coder
diff --git a/‎coderd/authentication.go
Lines changed: 1 addition & 0 deletions b/‎coderd/authentication.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 3 additions & 1 deletion b/‎coderd/coderd.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 20 additions & 2 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 20 additions & 2 deletions
diff --git a/‎coderd/coderdtest/coderdtest_test.go
Lines changed: 2 additions & 1 deletion b/‎coderd/coderdtest/coderdtest_test.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/users.go
Lines changed: 144 additions & 4 deletions b/‎coderd/users.go
Lines changed: 144 additions & 4 deletions
diff --git a/‎coderd/users_test.go
Lines changed: 26 additions & 2 deletions b/‎coderd/users_test.go
Lines changed: 26 additions & 2 deletions
diff --git a/‎codersdk/authentication.go
Lines changed: 5 additions & 0 deletions b/‎codersdk/authentication.go
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1 @@
+package coderd
@@ -25,13 +25,15 @@ func New(options *Options) http.Handler {
 
 	r := chi.NewRouter()
 	r.Route("/api/v2", func(r chi.Router) {
+		// The base route!
 		r.Get("/", func(w http.ResponseWriter, r *http.Request) {
 			httpapi.Write(w, http.StatusOK, httpapi.Response{
 				Message: "👋",
 			})
 		})
+		r.Post("/user", users.createInitialUser)
+		// Require an API key and authenticated user for this group.
 		r.Group(func(r chi.Router) {
-			// Require an API key and authenticated user to call this route.
 			r.Use(
 				httpmw.ExtractAPIKey(options.Database, nil),
 				httpmw.ExtractUser(options.Database),
 
@@ -1,18 +1,24 @@
 package coderdtest
 
 import (
+	"context"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/coderd"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/database"
 	"github.com/coder/coder/database/databasefake"
 )
 
 type Server struct {
+	Client   *codersdk.Client
 	Database database.Store
-	URL      string
+	URL      *url.URL
 }
 
 func New(t *testing.T) Server {
@@ -23,9 +29,21 @@ func New(t *testing.T) Server {
 		Database: db,
 	})
 	srv := httptest.NewServer(handler)
+	u, err := url.Parse(srv.URL)
+	require.NoError(t, err)
 	t.Cleanup(srv.Close)
+
+	client := codersdk.New(u, &codersdk.Options{})
+	_, err = client.CreateInitialUser(context.Background(), coderd.CreateUserRequest{
+		Email:    "testuser@coder.com",
+		Username: "testuser",
+		Password: "testpassword",
+	})
+	require.NoError(t, err)
+
 	return Server{
+		Client:   client,
 		Database: db,
-		URL:      srv.URL,
+		URL:      u,
 	}
 }
@@ -3,8 +3,9 @@ package coderdtest_test
 import (
 	"testing"
 
-	"github.com/coder/coder/coderd/coderdtest"
 	"go.uber.org/goleak"
+
+	"github.com/coder/coder/coderd/coderdtest"
 )
 
 func TestMain(m *testing.M) {
 
@@ -1,26 +1,108 @@
 package coderd
 
 import (
+	"context"
+	"database/sql"
+	"errors"
+	"fmt"
 	"net/http"
 	"time"
 
 	"github.com/go-chi/render"
+	"github.com/google/uuid"
 
+	"github.com/coder/coder/coderd/userpassword"
 	"github.com/coder/coder/database"
+	"github.com/coder/coder/httpapi"
 	"github.com/coder/coder/httpmw"
 )
 
 type User struct {
-	ID        string    `json:"id"`
-	Email     string    `json:"email"`
-	CreatedAt time.Time `json:"created_at"`
-	Username  string    `json:"username"`
+	ID        string    `json:"id" validate:"required"`
+	Email     string    `json:"email" validate:"required"`
+	CreatedAt time.Time `json:"created_at" validate:"required"`
+	Username  string    `json:"username" validate:"required"`
+}
+
+type CreateUserRequest struct {
+	Email    string `json:"email" validate:"required,email"`
+	Username string `json:"username" validate:"required,username"`
+	Password string `json:"password" validate:"required"`
+}
+
+type LoginWithPasswordRequest struct {
+	Email    string `json:"email" validate:"required,email"`
+	Password string `json:"password" validate:"required"`
+}
+
+type LoginWithPasswordResponse struct {
+	SessionToken string `json:"session_token" validate:"required"`
 }
 
 type users struct {
 	Database database.Store
 }
 
+// Creates the initial user for a Coder deployment.
+func (users *users) createInitialUser(rw http.ResponseWriter, r *http.Request) {
+	var createUser CreateUserRequest
+	if !httpapi.Read(rw, r, &createUser) {
+		return
+	}
+	userCount, err := users.Database.GetUserCount(r.Context())
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get user count: %s", err.Error()),
+		})
+		return
+	}
+	if userCount != 0 {
+		httpapi.Write(rw, http.StatusForbidden, httpapi.Response{
+			Message: "the initial user has already been created",
+		})
+		return
+	}
+	user, err := users.Database.GetUserByEmailOrUsername(r.Context(), database.GetUserByEmailOrUsernameParams{
+		Email:    createUser.Email,
+		Username: createUser.Username,
+	})
+	if errors.Is(err, sql.ErrNoRows) {
+		err = nil
+	}
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get user: %s", err.Error()),
+		})
+		return
+	}
+	hashedPassword, err := userpassword.Hash(createUser.Password)
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("hash password: %s", err.Error()),
+		})
+		return
+	}
+
+	user, err = users.Database.InsertUser(context.Background(), database.InsertUserParams{
+		ID:             uuid.NewString(),
+		Email:          createUser.Email,
+		HashedPassword: []byte(hashedPassword),
+		Username:       createUser.Username,
+		LoginType:      database.LoginTypeBuiltIn,
+		CreatedAt:      database.Now(),
+		UpdatedAt:      database.Now(),
+	})
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("create user: %s", err.Error()),
+		})
+		return
+	}
+	render.Status(r, http.StatusCreated)
+	render.JSON(rw, r, user)
+}
+
+// Returns the currently authenticated user.
 func (users *users) getAuthenticatedUser(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.User(r)
 
@@ -31,3 +113,61 @@ func (users *users) getAuthenticatedUser(rw http.ResponseWriter, r *http.Request
 		Username:  user.Username,
 	})
 }
+
+func (users *users) loginWithPassword(rw http.ResponseWriter, r *http.Request) {
+	var loginWithPassword LoginWithPasswordRequest
+	if !httpapi.Read(rw, r, loginWithPassword) {
+		return
+	}
+	user, err := users.Database.GetUserByEmailOrUsername(r.Context(), database.GetUserByEmailOrUsernameParams{
+		Email: loginWithPassword.Email,
+	})
+	if errors.Is(err, sql.ErrNoRows) {
+		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+			Message: "invalid email or password",
+		})
+		return
+	}
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get user: %s", err.Error()),
+		})
+		return
+	}
+	equal, err := userpassword.Compare(string(user.HashedPassword), loginWithPassword.Password)
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("compare: %s", err.Error()),
+		})
+	}
+	if !equal {
+		// This message is the same as above to remove ease in detecting whether
+		// users are registered or not. Attackers still could with a timing attack.
+		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+			Message: "invalid email or password",
+		})
+		return
+	}
+
+	// key, secret := (&database.APIKey{
+	// 	UserID:           actor.ID,
+	// 	ExpiresAt:        expiresAt,
+	// 	LoginType:        actor.LoginType,
+	// 	OIDCAccessToken:  oidcCfg.AccessToken,
+	// 	OIDCRefreshToken: oidcCfg.RefreshToken,
+	// 	OIDCIDToken:      oidcCfg.IDToken,
+	// 	// OIDCExpiry indicates when we need to fetch a new OIDC token.
+	// 	OIDCExpiry:  oidcCfg.Expiry,
+	// 	DevurlToken: devurlToken,
+	// }).Fill()
+
+	users.Database.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
+		ID:           uuid.NewString(),
+		UserID:       user.ID,
+		ExpiresAt:    database.Now().Add(24 * time.Hour),
+		CreatedAt:    database.Now(),
+		UpdatedAt:    database.Now(),
+		HashedSecret: []byte(""),
+		LoginType:    database.LoginTypeBuiltIn,
+	})
+}
@@ -1,9 +1,33 @@
 package coderd_test
 
-import "testing"
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"testing"
+
+	"golang.org/x/crypto/pbkdf2"
+)
 
 func TestUsers(t *testing.T) {
-	t.Run("wow", func(t *testing.T) {
+	// t.Run("AuthenticatedUser", func(t *testing.T) {
+	// 	_ = coderdtest.New(t)
+	// })
+
+	t.Run("Pass", func(t *testing.T) {
+		salt := make([]byte, 16)
+		_, err := rand.Read(salt)
+		if err != nil {
+			panic("unexpected: crypto/rand.Read returned an error: " + err.Error())
+		}
+		hash := pbkdf2.Key([]byte("hello"), salt, 65535, 64, sha256.New)
+		str := base64.StdEncoding.EncodeToString(hash)
+
+		parts := bytes.Split(hash, []byte("$"))
+		fmt.Printf("Parts: %+v\n", len(parts))
 
+		fmt.Printf("Hash: %s %s\n", hash, str)
 	})
 }
@@ -0,0 +1,5 @@
+package codersdk
+
+func (c *Client) LoginWithPassword(email, password string) error {
+
+}
Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,9 @@ package coderdtest_test`
`3`	`3`	`import (`
`4`	`4`	`"testing"`
`5`	`5`
`6`		`- "github.com/coder/coder/coderd/coderdtest"`
`7`	`6`	`"go.uber.org/goleak"`
	`7`	`+`
	`8`	`+ "github.com/coder/coder/coderd/coderdtest"`
`8`	`9`	`)`
`9`	`10`
`10`	`11`	`func TestMain(m *testing.M) {`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +package codersdk
++
 +func (c *Client) LoginWithPassword(email, password string) error {
++
 +}