coder
diff --git a/‎codersdk/oauth2.go
Lines changed: 45 additions & 0 deletions b/‎codersdk/oauth2.go
Lines changed: 45 additions & 0 deletions
diff --git a/‎enterprise/coderd/coderd.go
Lines changed: 22 additions & 0 deletions b/‎enterprise/coderd/coderd.go
Lines changed: 22 additions & 0 deletions
diff --git a/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 159 additions & 0 deletions b/‎enterprise/coderd/identityprovider/authorize.go
Lines changed: 159 additions & 0 deletions
diff --git a/‎enterprise/coderd/identityprovider/middleware.go
Lines changed: 117 additions & 0 deletions b/‎enterprise/coderd/identityprovider/middleware.go
Lines changed: 117 additions & 0 deletions
@@ -179,3 +179,48 @@ func (c *Client) DeleteOAuth2ProviderAppSecret(ctx context.Context, appID uuid.U
 	}
 	return nil
 }
+
+type OAuth2ProviderGrantType string
+
+const (
+	OAuth2ProviderGrantTypeAuthorizationCode OAuth2ProviderGrantType = "authorization_code"
+)
+
+func (e OAuth2ProviderGrantType) Valid() bool {
+	switch e {
+	case OAuth2ProviderGrantTypeAuthorizationCode:
+		return true
+	}
+	return false
+}
+
+type OAuth2ProviderResponseType string
+
+const (
+	OAuth2ProviderResponseTypeCode OAuth2ProviderResponseType = "code"
+)
+
+func (e OAuth2ProviderResponseType) Valid() bool {
+	switch e {
+	case OAuth2ProviderResponseTypeCode:
+		return true
+	}
+	return false
+}
+
+// RevokeOAuth2ProviderApp completely revokes an app's access for the user.
+func (c *Client) RevokeOAuth2ProviderApp(ctx context.Context, appID uuid.UUID) error {
+	res, err := c.Request(ctx, http.MethodDelete, "/login/oauth2/tokens", nil, func(r *http.Request) {
+		q := r.URL.Query()
+		q.Set("client_id", appID.String())
+		r.URL.RawQuery = q.Encode()
+	})
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusNoContent {
+		return ReadBodyAsError(res)
+	}
+	return nil
+}
@@ -164,6 +164,28 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 		return nil, xerrors.Errorf("failed to get deployment ID: %w", err)
 	}
 
+	api.AGPL.RootHandler.Group(func(r chi.Router) {
+		r.Use(
+			api.oAuth2ProviderMiddleware,
+			// Fetch the app as system because in the /tokens route there will be no
+			// authenticated user.
+			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+		)
+		// Oauth2 linking routes do not make sense under the /api/v2 path.
+		r.Route("/login", func(r chi.Router) {
+			r.Route("/oauth2", func(r chi.Router) {
+				r.Group(func(r chi.Router) {
+					r.Use(apiKeyMiddleware)
+					r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
+					r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
+				})
+				// The /tokens endpoint will be called from an unauthorized client so we
+				// cannot require an API key.
+				r.Post("/tokens", api.postOAuth2ProviderAppToken())
+			})
+		})
+	})
+
 	api.AGPL.APIHandler.Group(func(r chi.Router) {
 		r.Get("/entitlements", api.serveEntitlements)
 		// /regions overrides the AGPL /regions endpoint
 
@@ -0,0 +1,159 @@
+package identityprovider
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/cryptorand"
+)
+
+type authorizeParams struct {
+	clientID     string
+	redirectURL  *url.URL
+	responseType codersdk.OAuth2ProviderResponseType
+	scope        []string
+	state        string
+}
+
+func extractAuthorizeParams(r *http.Request, callbackURL string) (authorizeParams, []codersdk.ValidationError, error) {
+	p := httpapi.NewQueryParamParser()
+	vals := r.URL.Query()
+
+	p.Required("state", "response_type", "client_id")
+
+	// TODO: Can we make this a URL straight out of the database?
+	cb, err := url.Parse(callbackURL)
+	if err != nil {
+		return authorizeParams{}, nil, err
+	}
+	params := authorizeParams{
+		clientID:     p.String(vals, "", "client_id"),
+		redirectURL:  p.URL(vals, cb, "redirect_uri"),
+		responseType: httpapi.ParseCustom(p, vals, "", "response_type", httpapi.ParseEnum[codersdk.OAuth2ProviderResponseType]),
+		scope:        p.Strings(vals, []string{}, "scope"),
+		state:        p.String(vals, "", "state"),
+	}
+
+	// We add "redirected" when coming from the authorize page.
+	_ = p.String(vals, "", "redirected")
+
+	if err := validateRedirectURL(cb, params.redirectURL.String()); err != nil {
+		p.Errors = append(p.Errors, codersdk.ValidationError{
+			Field:  "redirect_uri",
+			Detail: fmt.Sprintf("Query param %q is invalid", "redirect_uri"),
+		})
+	}
+
+	p.ErrorExcessParams(vals)
+	return params, p.Errors, nil
+}
+
+/**
+ * Authorize displays an HTML for authorizing an application when the user has
+ * first been redirected to this path and generates a code and redirects to the
+ * app's callback URL after the user clicks "allow" on that page.
+ */
+func Authorize(db database.Store, accessURL *url.URL) http.HandlerFunc {
+	handler := func(rw http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		apiKey := httpmw.APIKey(r)
+		app := httpmw.OAuth2ProviderApp(r)
+
+		params, validationErrs, err := extractAuthorizeParams(r, app.CallbackURL)
+		if err != nil {
+			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to validate query parameters.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+		if len(validationErrs) > 0 {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message:     "Invalid query params.",
+				Validations: validationErrs,
+			})
+			return
+		}
+
+		// TODO: Ignoring scope for now, but should look into implementing.
+		// 40 characters matches the length of GitHub's client secrets.
+		rawCode, err := cryptorand.String(40)
+		if err != nil {
+			httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to generate OAuth2 app authorization code.",
+			})
+			return
+		}
+		hashedCode := Hash(rawCode, app.ID)
+		err = db.InTx(func(tx database.Store) error {
+			// Delete any previous codes.
+			err = tx.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams{
+				AppID:  app.ID,
+				UserID: apiKey.UserID,
+			})
+			if err != nil && !errors.Is(err, sql.ErrNoRows) {
+				return xerrors.Errorf("delete oauth2 app codes: %w", err)
+			}
+
+			// Insert the new code.
+			_, err = tx.InsertOAuth2ProviderAppCode(ctx, database.InsertOAuth2ProviderAppCodeParams{
+				ID:        uuid.New(),
+				CreatedAt: dbtime.Now(),
+				// TODO: Configurable expiration?  Ten minutes matches GitHub.
+				ExpiresAt:    dbtime.Now().Add(time.Duration(10) * time.Minute),
+				HashedSecret: hashedCode[:],
+				AppID:        app.ID,
+				UserID:       apiKey.UserID,
+			})
+			if err != nil {
+				return xerrors.Errorf("insert oauth2 authorization code: %w", err)
+			}
+
+			return nil
+		}, nil)
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Failed to generate OAuth2 authorization code.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+
+		newQuery := params.redirectURL.Query()
+		newQuery.Add("code", rawCode)
+		newQuery.Add("state", params.state)
+		params.redirectURL.RawQuery = newQuery.Encode()
+
+		http.Redirect(rw, r, params.redirectURL.String(), http.StatusTemporaryRedirect)
+	}
+
+	// Always wrap with its custom mw.
+	return authorizeMW(accessURL)(http.HandlerFunc(handler)).ServeHTTP
+}
+
+// validateRedirectURL validates that the redirectURL is contained in baseURL.
+func validateRedirectURL(baseURL *url.URL, redirectURL string) error {
+	redirect, err := url.Parse(redirectURL)
+	if err != nil {
+		return err
+	}
+	// It can be a sub-directory but not a sub-domain, as we have apps on
+	// sub-domains so it seems too dangerous.
+	if redirect.Host != baseURL.Host || !strings.HasPrefix(redirect.Path, baseURL.Path) {
+		return xerrors.New("invalid redirect URL")
+	}
+	return nil
+}
@@ -0,0 +1,117 @@
+package identityprovider
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/site"
+)
+
+// authorizeMW serves to remove some code from the primary authorize handler.
+// It decides when to show the html allow page, and when to just continue.
+func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			origin := r.Header.Get(httpmw.OriginHeader)
+			originU, err := url.Parse(origin)
+			if err != nil {
+				// TODO: Curl requests will not have this. One idea is to always show
+				// html here??
+				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+					Message: "Invalid or missing origin header.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+
+			referer := r.Referer()
+			refererU, err := url.Parse(referer)
+			if err != nil {
+				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+					Message: "Invalid or missing referer header.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+
+			app := httpmw.OAuth2ProviderApp(r)
+			ua := httpmw.UserAuthorization(r)
+
+			// If the request comes from outside, then we show the html allow page.
+			// TODO: Skip this step if the user has already clicked allow before, and
+			// we can just reuse the token.
+			if originU.Hostname() != accessURL.Hostname() && refererU.Path != "/login/oauth2/authorize" {
+				if r.URL.Query().Get("redirected") != "" {
+					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+						Status:       http.StatusInternalServerError,
+						HideStatus:   false,
+						Title:        "Oauth Redirect Loop",
+						Description:  "Oauth redirect loop detected.",
+						RetryEnabled: false,
+						DashboardURL: accessURL.String(),
+						Warnings:     nil,
+					})
+					return
+				}
+
+				// Extract the form parameters for two reasons:
+				// 1. We need the redirect URI to build the cancel URI.
+				// 2. Since validation will run once the user clicks "allow", it is
+				//    better to validate now to avoid wasting the user's time clicking a
+				//    button that will just error anyway.
+				params, errs, err := extractAuthorizeParams(r, app.CallbackURL)
+				if err != nil {
+					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+						Status:       http.StatusInternalServerError,
+						HideStatus:   false,
+						Title:        "Internal Server Error",
+						Description:  err.Error(),
+						RetryEnabled: false,
+						DashboardURL: accessURL.String(),
+						Warnings:     nil,
+					})
+					return
+				}
+				if len(errs) > 0 {
+					errStr := make([]string, len(errs))
+					for i, err := range errs {
+						errStr[i] = err.Detail
+					}
+					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+						Status:       http.StatusBadRequest,
+						HideStatus:   false,
+						Title:        "Invalid Query Parameters",
+						Description:  "One or more query parameters are missing or invalid.",
+						RetryEnabled: false,
+						DashboardURL: accessURL.String(),
+						Warnings:     errStr,
+					})
+					return
+				}
+
+				cancel := params.redirectURL
+				cancelQuery := params.redirectURL.Query()
+				cancelQuery.Add("error", "access_denied")
+				cancel.RawQuery = cancelQuery.Encode()
+
+				redirect := r.URL
+				vals := redirect.Query()
+				vals.Add("redirected", "true")
+				r.URL.RawQuery = vals.Encode()
+				site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
+					AppIcon:     app.Icon,
+					AppName:     app.Name,
+					CancelURI:   cancel.String(),
+					RedirectURI: r.URL.String(),
+					Username:    ua.ActorName,
+				})
+				return
+			}
+
+			next.ServeHTTP(rw, r)
+		})
+	}
+}