- **Use helper scripts**:

- `./coderd/database/migrations/create_migration.sh "migration name"` - Creates new migration files

- `./coderd/database/migrations/fix_migration_numbers.sh` - Renumbers migrations to avoid conflicts

- `./coderd/database/migrations/create_fixture.sh "fixture name"` - Creates test fixtures for migrations

### In-Memory Database Testing

When adding new database fields:

- **CRITICAL**: Update `coderd/database/dbmem/dbmem.go` in-memory implementations

- The `Insert*` functions must include ALL new fields, not just basic ones

- Common issue: Tests pass with real database but fail with in-memory database due to missing field mappings

- Always verify in-memory database functions match the real database schema after migrations

Example pattern:

6. **RFC 8707 Resource Indicators**:

- Store resource parameters in database for server-side validation (opaque tokens)

- Validate resource consistency between authorization and token requests

- Support audience validation in refresh token flows

- Resource parameter is optional but must be consistent when provided

7. **OAuth2 tests failing but scripts working** - Check in-memory database implementations in `dbmem.go`

8. **Resource indicator validation failing** - Ensure database stores and retrieves resource parameters correctly

9. **PKCE tests failing** - Verify both authorization code storage and token exchange handle PKCE fields

func (q *querier) GetOAuth2ProviderAppTokenByAPIKeyID(ctx context.Context, apiKeyID string) (database.OAuth2ProviderAppToken, error) {

token, err := q.db.GetOAuth2ProviderAppTokenByAPIKeyID(ctx, apiKeyID)

if err != nil {

return database.OAuth2ProviderAppToken{}, err

}

// Get the associated API key to check ownership

apiKey, err := q.db.GetAPIKeyByID(ctx, token.APIKeyID)

if err != nil {

return database.OAuth2ProviderAppToken{}, err

}

if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppCodeToken.WithOwner(apiKey.UserID.String())); err != nil {

return database.OAuth2ProviderAppToken{}, err

}

return token, nil

}

// New OAuth2 resource-indicator methods (RFC 8707); tests to be added

"GetOAuth2ProviderAppTokenByAPIKeyID": "Not relevant",

func (q *FakeQuerier) GetOAuth2ProviderAppTokenByAPIKeyID(_ context.Context, apiKeyID string) (database.OAuth2ProviderAppToken, error) {

q.mutex.Lock()

defer q.mutex.Unlock()

for _, token := range q.oauth2ProviderAppTokens {

if token.APIKeyID == apiKeyID {

return token, nil

}

}

return database.OAuth2ProviderAppToken{}, sql.ErrNoRows

}

SELECT * FROM oauth2_provider_app_tokens WHERE api_key_id = $1;

// Validate OAuth2 provider app token audience (RFC 8707) if applicable

if key.LoginType == database.LoginTypeOAuth2ProviderApp {

if err := validateOAuth2ProviderAppTokenAudience(ctx, cfg.DB, *key, r); err != nil {

return optionalWrite(http.StatusForbidden, codersdk.Response{

Message: "Token audience mismatch",

Detail: err.Error(),

})

}

}

func validateOAuth2ProviderAppTokenAudience(ctx context.Context, db database.Store, key database.APIKey, r *http.Request) error {

// Get the OAuth2 provider app token to check its audience

//nolint:gocritic // System needs to access token for audience validation

token, err := db.GetOAuth2ProviderAppTokenByAPIKeyID(dbauthz.AsSystemRestricted(ctx), key.ID)

if err != nil {

return xerrors.Errorf("failed to get OAuth2 token: %w", err)

}

// If no audience is set, allow the request (for backward compatibility)

if !token.Audience.Valid || token.Audience.String == "" {

return nil

}

// Extract the expected audience from the request

expectedAudience := extractExpectedAudience(r)

// Validate that the token's audience matches the expected audience

if token.Audience.String != expectedAudience {

return xerrors.Errorf("token audience %q does not match expected audience %q",

token.Audience.String, expectedAudience)

}

return nil

}

func extractExpectedAudience(r *http.Request) string {

// For MCP compliance, the audience should be the canonical URI of the resource server

// This typically matches the access URL of the Coder deployment

scheme := "https"

if r.TLS == nil {

scheme = "http"

}

// Use the Host header to construct the canonical audience URI

return fmt.Sprintf("%s://%s", scheme, r.Host)

}

// Validate resource indicator syntax (RFC 8707): must be absolute URI without fragment

if params.resource != "" {

if u, err := url.Parse(params.resource); err != nil || u.Scheme == "" || u.Fragment != "" {

p.Errors = append(p.Errors, codersdk.ValidationError{

Field: "resource",

Detail: "must be an absolute URI without fragment",

})

}

}

// errInvalidResource means the resource parameter validation failed.

errInvalidResource = xerrors.New("invalid resource parameter")

// Validate resource parameter syntax (RFC 8707): must be absolute URI without fragment

if params.resource != "" {

if u, err := url.Parse(params.resource); err != nil || u.Scheme == "" || u.Fragment != "" {

p.Errors = append(p.Errors, codersdk.ValidationError{

Field: "resource",

Detail: "must be an absolute URI without fragment",

})

}

}

if errors.Is(err, errInvalidResource) {

writeOAuth2Error(ctx, rw, http.StatusBadRequest, "invalid_target", "The resource parameter is invalid")

return

}

// Verify resource parameter consistency (RFC 8707)

if dbCode.ResourceUri.Valid && dbCode.ResourceUri.String != "" {

// Resource was specified during authorization - it must match in token request

if params.resource == "" {

return oauth2.Token{}, errInvalidResource

}

if params.resource != dbCode.ResourceUri.String {

return oauth2.Token{}, errInvalidResource

}

} else if params.resource != "" {

// Resource was not specified during authorization but is now provided

return oauth2.Token{}, errInvalidResource

}

// Verify resource parameter consistency for refresh tokens (RFC 8707)

if params.resource != "" {

// If resource is provided in refresh request, it must match the original token's audience

if !dbToken.Audience.Valid || dbToken.Audience.String != params.resource {

return oauth2.Token{}, errInvalidResource

}

}