fix: allow orgs with default github provider (#16755)

hugodutka · web-flow · commit 95347b2b93f3 · 2025-03-03T16:05:45.000+01:00
This PR fixes 2 bugs:

## Problem 1

The server would fail to start when the default github provider was
configured and the flag `--oauth2-github-allowed-orgs` was set. The
error was

```
error: configure github oauth2: allow everyone and allowed orgs cannot be used together
```

This PR fixes it by enabling "allow everone" with the default provider
only if "allowed orgs" isn't set.

## Problem 2

The default github provider uses the device flow to authorize users, and
that's handled differently by our web UI than the standard oauth flow.
In particular, the web UI only handles JSON responses rather than HTTP
redirects. There were 2 code paths that returned redirects, and the PR
changes them to return JSON messages instead if the device flow is
configured.
diff --git a/cli/server.go b/cli/server.go
@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c
 	}
 
 	params.clientID = GithubOAuth2DefaultProviderClientID
-	params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
 	params.deviceFlow = GithubOAuth2DefaultProviderDeviceFlow
+	if len(params.allowOrgs) == 0 {
+		params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone
+	}
 
 	return &params, nil
 }
diff --git a/cli/server_test.go b/cli/server_test.go
@@ -314,6 +314,7 @@ func TestServer(t *testing.T) {
 			githubDefaultProviderEnabled          string
 			githubClientID                        string
 			githubClientSecret                    string
+			allowedOrg                            string
 			expectGithubEnabled                   bool
 			expectGithubDefaultProviderConfigured bool
 			createUserPreStart                    bool
@@ -355,7 +356,9 @@ func TestServer(t *testing.T) {
 			if tc.githubDefaultProviderEnabled != "" {
 				args = append(args, fmt.Sprintf("--oauth2-github-default-provider-enable=%s", tc.githubDefaultProviderEnabled))
 			}
-
+			if tc.allowedOrg != "" {
+				args = append(args, fmt.Sprintf("--oauth2-github-allowed-orgs=%s", tc.allowedOrg))
+			}
 			inv, cfg := clitest.New(t, args...)
 			errChan := make(chan error, 1)
 			go func() {
@@ -439,6 +442,12 @@ func TestServer(t *testing.T) {
 				expectGithubEnabled:                   true,
 				expectGithubDefaultProviderConfigured: false,
 			},
+			{
+				name:                                  "AllowedOrg",
+				allowedOrg:                            "coder",
+				expectGithubEnabled:                   true,
+				expectGithubDefaultProviderConfigured: true,
+			},
 		} {
 			tc := tc
 			t.Run(tc.name, func(t *testing.T) {
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -922,7 +922,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if len(selectedMemberships) == 0 {
-			httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)
+			status := http.StatusUnauthorized
+			msg := "You aren't a member of the authorized Github organizations!"
+			if api.GithubOAuth2Config.DeviceFlowEnabled {
+				// In the device flow, the error is rendered client-side.
+				httpapi.Write(ctx, rw, status, codersdk.Response{
+					Message: "Unauthorized",
+					Detail:  msg,
+				})
+			} else {
+				httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
+			}
 			return
 		}
 	}
@@ -959,7 +969,17 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if allowedTeam == nil {
-			httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)
+			msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)
+			status := http.StatusUnauthorized
+			if api.GithubOAuth2Config.DeviceFlowEnabled {
+				// In the device flow, the error is rendered client-side.
+				httpapi.Write(ctx, rw, status, codersdk.Response{
+					Message: "Unauthorized",
+					Detail:  msg,
+				})
+			} else {
+				httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)
+			}
 			return
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c`
`1911`	`1911`	`}`
`1912`	`1912`
`1913`	`1913`	`params.clientID = GithubOAuth2DefaultProviderClientID`
`1914`		`- params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone`
`1915`	`1914`	`params.deviceFlow = GithubOAuth2DefaultProviderDeviceFlow`
	`1915`	`+ if len(params.allowOrgs) == 0 {`
	`1916`	`+ params.allowEveryone = GithubOAuth2DefaultProviderAllowEveryone`
	`1917`	`+ }`
`1916`	`1918`
`1917`	`1919`	`return &params, nil`
`1918`	`1920`	`}`
Original file line number	Diff line number	Diff line change
`@@ -922,7 +922,17 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`922`	`922`	`}`
`923`	`923`	`}`
`924`	`924`	`if len(selectedMemberships) == 0 {`
`925`		`- httpmw.CustomRedirectToLogin(rw, r, redirect, "You aren't a member of the authorized Github organizations!", http.StatusUnauthorized)`
	`925`	`+ status := http.StatusUnauthorized`
	`926`	`+ msg := "You aren't a member of the authorized Github organizations!"`
	`927`	`+ if api.GithubOAuth2Config.DeviceFlowEnabled {`
	`928`	`+ // In the device flow, the error is rendered client-side.`
	`929`	`+ httpapi.Write(ctx, rw, status, codersdk.Response{`
	`930`	`+ Message: "Unauthorized",`
	`931`	`+ Detail: msg,`
	`932`	`+ })`
	`933`	`+ } else {`
	`934`	`+ httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)`
	`935`	`+ }`
`926`	`936`	`return`
`927`	`937`	`}`
`928`	`938`	`}`
`@@ -959,7 +969,17 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`959`	`969`	`}`
`960`	`970`	`}`
`961`	`971`	`if allowedTeam == nil {`
`962`		`- httpmw.CustomRedirectToLogin(rw, r, redirect, fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames), http.StatusUnauthorized)`
	`972`	`+ msg := fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!", organizationNames)`
	`973`	`+ status := http.StatusUnauthorized`
	`974`	`+ if api.GithubOAuth2Config.DeviceFlowEnabled {`
	`975`	`+ // In the device flow, the error is rendered client-side.`
	`976`	`+ httpapi.Write(ctx, rw, status, codersdk.Response{`
	`977`	`+ Message: "Unauthorized",`
	`978`	`+ Detail: msg,`
	`979`	`+ })`
	`980`	`+ } else {`
	`981`	`+ httpmw.CustomRedirectToLogin(rw, r, redirect, msg, status)`
	`982`	`+ }`
`963`	`983`	`return`
`964`	`984`	`}`
`965`	`985`	`}`