From 3b79239a456d4d8e076c4e256d5e901a09f61386 Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Thu, 18 Aug 2022 22:13:49 +0000
Subject: [PATCH 1/2] fix: avoid processing updates to usernames - With the support of OIDC we began processing updates to a user's email and username to stay in sync with the upstream provider. This can cause issues in templates that use the user's username as a stable identifier, potentially causing the deletion of user's home volumes. - Fix some faulty error wrapping.
---
 coderd/userauth.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/coderd/userauth.go b/coderd/userauth.go
index 865f2afeb90fa..d560732c962f3 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -235,7 +235,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 if err != nil {
 httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 Message: "A database error occurred.",
- Detail: xerrors.Errorf("update user link: %w", err.Error).Error(),
+ Detail: fmt.Sprintf("update user link: %s", err.Error()),
 })
 return
 }
@@ -443,7 +443,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 if err != nil {
 httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 Message: "A database error occurred.",
- Detail: xerrors.Errorf("update user link: %w", err.Error).Error(),
+ Detail: fmt.Sprintf("update user link: %s", err.Error()),
 })
 return
 }
@@ -479,7 +479,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 user, err = api.Database.UpdateUserProfile(ctx, database.UpdateUserProfileParams{
 ID: user.ID,
 Email: claims.Email,
- Username: claims.Username,
+ // TODO: This should run in a transaction.
+ Username: user.Username,
 UpdatedAt: database.Now(),
 })
 if err != nil {
From e09966d2e81e61b62dfbf7b2849399db969f6d6b Mon Sep 17 00:00:00 2001
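Review bot: The `Detail` field in the `update user link` error path of userOAuth2Github (hunk at -235) still returns the raw database error text to the HTTP client, and the identical line appears in userOIDC (hunk at -443). Both handlers are login callbacks, so the caller is presumably not yet authenticated, and driver messages can reveal table, constraint or query details. I would log the wrapped error on the server and send a fixed string instead, e.g. `Detail: "update user link failed"`. Both functions start and end outside their hunks, so whether a logger is already in scope there needs checking.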
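Review bot: In the -479 hunk of userOIDC, the reason `Username` is now pinned to `user.Username` lives only in the commit message, and the added TODO sits on that field although it concerns the whole `UpdateUserProfile` call. I would move the TODO above the call and put the rationale on the field, e.g. `// Username is deliberately not synced from claims: templates may use it as a stable identifier.`. `Email` is still taken from `claims.Email`; whether anything downstream also keys on the email address cannot be judged from the hunk. The condition guarding this call is outside the hunk; if it still compares `claims.Username`, it would now cause a profile write on every login for a user whose upstream username differs.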
From: Jon Ayers
Date: Thu, 18 Aug 2022 22:39:05 +0000
Subject: [PATCH 2/2] set correct login type for OIDC
---
 coderd/userauth.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/coderd/userauth.go b/coderd/userauth.go
index d560732c962f3..58d101671cf20 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -229,8 +229,8 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 if link.LinkedID == "" {
 link, err = api.Database.UpdateUserLinkedID(ctx, database.UpdateUserLinkedIDParams{
 UserID: user.ID,
- LinkedID: githubLinkedID(ghUser),
 LoginType: database.LoginTypeGithub,
+ LinkedID: githubLinkedID(ghUser),
 })
 if err != nil {
 httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
@@ -437,8 +437,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 if link.LinkedID == "" {
 link, err = api.Database.UpdateUserLinkedID(ctx, database.UpdateUserLinkedIDParams{
 UserID: user.ID,
+ LoginType: database.LoginTypeOIDC,
 LinkedID: oidcLinkedID(idToken),
- LoginType: database.LoginTypeGithub,
 })
 if err != nil {
 httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
@@ -477,8 +477,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 // longer sign in until an administrator finds the offending built-in
 // user and changes their username.
 user, err = api.Database.UpdateUserProfile(ctx, database.UpdateUserProfileParams{
- ID: user.ID,
- Email: claims.Email,
+ ID: user.ID,
+ Email: claims.Email,
 // TODO: This should run in a transaction.
 Username: user.Username,
 UpdatedAt: database.Now(),
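Review bot: No regression test accompanies the `LoginType: database.LoginTypeOIDC` fix in the -437 hunk of userOIDC; the diffstat touches only coderd/userauth.go. A test that signs in through OIDC with an empty `LinkedID` and asserts that the resulting link carries the OIDC login type would keep the two handlers from being cross-wired again. If `LoginType` is part of what `UpdateUserLinkedID` matches on (the query is not visible here), links processed by the old code may have been written against the GitHub type and deserve a one-off check, since this branch only runs while `link.LinkedID == ""`. The enclosing function starts and ends outside the hunk.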