fix: prevent refreshing tokens that don't exist

sreya · sreya · commit bf1c3a68c4bc · 2022-10-20T01:16:58.000Z
- When logging in with Google OIDC refresh tokens are not
  provided unless explicitly asked for. This PR updates
  the logic to avoid attempting to refresh the token if
  a refresh token does not exist.

  A session should only be dependent on a valid Coder API
  key, the state of its OAuth token (beyond initial authentication)
  should be irrelevant.
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -203,7 +203,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 					return
 				}
 				// Check if the OAuth token is expired
-				if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() {
+				if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
 					var oauthConfig OAuth2Config
 					switch key.LoginType {
 					case database.LoginTypeGithub:

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`203`	`203`	`return`
`204`	`204`	`}`
`205`	`205`	`// Check if the OAuth token is expired`
`206`		`- if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() {`
	`206`	`+ if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {`
`207`	`207`	`var oauthConfig OAuth2Config`
`208`	`208`	`switch key.LoginType {`
`209`	`209`	`case database.LoginTypeGithub:`