package coderd

import (

"context"

"database/sql"

"errors"

"fmt"

"net/http"

"net/mail"

"slices"

"strconv"

"strings"

"sync"

"sync/atomic"

"time"

"github.com/coreos/go-oidc/v3/oidc"

"github.com/go-jose/go-jose/v4"

"github.com/go-jose/go-jose/v4/jwt"

"github.com/google/go-github/v43/github"

"github.com/google/uuid"

"golang.org/x/oauth2"

"golang.org/x/xerrors"

"cdr.dev/slog/v3"

"github.com/coder/coder/v2/coderd/apikey"

"github.com/coder/coder/v2/coderd/audit"

"github.com/coder/coder/v2/coderd/cryptokeys"

"github.com/coder/coder/v2/coderd/database"

"github.com/coder/coder/v2/coderd/database/dbauthz"

"github.com/coder/coder/v2/coderd/database/dbtime"

"github.com/coder/coder/v2/coderd/externalauth"

"github.com/coder/coder/v2/coderd/httpapi"

"github.com/coder/coder/v2/coderd/httpmw"

"github.com/coder/coder/v2/coderd/idpsync"

"github.com/coder/coder/v2/coderd/jwtutils"

"github.com/coder/coder/v2/coderd/notifications"

"github.com/coder/coder/v2/coderd/promoauth"

"github.com/coder/coder/v2/coderd/rbac"

"github.com/coder/coder/v2/coderd/render"

"github.com/coder/coder/v2/coderd/telemetry"

"github.com/coder/coder/v2/coderd/userpassword"

"github.com/coder/coder/v2/coderd/util/namesgenerator"

"github.com/coder/coder/v2/coderd/util/ptr"

"github.com/coder/coder/v2/codersdk"

"github.com/coder/coder/v2/cryptorand"

"github.com/coder/coder/v2/site"

)

type MergedClaimsSource string

var (

MergedClaimsSourceNone MergedClaimsSource = "none"

MergedClaimsSourceUserInfo MergedClaimsSource = "user_info"

MergedClaimsSourceAccessToken MergedClaimsSource = "access_token"

)

const (

userAuthLoggerName = "userauth"

OAuthConvertCookieValue = "coder_oauth_convert_jwt"

mergeStateStringPrefix = "convert-"

)

type OAuthConvertStateClaims struct {

jwtutils.RegisteredClaims

UserID uuid.UUID `json:"user_id"`

State string `json:"state"`

FromLoginType codersdk.LoginType `json:"from_login_type"`

ToLoginType codersdk.LoginType `json:"to_login_type"`

}

func (o *OAuthConvertStateClaims) Validate(e jwt.Expected) error {

return o.RegisteredClaims.Validate(e)

}

// postConvertLoginType replies with an oauth state token capable of converting

// the user to an oauth user.

//

// @Summary Convert user from password to oauth authentication

// @ID convert-user-from-password-to-oauth-authentication

// @Security CoderSessionToken

// @Accept json

// @Produce json

// @Tags Authorization

// @Param request body codersdk.ConvertLoginRequest true "Convert request"

// @Param user path string true "User ID, name, or me"

// @Success 201 {object} codersdk.OAuthConversionResponse

// @Router /users/{user}/convert-login [post]

func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {

var (

user = httpmw.UserParam(r)

ctx = r.Context()

auditor = api.Auditor.Load()

aReq, commitAudit = audit.InitRequest[database.AuditOAuthConvertState](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionCreate,

})

)

aReq.Old = database.AuditOAuthConvertState{}

defer commitAudit()

var req codersdk.ConvertLoginRequest

if !httpapi.Read(ctx, rw, r, &req) {

return

}

switch req.ToType {

case codersdk.LoginTypeGithub, codersdk.LoginTypeOIDC:

// Allowed!

case codersdk.LoginTypeNone, codersdk.LoginTypePassword, codersdk.LoginTypeToken:

// These login types are not allowed to be converted to at this time.

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: fmt.Sprintf("Cannot convert to login type %q.", req.ToType),

})

return

default:

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: fmt.Sprintf("Unknown login type %q.", req.ToType),

})

return

}

// This handles the email/pass checking.

user, _, ok := api.loginRequest(ctx, rw, codersdk.LoginWithPasswordRequest{

Email: user.Email,

Password: req.Password,

})

if !ok {

return

}

// Only support converting from password auth.

if user.LoginType != database.LoginTypePassword {

// This is checked in loginRequest, but checked again here in case that shared

// function changes its checks. Just some defensive programming.

// This login type is **required** to be password based to prevent

// users from converting other login types to OIDC.

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: "User account must have password based authentication.",

})

return

}

stateString, err := cryptorand.String(32)

if err != nil {

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error generating state string.",

Detail: err.Error(),

})

return

}

// The prefix is used to identify this state string as a conversion state

// without needing to hit the database. The random string is the CSRF protection.

stateString = fmt.Sprintf("%s%s", mergeStateStringPrefix, stateString)

// This JWT is the signed payload to authorize the convert to oauth request.

// When the user does the oauth flow, this jwt will be sent back to coderd.

// The included information in this payload links it to a state string, so

// this request is tied 1:1 with an oauth state.

// This JWT also includes information to tie it 1:1 with a coder deployment

// and user account. This is mainly to inform the user if they are accidentally

// switching between coder deployments if the OIDC is misconfigured.

// Eg: Developers with more than 1 deployment.

now := time.Now()

claims := &OAuthConvertStateClaims{

RegisteredClaims: jwtutils.RegisteredClaims{

Issuer: api.DeploymentID,

Subject: stateString,

Audience: []string{user.ID.String()},

Expiry: jwt.NewNumericDate(now.Add(time.Minute * 5)),

NotBefore: jwt.NewNumericDate(now.Add(time.Second * -1)),

IssuedAt: jwt.NewNumericDate(now),

ID: uuid.NewString(),

},

UserID: user.ID,

State: stateString,

FromLoginType: codersdk.LoginType(user.LoginType),

ToLoginType: req.ToType,

}

token, err := jwtutils.Sign(ctx, api.OIDCConvertKeyCache, claims)

if err != nil {

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error signing state jwt.",

Detail: err.Error(),

})

return

}

aReq.New = database.AuditOAuthConvertState{

CreatedAt: claims.IssuedAt.Time(),

ExpiresAt: claims.Expiry.Time(),

FromLoginType: database.LoginType(claims.FromLoginType),

ToLoginType: database.LoginType(claims.ToLoginType),

UserID: claims.UserID,

}

http.SetCookie(rw, &http.Cookie{

Name: OAuthConvertCookieValue,

Path: "/",

Value: token,

Expires: claims.Expiry.Time(),

Secure: api.DeploymentValues.HTTPCookies.Secure.Value(),

HttpOnly: true,

// Must be SameSite to work on the redirected auth flow from the

// oauth provider.

SameSite: http.SameSiteLaxMode,

})

httpapi.Write(ctx, rw, http.StatusCreated, codersdk.OAuthConversionResponse{

StateString: stateString,

ExpiresAt: claims.Expiry.Time(),

ToType: claims.ToLoginType,

UserID: claims.UserID,

})

}

// Requests a one-time passcode for a user.

//

// @Summary Request one-time passcode

// @ID request-one-time-passcode

// @Accept json

// @Tags Authorization

// @Param request body codersdk.RequestOneTimePasscodeRequest true "One-time passcode request"

// @Success 204

// @Router /users/otp/request [post]

func (api *API) postRequestOneTimePasscode(rw http.ResponseWriter, r *http.Request) {

var (

ctx = r.Context()

auditor = api.Auditor.Load()

logger = api.Logger.Named(userAuthLoggerName)

aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionRequestPasswordReset,

})

)

defer commitAudit()

if api.DeploymentValues.DisablePasswordAuth {

httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{

Message: "Password authentication is disabled.",

})

return

}

var req codersdk.RequestOneTimePasscodeRequest

if !httpapi.Read(ctx, rw, r, &req) {

return

}

defer func() {

// We always send the same response. If we give a more detailed response

// it would open us up to an enumeration attack.

rw.WriteHeader(http.StatusNoContent)

}()

//nolint:gocritic // In order to request a one-time passcode, we need to get the user first - and can only do that in the system auth context.

user, err := api.Database.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{

Email: req.Email,

})

if err != nil && !errors.Is(err, sql.ErrNoRows) {

logger.Error(ctx, "unable to get user by email", slog.Error(err))

return

}

// We continue if err == sql.ErrNoRows to help prevent a timing-based attack.

aReq.Old = user

aReq.UserID = user.ID

passcode := uuid.New()

passcodeExpiresAt := dbtime.Now().Add(api.OneTimePasscodeValidityPeriod)

hashedPasscode, err := userpassword.Hash(passcode.String())

if err != nil {

logger.Error(ctx, "unable to hash passcode", slog.Error(err))

return

}

//nolint:gocritic // We need the system auth context to be able to save the one-time passcode.

err = api.Database.UpdateUserHashedOneTimePasscode(dbauthz.AsSystemRestricted(ctx), database.UpdateUserHashedOneTimePasscodeParams{

ID: user.ID,

HashedOneTimePasscode: []byte(hashedPasscode),

OneTimePasscodeExpiresAt: sql.NullTime{Time: passcodeExpiresAt, Valid: true},

})

if err != nil {

logger.Error(ctx, "unable to set user hashed one-time passcode", slog.Error(err))

return

}

auditUser := user

auditUser.HashedOneTimePasscode = []byte(hashedPasscode)

auditUser.OneTimePasscodeExpiresAt = sql.NullTime{Time: passcodeExpiresAt, Valid: true}

aReq.New = auditUser

if user.ID != uuid.Nil {

// Send the one-time passcode to the user.

err = api.notifyUserRequestedOneTimePasscode(ctx, user, passcode.String())

if err != nil {

logger.Error(ctx, "unable to notify user about one-time passcode request", slog.Error(err))

}

} else {

logger.Warn(ctx, "password reset requested for account that does not exist", slog.F("email", req.Email))

}

}

func (api *API) notifyUserRequestedOneTimePasscode(ctx context.Context, user database.User, passcode string) error {

_, err := api.NotificationsEnqueuer.Enqueue(

//nolint:gocritic // We need the notifier auth context to be able to send the user their one-time passcode.

dbauthz.AsNotifier(ctx),

user.ID,

notifications.TemplateUserRequestedOneTimePasscode,

map[string]string{"one_time_passcode": passcode},

"change-password-with-one-time-passcode",

user.ID,

)

if err != nil {

return xerrors.Errorf("enqueue notification: %w", err)

}

return nil

}

// Change a users password with a one-time passcode.

//

// @Summary Change password with a one-time passcode

// @ID change-password-with-a-one-time-passcode

// @Accept json

// @Tags Authorization

// @Param request body codersdk.ChangePasswordWithOneTimePasscodeRequest true "Change password request"

// @Success 204

// @Router /users/otp/change-password [post]

func (api *API) postChangePasswordWithOneTimePasscode(rw http.ResponseWriter, r *http.Request) {

var (

err error

ctx = r.Context()

auditor = api.Auditor.Load()

logger = api.Logger.Named(userAuthLoggerName)

aReq, commitAudit = audit.InitRequest[database.User](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionWrite,

})

)

defer commitAudit()

if api.DeploymentValues.DisablePasswordAuth {

httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{

Message: "Password authentication is disabled.",

})

return

}

var req codersdk.ChangePasswordWithOneTimePasscodeRequest

if !httpapi.Read(ctx, rw, r, &req) {

return

}

if err := userpassword.Validate(req.Password); err != nil {

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: "Invalid password.",

Validations: []codersdk.ValidationError{

{

Field: "password",

Detail: err.Error(),

},

},

})

return

}

err = api.Database.InTx(func(tx database.Store) error {

//nolint:gocritic // In order to change a user's password, we need to get the user first - and can only do that in the system auth context.

user, err := tx.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{

Email: req.Email,

})

if err != nil && !errors.Is(err, sql.ErrNoRows) {

logger.Error(ctx, "unable to fetch user by email", slog.F("email", req.Email), slog.Error(err))

return xerrors.Errorf("get user by email: %w", err)

}

// We continue if err == sql.ErrNoRows to help prevent a timing-based attack.

aReq.Old = user

aReq.UserID = user.ID

equal, err := userpassword.Compare(string(user.HashedOneTimePasscode), req.OneTimePasscode)

if err != nil {

logger.Error(ctx, "unable to compare one-time passcode", slog.Error(err))

return xerrors.Errorf("compare one-time passcode: %w", err)

}

now := dbtime.Now()

if !equal || now.After(user.OneTimePasscodeExpiresAt.Time) {

logger.Warn(ctx, "password reset attempted with invalid or expired one-time passcode", slog.F("email", req.Email))

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: "Incorrect email or one-time passcode.",

})

return nil

}

equal, err = userpassword.Compare(string(user.HashedPassword), req.Password)

if err != nil {

logger.Error(ctx, "unable to compare password", slog.Error(err))

return xerrors.Errorf("compare password: %w", err)

}

if equal {

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: "New password cannot match old password.",

})

return nil

}

newHashedPassword, err := userpassword.Hash(req.Password)

if err != nil {

logger.Error(ctx, "unable to hash user's password", slog.Error(err))

return xerrors.Errorf("hash user password: %w", err)

}

//nolint:gocritic // We need the system auth context to be able to update the user's password.

err = tx.UpdateUserHashedPassword(dbauthz.AsSystemRestricted(ctx), database.UpdateUserHashedPasswordParams{

ID: user.ID,

HashedPassword: []byte(newHashedPassword),

})

if err != nil {

logger.Error(ctx, "unable to delete user's hashed password", slog.Error(err))

return xerrors.Errorf("update user hashed password: %w", err)

}

//nolint:gocritic // We need the system auth context to be able to delete all API keys for the user.

err = tx.DeleteAPIKeysByUserID(dbauthz.AsSystemRestricted(ctx), user.ID)

if err != nil {

logger.Error(ctx, "unable to delete user's api keys", slog.Error(err))

return xerrors.Errorf("delete api keys for user: %w", err)

}

auditUser := user

auditUser.HashedPassword = []byte(newHashedPassword)

auditUser.OneTimePasscodeExpiresAt = sql.NullTime{}

auditUser.HashedOneTimePasscode = nil

aReq.New = auditUser

rw.WriteHeader(http.StatusNoContent)

return nil

}, nil)

if err != nil {

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error.",

Detail: err.Error(),

})

return

}

}

// ValidateUserPassword validates the complexity of a user password and that it is secured enough.

//

// @Summary Validate user password

// @ID validate-user-password

// @Security CoderSessionToken

// @Produce json

// @Accept json

// @Tags Authorization

// @Param request body codersdk.ValidateUserPasswordRequest true "Validate user password request"

// @Success 200 {object} codersdk.ValidateUserPasswordResponse

// @Router /users/validate-password [post]

func (*API) validateUserPassword(rw http.ResponseWriter, r *http.Request) {

var (

ctx = r.Context()

valid = true

details = ""

)

var req codersdk.ValidateUserPasswordRequest

if !httpapi.Read(ctx, rw, r, &req) {

return

}

err := userpassword.Validate(req.Password)

if err != nil {

valid = false

details = err.Error()

}

httpapi.Write(ctx, rw, http.StatusOK, codersdk.ValidateUserPasswordResponse{

Valid: valid,

Details: details,

})

}

// Authenticates the user with an email and password.

//

// @Summary Log in user

// @ID log-in-user

// @Accept json

// @Produce json

// @Tags Authorization

// @Param request body codersdk.LoginWithPasswordRequest true "Login request"

// @Success 201 {object} codersdk.LoginWithPasswordResponse

// @Router /users/login [post]

func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {

var (

ctx = r.Context()

auditor = api.Auditor.Load()

logger = api.Logger.Named(userAuthLoggerName)

aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionLogin,

})

)

aReq.Old = database.APIKey{}

defer commitAudit()

var loginWithPassword codersdk.LoginWithPasswordRequest

if !httpapi.Read(ctx, rw, r, &loginWithPassword) {

return

}

user, actor, ok := api.loginRequest(ctx, rw, loginWithPassword)

// 'user.ID' will be empty, or will be an actual value. Either is correct

// here.

aReq.UserID = user.ID

if !ok {

// user failed to login

return

}

//nolint:gocritic // Creating the API key as the user instead of as system.

cookie, key, err := api.createAPIKey(dbauthz.As(ctx, actor), apikey.CreateParams{

UserID: user.ID,

LoginType: database.LoginTypePassword,

RemoteAddr: r.RemoteAddr,

DefaultLifetime: api.DeploymentValues.Sessions.DefaultDuration.Value(),

})

if err != nil {

logger.Error(ctx, "unable to create API key", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Failed to create API key.",

Detail: err.Error(),

})

return

}

aReq.New = *key

http.SetCookie(rw, cookie)

httpapi.Write(ctx, rw, http.StatusCreated, codersdk.LoginWithPasswordResponse{

SessionToken: cookie.Value,

})

}

// loginRequest will process a LoginWithPasswordRequest and return the user if

// the credentials are correct. If 'false' is returned, the authentication failed

// and the appropriate error will be written to the ResponseWriter.

//

// The user struct is always returned, even if authentication failed. This is

// to support knowing what user attempted to login.

func (api *API) loginRequest(ctx context.Context, rw http.ResponseWriter, req codersdk.LoginWithPasswordRequest) (database.User, rbac.Subject, bool) {

logger := api.Logger.Named(userAuthLoggerName)

//nolint:gocritic // In order to login, we need to get the user first!

user, err := api.Database.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{

Email: req.Email,

})

if err != nil && !xerrors.Is(err, sql.ErrNoRows) {

logger.Error(ctx, "unable to fetch user by email", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error.",

})

return user, rbac.Subject{}, false

}

// If the user doesn't exist, it will be a default struct.

equal, err := userpassword.Compare(string(user.HashedPassword), req.Password)

if err != nil {

logger.Error(ctx, "unable to compare passwords", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error.",

})

return user, rbac.Subject{}, false

}

if !equal {

// This message is the same as above to remove ease in detecting whether

// users are registered or not. Attackers still could with a timing attack.

httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{

Message: "Incorrect email or password.",

})

return user, rbac.Subject{}, false

}

// If password authentication is disabled and the user does not have the

// owner role, block the request.

if api.DeploymentValues.DisablePasswordAuth {

httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{

Message: "Password authentication is disabled.",

})

return user, rbac.Subject{}, false

}

if user.LoginType != database.LoginTypePassword {

httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{

Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypePassword, user.LoginType),

})

return user, rbac.Subject{}, false

}

user, err = ActivateDormantUser(api.Logger, &api.Auditor, api.Database)(ctx, user)

if err != nil {

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error.",

Detail: err.Error(),

})

return user, rbac.Subject{}, false

}

subject, userStatus, err := httpmw.UserRBACSubject(ctx, api.Database, user.ID, rbac.ScopeAll)

if err != nil {

logger.Error(ctx, "unable to fetch authorization user roles", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error.",

})

return user, rbac.Subject{}, false

}

// If the user logged into a suspended account, reject the login request.

if userStatus != database.UserStatusActive {

httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{

Message: fmt.Sprintf("Your account is %s. Contact an admin to reactivate your account.", userStatus),

})

return user, rbac.Subject{}, false

}

return user, subject, true

}

func ActivateDormantUser(logger slog.Logger, auditor *atomic.Pointer[audit.Auditor], db database.Store) func(ctx context.Context, user database.User) (database.User, error) {

return func(ctx context.Context, user database.User) (database.User, error) {

if user.ID == uuid.Nil || user.Status != database.UserStatusDormant {

return user, nil

}

//nolint:gocritic // System needs to update status of the user account (dormant -> active).

newUser, err := db.UpdateUserStatus(dbauthz.AsSystemRestricted(ctx), database.UpdateUserStatusParams{

ID: user.ID,

Status: database.UserStatusActive,

UpdatedAt: dbtime.Now(),

UserIsSeen: true,

})

if err != nil {

logger.Error(ctx, "unable to update user status to active", slog.Error(err))

return user, xerrors.Errorf("update user status: %w", err)

}

oldAuditUser := user

newAuditUser := user

newAuditUser.Status = database.UserStatusActive

audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.User]{

Audit: *auditor.Load(),

Log: logger,

UserID: user.ID,

Action: database.AuditActionWrite,

Old: oldAuditUser,

New: newAuditUser,

Status: http.StatusOK,

AdditionalFields: audit.BackgroundTaskFieldsBytes(ctx, logger, audit.BackgroundSubsystemDormancy),

})

return newUser, nil

}

}

// Clear the user's session cookie.

//

// @Summary Log out user

// @ID log-out-user

// @Security CoderSessionToken

// @Produce json

// @Tags Users

// @Success 200 {object} codersdk.Response

// @Router /users/logout [post]

func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {

var (

ctx = r.Context()

auditor = api.Auditor.Load()

aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionLogout,

})

)

defer commitAudit()

// Get a blank token cookie.

cookie := &http.Cookie{

// MaxAge < 0 means to delete the cookie now.

MaxAge: -1,

Name: codersdk.SessionTokenCookie,

Path: "/",

}

http.SetCookie(rw, api.DeploymentValues.HTTPCookies.Apply(cookie))

// Delete the session token from database.

apiKey := httpmw.APIKey(r)

aReq.Old = apiKey

logger := api.Logger.Named(userAuthLoggerName)

err := api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)

if err != nil {

logger.Error(ctx, "unable to delete API key", slog.F("api_key", apiKey.ID), slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error deleting API key.",

Detail: err.Error(),

})

return

}

// Invalidate all subdomain app tokens. This saves us from having to

// track which app tokens are associated which this browser session and

// doesn't inconvenience the user as they'll just get redirected if they try

// to access the app again.

err = api.Database.DeleteApplicationConnectAPIKeysByUserID(ctx, apiKey.UserID)

if err != nil {

logger.Error(ctx, "unable to invalidate subdomain app tokens", slog.F("user_id", apiKey.UserID), slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error deleting app tokens.",

Detail: err.Error(),

})

return

}

aReq.New = database.APIKey{}

httpapi.Write(ctx, rw, http.StatusOK, codersdk.Response{

Message: "Logged out!",

})

}

// GithubOAuth2Team represents a team scoped to an organization.

type GithubOAuth2Team struct {

Organization string

Slug string

}

// GithubOAuth2Provider exposes required functions for the Github authentication flow.

type GithubOAuth2Config struct {

promoauth.OAuth2Config

AuthenticatedUser func(ctx context.Context, client *http.Client) (*github.User, error)

ListEmails func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error)

ListOrganizationMemberships func(ctx context.Context, client *http.Client) ([]*github.Membership, error)

TeamMembership func(ctx context.Context, client *http.Client, org, team, username string) (*github.Membership, error)

DeviceFlowEnabled bool

ExchangeDeviceCode func(ctx context.Context, deviceCode string) (*oauth2.Token, error)

AuthorizeDevice func(ctx context.Context) (*codersdk.ExternalAuthDevice, error)

AllowSignups bool

AllowEveryone bool

AllowOrganizations []string

AllowTeams []GithubOAuth2Team

DefaultProviderConfigured bool

}

func (*GithubOAuth2Config) PKCESupported() []promoauth.Oauth2PKCEChallengeMethod {

return []promoauth.Oauth2PKCEChallengeMethod{promoauth.PKCEChallengeMethodSha256}

}

func (c *GithubOAuth2Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {

if !c.DeviceFlowEnabled {

return c.OAuth2Config.Exchange(ctx, code, opts...)

}

return c.ExchangeDeviceCode(ctx, code)

}

func (c *GithubOAuth2Config) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {

if !c.DeviceFlowEnabled {

return c.OAuth2Config.AuthCodeURL(state, opts...)

}

// This is an absolute path in the Coder app. The device flow is orchestrated

// by the Coder frontend, so we need to redirect the user to the device flow page.

return "/login/device?state=" + state

}

// @Summary Get authentication methods

// @ID get-authentication-methods

// @Security CoderSessionToken

// @Produce json

// @Tags Users

// @Success 200 {object} codersdk.AuthMethods

// @Router /users/authmethods [get]

func (api *API) userAuthMethods(rw http.ResponseWriter, r *http.Request) {

var signInText string

var iconURL string

if api.OIDCConfig != nil {

signInText = api.OIDCConfig.SignInText

}

if api.OIDCConfig != nil {

iconURL = api.OIDCConfig.IconURL

}

httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.AuthMethods{

TermsOfServiceURL: api.DeploymentValues.TermsOfServiceURL.Value(),

Password: codersdk.AuthMethod{

Enabled: !api.DeploymentValues.DisablePasswordAuth.Value(),

},

Github: codersdk.GithubAuthMethod{

Enabled: api.GithubOAuth2Config != nil,

DefaultProviderConfigured: api.GithubOAuth2Config != nil && api.GithubOAuth2Config.DefaultProviderConfigured,

},

OIDC: codersdk.OIDCAuthMethod{

AuthMethod: codersdk.AuthMethod{Enabled: api.OIDCConfig != nil},

SignInText: signInText,

IconURL: iconURL,

},

})

}

// @Summary Get Github device auth.

// @ID get-github-device-auth

// @Security CoderSessionToken

// @Produce json

// @Tags Users

// @Success 200 {object} codersdk.ExternalAuthDevice

// @Router /users/oauth2/github/device [get]

func (api *API) userOAuth2GithubDevice(rw http.ResponseWriter, r *http.Request) {

var (

ctx = r.Context()

auditor = api.Auditor.Load()

aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionLogin,

})

)

aReq.Old = database.APIKey{}

defer commitAudit()

if api.GithubOAuth2Config == nil {

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: "Github OAuth2 is not enabled.",

})

return

}

if !api.GithubOAuth2Config.DeviceFlowEnabled {

httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{

Message: "Device flow is not enabled for Github OAuth2.",

})

return

}

deviceAuth, err := api.GithubOAuth2Config.AuthorizeDevice(ctx)

if err != nil {

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Failed to authorize device.",

Detail: err.Error(),

})

return

}

httpapi.Write(ctx, rw, http.StatusOK, deviceAuth)

}

// @Summary OAuth 2.0 GitHub Callback

// @ID oauth-20-github-callback

// @Security CoderSessionToken

// @Tags Users

// @Success 307

// @Router /users/oauth2/github/callback [get]

func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {

var (

// userOAuth2Github is a system function.

//nolint:gocritic

ctx = dbauthz.AsSystemRestricted(r.Context())

state = httpmw.OAuth2(r)

auditor = api.Auditor.Load()

aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{

Audit: *auditor,

Log: api.Logger,

Request: r,

Action: database.AuditActionLogin,

})

)

aReq.Old = database.APIKey{}

defer commitAudit()

oauthClient := oauth2.NewClient(ctx, oauth2.StaticTokenSource(state.Token))

logger := api.Logger.Named(userAuthLoggerName)

var selectedMemberships []*github.Membership

var organizationNames []string

redirect := state.Redirect

if !api.GithubOAuth2Config.AllowEveryone {

memberships, err := api.GithubOAuth2Config.ListOrganizationMemberships(ctx, oauthClient)

if err != nil {

logger.Error(ctx, "unable to list organization members", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error fetching authenticated Github user organizations.",

Detail: err.Error(),

})

return

}

for _, membership := range memberships {

if membership.GetState() != "active" {

continue

}

for _, allowed := range api.GithubOAuth2Config.AllowOrganizations {

if *membership.Organization.Login != allowed {

continue

}

selectedMemberships = append(selectedMemberships, membership)

organizationNames = append(organizationNames, membership.Organization.GetLogin())

break

}

}

if len(selectedMemberships) == 0 {

status := http.StatusUnauthorized

msg := "You aren't a member of the authorized Github organizations!"

if api.GithubOAuth2Config.DeviceFlowEnabled {

// In the device flow, the error is rendered client-side.

httpapi.Write(ctx, rw, status, codersdk.Response{

Message: "Unauthorized",

Detail: msg,

})

} else {

httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)

}

return

}

}

ghUser, err := api.GithubOAuth2Config.AuthenticatedUser(ctx, oauthClient)

if err != nil {

logger.Error(ctx, "oauth2: unable to fetch authenticated user", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error fetching authenticated Github user.",

Detail: err.Error(),

})

return

}

// The default if no teams are specified is to allow all.

if !api.GithubOAuth2Config.AllowEveryone && len(api.GithubOAuth2Config.AllowTeams) > 0 {

var allowedTeam *github.Membership

for _, allowTeam := range api.GithubOAuth2Config.AllowTeams {

if allowedTeam != nil {

break

}

for _, selectedMembership := range selectedMemberships {

if allowTeam.Organization != *selectedMembership.Organization.Login {

// This needs to continue because multiple organizations

// could exist in the allow/team listings.

continue

}

allowedTeam, err = api.GithubOAuth2Config.TeamMembership(ctx, oauthClient, allowTeam.Organization, allowTeam.Slug, *ghUser.Login)

// The calling user may not have permission to the requested team!

if err != nil {

continue

}

}

}

if allowedTeam == nil {

msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)

status := http.StatusUnauthorized

if api.GithubOAuth2Config.DeviceFlowEnabled {

// In the device flow, the error is rendered client-side.

httpapi.Write(ctx, rw, status, codersdk.Response{

Message: "Unauthorized",

Detail: msg,

})

} else {

httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)

}

return

}

}

emails, err := api.GithubOAuth2Config.ListEmails(ctx, oauthClient)

if err != nil {

logger.Error(ctx, "oauth2: unable to list emails", slog.Error(err))

httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{

Message: "Internal error fetching personal Github user.",

Detail: err.Error(),

})

return

}