt"
 	"net/http"
 	"net/url"
 	"testing"
@@ -162,7 +161,7 @@ func OAuth2GetCode(authURL string, state string, doRequest func(req *http.Reques
 
 	newState := toURL.Query().Get("state")
 	if newState != state {
-		return "", fmt.Errorf("expected state %q, got %q", state, newState)
+		return "", xerrors.Errorf("expected state %q, got %q", state, newState)
 	}
 	return code, nil
 }
@@ -424,7 +424,7 @@ func (f *FakeIDP) ExternalLogin(t testing.TB, client *codersdk.Client, opts ...f
 // unit tests, it's easier to skip this step sometimes. It does make an actual
 // request to the IDP, so it should be equivalent to doing this "manually" with
 // actual requests.
-func (f *FakeIDP) CreateAuthCode(t testing.TB, state string, opts ...func(r *http.Request)) string {
+func (f *FakeIDP) CreateAuthCode(t testing.TB, state string) string {
 	// We need to store some claims, because this is also an OIDC provider, and
 	// it expects some claims to be present.
 	f.stateToIDTokenClaims.Store(state, jwt.MapClaims{})
 
@@ -234,7 +234,7 @@ func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) cod
 		Icon:        dbApp.Icon,
 		Endpoints: codersdk.OAuth2ProviderAppEndpoints{
 			Authorization: accessURL.ResolveReference(&url.URL{
-				Path: fmt.Sprintf("/login/oauth2/authorize"),
+				Path: "/login/oauth2/authorize",
 			}).String(),
 			Token: accessURL.ResolveReference(&url.URL{
 				Path: "/login/oauth2/tokens",
 
@@ -281,11 +281,11 @@ func (c OAuth2ProviderAppCode) RBACObject() rbac.Object {
 	return rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(c.UserID.String())
 }
 
-func (s OAuth2ProviderAppSecret) RBACObject() rbac.Object {
+func (OAuth2ProviderAppSecret) RBACObject() rbac.Object {
 	return rbac.ResourceOAuth2ProviderAppSecret
 }
 
-func (s OAuth2ProviderApp) RBACObject() rbac.Object {
+func (OAuth2ProviderApp) RBACObject() rbac.Object {
 	return rbac.ResourceOAuth2ProviderApp
 }
 
 
@@ -167,7 +167,6 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
 				r.Post("/tokens", api.postOAuth2ProviderAppToken())
 			})
-
 		})
 	})
 
 
@@ -18,13 +18,14 @@ import (
 	"github.com/coder/coder/v2/cryptorand"
 )
 
-// TODO: Comment this up
+/**
+ * Authorize displays an HTML for authorizing an application when the user has
+ * first been redirected to this path and generates a code and redirects to the
+ * app's callback URL after the user clicks "allow" on that page.
+ */
 func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 	handler := func(rw http.ResponseWriter, r *http.Request) {
 		// TODO: audit?  and other endpoints?
-		// TODO: @Emyrk this has to serve the html payload for clicking "allow".
-		// 		We need a method to determine if someone hit this endpoint clicking "Allow",
-		//		or they got here for the first time.
 		ctx := r.Context()
 		apiKey, ok := httpmw.APIKeyOptional(r)
 		if !ok {
@@ -34,17 +35,13 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 			return
 		}
 
-		// If this request is coming from a different host, we need to show the
-		// user an html page where they can click allow.
-		// TODO: Is there a smarter way to do this?
-		// TODO: Skip this step if the user has already clicked allow before, and we
-		// 	can just reuse the token.
-
 		app := httpmw.OAuth2ProviderApp(r)
 
 		// TODO: @emyrk this should always work, maybe make callbackURL a *url.URL?
 		callbackURL, _ := url.Parse(app.CallbackURL)
 
+		// TODO: Should validate these on the HTML page as well and show errors
+		// there rather than wait until this endpoint to show them.
 		p := httpapi.NewQueryParamParser()
 		vals := r.URL.Query()
 		p.Required("state", "response_type")
@@ -75,7 +72,7 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 		}
 
 		// TODO: @emyrk handle scope?
-		var _ = scope
+		_ = scope
 
 		if err := validateRedirectURL(app.CallbackURL, redirectURL.String()); err != nil {
 			httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
@@ -91,7 +88,6 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 			})
 			return
 		}
-		// TODO: We are ignoring scopes for now.
 		hashed := sha256.Sum256([]byte(rawSecret))
 		_, err = db.InsertOAuth2ProviderAppCode(ctx, database.InsertOAuth2ProviderAppCodeParams{
 			ID:        uuid.New(),
@@ -110,8 +106,6 @@ func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
 			return
 		}
 
-		// TODO: @emyrk we need to possibly serve an html page from this endpoint.
-		// this currently skips the user in the loop part where they click allow.
 		newQuery := redirectURL.Query()
 		newQuery.Add("code", rawSecret)
 		newQuery.Add("state", state)
@@ -135,9 +129,9 @@ func validateRedirectURL(baseURL string, redirectURL string) error {
 	if err != nil {
 		return err
 	}
-	// It can be a sub-domain or a sub-directory.
-	if (redirect.Host != base.Host && !strings.HasSuffix(redirect.Host, "."+base.Host)) ||
-		!strings.HasPrefix(redirect.Path, base.Path) {
+	// It can be a sub-directory but not a sub-domain, as we have apps on
+	// sub-domains so it seems too dangerous.
+	if redirect.Host != base.Host || !strings.HasPrefix(redirect.Path, base.Path) {
 		return xerrors.New("invalid redirect URL")
 	}
 	return nil
 
@@ -39,6 +39,8 @@ func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
 
 			app := httpmw.OAuth2ProviderApp(r)
 			// If the request comes from outside, then we show the html allow page.
+			// TODO: Skip this step if the user has already clicked allow before, and
+			// we can just reuse the token.
 			if originU.Hostname() != accessURL.Hostname() && refererU.Path != "/login/oauth2/authorize" {
 				if r.URL.Query().Get("redirected") != "" {
 					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
 
@@ -55,7 +55,7 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {
 		}
 
 		// TODO: Not sure what to do with this yet.
-		var _ = redirectURL
+		_ = redirectURL
 
 		var token oauth2.Token
 		switch codersdk.OAuth2ProviderGrantType(grantType) {
 
@@ -202,12 +202,16 @@ func TestOAuth2ProviderApps(t *testing.T) {
 
 		// Should be able to add apps.
 		expected := generateApps(ctx, t, client)
+		expectedOrder := []codersdk.OAuth2ProviderApp{
+			expected.Default, expected.NoPort, expected.Subdomain,
+			expected.Extra[0], expected.Extra[1],
+		}
 
 		// Should get all the apps now.
 		apps, err = another.OAuth2ProviderApps(ctx, codersdk.OAuth2ProviderAppFilter{})
 		require.NoError(t, err)
 		require.Len(t, apps, 5)
-		require.Equal(t, expected, apps)
+		require.Equal(t, expectedOrder, apps)
 
 		// Should be able to keep the same name when updating.
 		req := codersdk.PutOAuth2ProviderAppRequest{
@@ -252,13 +256,7 @@ func TestOAuth2ProviderApps(t *testing.T) {
 		require.NoError(t, err)
 		require.Len(t, newApps, 4)
 
-		filtered := make([]codersdk.OAuth2ProviderApp, 0, len(newApps))
-		for _, app := range newApps {
-			if app.ID != expected.Default.ID {
-				filtered = append(filtered, app)
-			}
-		}
-		require.Equal(t, filtered, newApps)
+		require.Equal(t, expectedOrder[1:], newApps)
 	})
 
 	t.Run("ByUser", func(t *testing.T) {
@@ -632,14 +630,13 @@ func TestOAuth2ProviderTokenExchange(t *testing.T) {
 				code = *test.defaultCode
 			} else {
 				code, err = authorizationFlow(userClient, valid)
-				if test.authError == "" {
-					require.NoError(t, err)
-				} else {
+				if test.authError != "" {
 					require.Error(t, err)
 					require.ErrorContains(t, err, test.authError)
 					// If this errors the token exchange will fail. So end here.
 					return
 				}
+				require.NoError(t, err)
 			}
 
 			// Mutate the valid config for the exchange.
 
@@ -3,6 +3,7 @@ package main
 import (
 	"log"
 	"net/http"
+	"time"
 
 	"github.com/go-chi/chi/v5"
 
@@ -26,12 +27,17 @@ func main() {
 				Warnings:     []string{"The world will end in 7 days.", "Please panic."},
 			})
 		default:
-			site.RenderOAuthAllowPage(rw, r, http.StatusOK, site.RenderOAuthAllowData{
-				AppName:     "Netflix Backstage",
+			site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
+				AppName:     "Backstage",
 				Icon:        "",
 				RedirectURI: "https://google.com",
 			})
 		}
 	}))
-	log.Fatal(http.ListenAndServe(":7775", r))
+	server := &http.Server{
+		Addr:              ":7775",
+		ReadHeaderTimeout: 20 * time.Second,
+		Handler:           r,
+	}
+	log.Fatal(server.ListenAndServe())
 }
@@ -2,7 +2,6 @@ import { type FC, useState } from "react";
 import { useMutation, useQuery, useQueryClient } from "react-query";
 import { getErrorMessage } from "api/errors";
 import { getApps, revokeApp } from "api/queries/oauth2";
-import type * as TypesGen from "api/typesGenerated";
 import { DeleteDialog } from "components/Dialogs/DeleteDialog/DeleteDialog";
 import { displayError, displaySuccess } from "components/GlobalSnackbar/utils";
 import { useMe } from "hooks";
Original file line number	Diff line number	Diff line change
`@@ -281,11 +281,11 @@ func (c OAuth2ProviderAppCode) RBACObject() rbac.Object {`
`281`	`281`	`return rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(c.UserID.String())`
`282`	`282`	`}`
`283`	`283`
`284`		`-func (s OAuth2ProviderAppSecret) RBACObject() rbac.Object {`
	`284`	`+func (OAuth2ProviderAppSecret) RBACObject() rbac.Object {`
`285`	`285`	`return rbac.ResourceOAuth2ProviderAppSecret`
`286`	`286`	`}`
`287`	`287`
`288`		`-func (s OAuth2ProviderApp) RBACObject() rbac.Object {`
	`288`	`+func (OAuth2ProviderApp) RBACObject() rbac.Object {`
`289`	`289`	`return rbac.ResourceOAuth2ProviderApp`
`290`	`290`	`}`
`291`	`291`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func Tokens(db database.Store, defaultLifetime time.Duration) http.HandlerFunc {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`// TODO: Not sure what to do with this yet.`
`58`		`- var _ = redirectURL`
	`58`	`+ _ = redirectURL`
`59`	`59`
`60`	`60`	`var token oauth2.Token`
`61`	`61`	`switch codersdk.OAuth2ProviderGrantType(grantType) {`