coder
diff --git a/‎.vscode/settings.json
+2 b/‎.vscode/settings.json
+2
diff --git a/‎cli/start.go
+42 b/‎cli/start.go
+42
diff --git a/‎coderd/coderd.go
+18-15 b/‎coderd/coderd.go
+18-15
diff --git a/‎coderd/coderdtest/coderdtest.go
+2-2 b/‎coderd/coderdtest/coderdtest.go
+2-2
diff --git a/‎coderd/database/databasefake/databasefake.go
+15-18 b/‎coderd/database/databasefake/databasefake.go
+15-18
diff --git a/‎coderd/database/dump.sql
+6-9 b/‎coderd/database/dump.sql
+6-9
diff --git a/‎coderd/database/migrations/000001_base.up.sql
+6-17 b/‎coderd/database/migrations/000001_base.up.sql
+6-17
@@ -35,6 +35,7 @@
     "nolint",
     "nosec",
     "ntqry",
+    "OIDC",
     "oneof",
     "parameterscopeid",
     "pqtype",
@@ -46,6 +47,7 @@
     "ptytest",
     "retrier",
     "sdkproto",
+    "Signup",
     "stretchr",
     "TCGETS",
     "tcpip",
 
@@ -18,7 +18,10 @@ import (
 
 	"github.com/briandowns/spinner"
 	"github.com/coreos/go-systemd/daemon"
+	"github.com/google/go-github/v43/github"
 	"github.com/spf13/cobra"
+	"golang.org/x/oauth2"
+	xgithub "golang.org/x/oauth2/github"
 	"golang.org/x/xerrors"
 	"google.golang.org/api/idtoken"
 	"google.golang.org/api/option"
@@ -153,13 +156,19 @@ func start() *cobra.Command {
 				return xerrors.Errorf("parse ssh keygen algorithm %s: %w", sshKeygenAlgorithmRaw, err)
 			}
 
+			githubOAuth2Config, err := configureGithubOAuth2(accessURLParsed, "", "")
+			if err != nil {
+				return xerrors.Errorf("configure github oauth2: %w", err)
+			}
+
 			logger := slog.Make(sloghuman.Sink(os.Stderr))
 			options := &coderd.Options{
 				AccessURL:            accessURLParsed,
 				Logger:               logger.Named("coderd"),
 				Database:             databasefake.New(),
 				Pubsub:               database.NewPubsubInMemory(),
 				GoogleTokenValidator: validator,
+				GithubOAuth2Config:   githubOAuth2Config,
 				SecureAuthCookie:     secureAuthCookie,
 				SSHKeygenAlgorithm:   sshKeygenAlgorithm,
 			}
@@ -534,3 +543,36 @@ func configureTLS(listener net.Listener, tlsMinVersion, tlsClientAuth, tlsCertFi
 
 	return tls.NewListener(listener, tlsConfig), nil
 }
+
+func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string) (*coderd.GithubOAuth2Config, error) {
+	redirectURL, err := accessURL.Parse("/api/v2/users/oauth2/github/callback")
+	if err != nil {
+		return nil, xerrors.Errorf("parse github oauth callback url: %w", err)
+	}
+	return &coderd.GithubOAuth2Config{
+		OAuth2Config: &oauth2.Config{
+			ClientID:     clientID,
+			ClientSecret: clientSecret,
+			Endpoint:     xgithub.Endpoint,
+			RedirectURL:  redirectURL.String(),
+			Scopes: []string{
+				"read:user",
+				"user:email",
+			},
+		},
+		AllowSignups:       true,
+		AllowOrganizations: []string{"coder"},
+		AuthenticatedUser: func(ctx context.Context, client *http.Client) (*github.User, error) {
+			user, _, err := github.NewClient(client).Users.Get(ctx, "")
+			return user, err
+		},
+		ListEmails: func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error) {
+			emails, _, err := github.NewClient(client).Users.ListEmails(ctx, &github.ListOptions{})
+			return emails, err
+		},
+		ListOrganizations: func(ctx context.Context, client *http.Client) ([]*github.Organization, error) {
+			orgs, _, err := github.NewClient(client).Organizations.List(ctx, "", &github.ListOptions{})
+			return orgs, err
+		},
+	}, nil
+}
@@ -34,7 +34,7 @@ type Options struct {
 
 	AWSCertificates      awsidentity.Certificates
 	GoogleTokenValidator *idtoken.Validator
-	GithubOAuth2Provider GithubOAuth2Provider
+	GithubOAuth2Config   *GithubOAuth2Config
 
 	SecureAuthCookie   bool
 	SSHKeygenAlgorithm gitsshkey.Algorithm
@@ -51,6 +51,9 @@ func New(options *Options) (http.Handler, func()) {
 	api := &api{
 		Options: options,
 	}
+	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, &httpmw.OAuth2Configs{
+		Github: options.GithubOAuth2Config,
+	})
 
 	r := chi.NewRouter()
 	r.Route("/api/v2", func(r chi.Router) {
@@ -75,7 +78,7 @@ func New(options *Options) (http.Handler, func()) {
 		})
 		r.Route("/files", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				// This number is arbitrary, but reading/writing
 				// file content is expensive so it should be small.
 				httpmw.RateLimitPerMinute(12),
@@ -85,7 +88,7 @@ func New(options *Options) (http.Handler, func()) {
 		})
 		r.Route("/organizations/{organization}", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				httpmw.ExtractOrganizationParam(options.Database),
 			)
 			r.Get("/", api.organization)
@@ -98,7 +101,7 @@ func New(options *Options) (http.Handler, func()) {
 			})
 		})
 		r.Route("/parameters/{scope}/{id}", func(r chi.Router) {
-			r.Use(httpmw.ExtractAPIKey(options.Database, nil))
+			r.Use(apiKeyMiddleware)
 			r.Post("/", api.postParameter)
 			r.Get("/", api.parameters)
 			r.Route("/{name}", func(r chi.Router) {
@@ -107,7 +110,7 @@ func New(options *Options) (http.Handler, func()) {
 		})
 		r.Route("/templates/{template}", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				httpmw.ExtractTemplateParam(options.Database),
 				httpmw.ExtractOrganizationParam(options.Database),
 			)
@@ -121,7 +124,7 @@ func New(options *Options) (http.Handler, func()) {
 		})
 		r.Route("/templateversions/{templateversion}", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				httpmw.ExtractTemplateVersionParam(options.Database),
 				httpmw.ExtractOrganizationParam(options.Database),
 			)
@@ -143,14 +146,14 @@ func New(options *Options) (http.Handler, func()) {
 			r.Post("/first", api.postFirstUser)
 			r.Post("/login", api.postLogin)
 			r.Post("/logout", api.postLogout)
-			r.Route("/auth", func(r chi.Router) {
-				r.Route("/callback/github", func(r chi.Router) {
-					r.Use(httpmw.ExtractOAuth2(options.GithubOAuth2Provider))
-					r.Get("/", api.userAuthGithub)
+			r.Route("/oauth2", func(r chi.Router) {
+				r.Route("/github", func(r chi.Router) {
+					r.Use(httpmw.ExtractOAuth2(options.GithubOAuth2Config))
+					r.Get("/callback", api.userOAuth2Github)
 				})
 			})
 			r.Group(func(r chi.Router) {
-				r.Use(httpmw.ExtractAPIKey(options.Database, nil))
+				r.Use(apiKeyMiddleware)
 				r.Post("/", api.postUsers)
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
@@ -184,7 +187,7 @@ func New(options *Options) (http.Handler, func()) {
 			})
 			r.Route("/{workspaceagent}", func(r chi.Router) {
 				r.Use(
-					httpmw.ExtractAPIKey(options.Database, nil),
+					apiKeyMiddleware,
 					httpmw.ExtractWorkspaceAgentParam(options.Database),
 				)
 				r.Get("/", api.workspaceAgent)
@@ -193,15 +196,15 @@ func New(options *Options) (http.Handler, func()) {
 		})
 		r.Route("/workspaceresources/{workspaceresource}", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				httpmw.ExtractWorkspaceResourceParam(options.Database),
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)
 			r.Get("/", api.workspaceResource)
 		})
 		r.Route("/workspaces/{workspace}", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)
 			r.Get("/", api.workspace)
@@ -219,7 +222,7 @@ func New(options *Options) (http.Handler, func()) {
 		})
 		r.Route("/workspacebuilds/{workspacebuild}", func(r chi.Router) {
 			r.Use(
-				httpmw.ExtractAPIKey(options.Database, nil),
+				apiKeyMiddleware,
 				httpmw.ExtractWorkspaceBuildParam(options.Database),
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)
 
@@ -49,7 +49,7 @@ import (
 
 type Options struct {
 	AWSInstanceIdentity    awsidentity.Certificates
-	GithubOAuth2Provider   coderd.GithubOAuth2Provider
+	GithubOAuth2Config     *coderd.GithubOAuth2Config
 	GoogleInstanceIdentity *idtoken.Validator
 	SSHKeygenAlgorithm     gitsshkey.Algorithm
 }
@@ -116,7 +116,7 @@ func New(t *testing.T, options *Options) *codersdk.Client {
 		Pubsub:                         pubsub,
 
 		AWSCertificates:      options.AWSInstanceIdentity,
-		GithubOAuth2Provider: options.GithubOAuth2Provider,
+		GithubOAuth2Config:   options.GithubOAuth2Config,
 		GoogleTokenValidator: options.GoogleInstanceIdentity,
 		SSHKeygenAlgorithm:   options.SSHKeygenAlgorithm,
 	})
 
@@ -797,21 +797,18 @@ func (q *fakeQuerier) InsertAPIKey(_ context.Context, arg database.InsertAPIKeyP
 
 	//nolint:gosimple
 	key := database.APIKey{
-		ID:               arg.ID,
-		HashedSecret:     arg.HashedSecret,
-		UserID:           arg.UserID,
-		Application:      arg.Application,
-		Name:             arg.Name,
-		LastUsed:         arg.LastUsed,
-		ExpiresAt:        arg.ExpiresAt,
-		CreatedAt:        arg.CreatedAt,
-		UpdatedAt:        arg.UpdatedAt,
-		LoginType:        arg.LoginType,
-		OIDCAccessToken:  arg.OIDCAccessToken,
-		OIDCRefreshToken: arg.OIDCRefreshToken,
-		OIDCIDToken:      arg.OIDCIDToken,
-		OIDCExpiry:       arg.OIDCExpiry,
-		DevurlToken:      arg.DevurlToken,
+		ID:                arg.ID,
+		HashedSecret:      arg.HashedSecret,
+		UserID:            arg.UserID,
+		ExpiresAt:         arg.ExpiresAt,
+		CreatedAt:         arg.CreatedAt,
+		UpdatedAt:         arg.UpdatedAt,
+		LastUsed:          arg.LastUsed,
+		LoginType:         arg.LoginType,
+		OAuthAccessToken:  arg.OAuthAccessToken,
+		OAuthRefreshToken: arg.OAuthRefreshToken,
+		OAuthIDToken:      arg.OAuthIDToken,
+		OAuthExpiry:       arg.OAuthExpiry,
 	}
 	q.apiKeys = append(q.apiKeys, key)
 	return key, nil
@@ -1126,9 +1123,9 @@ func (q *fakeQuerier) UpdateAPIKeyByID(_ context.Context, arg database.UpdateAPI
 		}
 		apiKey.LastUsed = arg.LastUsed
 		apiKey.ExpiresAt = arg.ExpiresAt
-		apiKey.OIDCAccessToken = arg.OIDCAccessToken
-		apiKey.OIDCRefreshToken = arg.OIDCRefreshToken
-		apiKey.OIDCExpiry = arg.OIDCExpiry
+		apiKey.OAuthAccessToken = arg.OAuthAccessToken
+		apiKey.OAuthRefreshToken = arg.OAuthRefreshToken
+		apiKey.OAuthExpiry = arg.OAuthExpiry
 		q.apiKeys[index] = apiKey
 		return nil
 	}
 
@@ -4,14 +4,9 @@
 -- All tables and types are stolen from:
 -- https://github.com/coder/m/blob/47b6fc383347b9f9fab424d829c482defd3e1fe2/product/coder/pkg/database/dump.sql
 
---
--- Name: users; Type: TABLE; Schema: public; Owner: coder
---
-
 CREATE TYPE login_type AS ENUM (
-    'built-in',
-    'saml',
-    'oidc'
+    'basic',
+    'github'
 );
 
 CREATE TABLE IF NOT EXISTS users (
@@ -31,10 +26,6 @@ CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email ON users USING btree (email);
 CREATE UNIQUE INDEX IF NOT EXISTS idx_users_username ON users USING btree (username);
 CREATE UNIQUE INDEX IF NOT EXISTS users_username_lower_idx ON users USING btree (lower(username));
 
---
--- Name: organizations; Type: TABLE; Schema:  Owner: coder
---
-
 CREATE TABLE IF NOT EXISTS organizations (
     id uuid NOT NULL,
     name text NOT NULL,
@@ -68,18 +59,16 @@ CREATE TABLE IF NOT EXISTS api_keys (
     id text NOT NULL,
     hashed_secret bytea NOT NULL,
     user_id uuid NOT NULL,
-    application boolean NOT NULL,
     name text NOT NULL,
     last_used timestamp with time zone NOT NULL,
     expires_at timestamp with time zone NOT NULL,
     created_at timestamp with time zone NOT NULL,
     updated_at timestamp with time zone NOT NULL,
     login_type login_type NOT NULL,
-    oidc_access_token text DEFAULT ''::text NOT NULL,
-    oidc_refresh_token text DEFAULT ''::text NOT NULL,
-    oidc_id_token text DEFAULT ''::text NOT NULL,
-    oidc_expiry timestamp with time zone DEFAULT '0001-01-01 00:00:00+00'::timestamp with time zone NOT NULL,
-    devurl_token boolean DEFAULT false NOT NULL,
+    oauth_access_token text DEFAULT ''::text NOT NULL,
+    oauth_refresh_token text DEFAULT ''::text NOT NULL,
+    oauth_id_token text DEFAULT ''::text NOT NULL,
+    oauth_expiry timestamp with time zone DEFAULT '0001-01-01 00:00:00+00'::timestamp with time zone NOT NULL,
     PRIMARY KEY (id)
 );