coder
diff --git a/‎cli/cliui/agent.go
Lines changed: 19 additions & 0 deletions b/‎cli/cliui/agent.go
Lines changed: 19 additions & 0 deletions
diff --git a/‎cli/login.go
Lines changed: 13 additions & 0 deletions b/‎cli/login.go
Lines changed: 13 additions & 0 deletions
diff --git a/‎cli/login_test.go
Lines changed: 39 additions & 0 deletions b/‎cli/login_test.go
Lines changed: 39 additions & 0 deletions
diff --git a/‎cli/root.go
Lines changed: 2 additions & 2 deletions b/‎cli/root.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎cli/server.go
Lines changed: 9 additions & 2 deletions b/‎cli/server.go
Lines changed: 9 additions & 2 deletions
diff --git a/‎cli/server_test.go
Lines changed: 6 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 4 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 10 additions & 9 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 10 additions & 9 deletions
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
+	"os/signal"
 	"sync"
 	"time"
 
@@ -46,6 +48,23 @@ func Agent(ctx context.Context, writer io.Writer, opts AgentOptions) error {
 	spin.Start()
 	defer spin.Stop()
 
+	ctx, cancelFunc := context.WithCancel(ctx)
+	defer cancelFunc()
+	stopSpin := make(chan os.Signal, 1)
+	signal.Notify(stopSpin, os.Interrupt)
+	defer signal.Stop(stopSpin)
+	go func() {
+		select {
+		case <-ctx.Done():
+			return
+		case <-stopSpin:
+		}
+		signal.Stop(stopSpin)
+		spin.Stop()
+		// nolint:revive
+		os.Exit(1)
+	}()
+
 	ticker := time.NewTicker(opts.FetchInterval)
 	defer ticker.Stop()
 	timer := time.NewTimer(opts.WarnInterval)
 
@@ -117,6 +117,19 @@ func login() *cobra.Command {
 				if err != nil {
 					return xerrors.Errorf("specify password prompt: %w", err)
 				}
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
+					Secret: true,
+					Validate: func(s string) error {
+						if s != password {
+							return xerrors.Errorf("Passwords do not match")
+						}
+						return nil
+					},
+				})
+				if err != nil {
+					return xerrors.Errorf("confirm password prompt: %w", err)
+				}
 
 				_, err = client.CreateFirstUser(cmd.Context(), codersdk.CreateFirstUserRequest{
 					Email:            email,
 
@@ -43,6 +43,7 @@ func TestLogin(t *testing.T) {
 			"username", "testuser",
 			"email", "user@coder.com",
 			"password", "password",
+			"password", "password", // Confirm.
 		}
 		for i := 0; i < len(matches); i += 2 {
 			match := matches[i]
@@ -54,6 +55,44 @@ func TestLogin(t *testing.T) {
 		<-doneChan
 	})
 
+	t.Run("InitialUserTTYConfirmPasswordFailAndReprompt", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		// The --force-tty flag is required on Windows, because the `isatty` library does not
+		// accurately detect Windows ptys when they are not attached to a process:
+		// https://github.com/mattn/go-isatty/issues/59
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", "--force-tty", client.URL.String())
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.ExecuteContext(ctx)
+			require.ErrorIs(t, err, context.Canceled)
+		}()
+
+		matches := []string{
+			"first user?", "yes",
+			"username", "testuser",
+			"email", "user@coder.com",
+			"password", "mypass",
+			"password", "wrongpass", // Confirm.
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		pty.ExpectMatch("Passwords do not match")
+		pty.ExpectMatch("password") // Re-prompt password.
+		cancel()
+		<-doneChan
+	})
+
 	t.Run("ExistingUserValidTokenTTY", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 
@@ -90,8 +90,8 @@ func Root() *cobra.Command {
 		workspaceAgent(),
 	)
 
-	cliflag.String(cmd.PersistentFlags(), varURL, "", "CODER_URL", "", "Specify the URL to your deployment.")
-	cliflag.String(cmd.PersistentFlags(), varToken, "", "CODER_TOKEN", "", "Specify an authentication token.")
+	cmd.PersistentFlags().String(varURL, "", "Specify the URL to your deployment.")
+	cmd.PersistentFlags().String(varToken, "", "Specify an authentication token.")
 	cliflag.String(cmd.PersistentFlags(), varAgentToken, "", "CODER_AGENT_TOKEN", "", "Specify an agent authentication token.")
 	cliflag.String(cmd.PersistentFlags(), varAgentURL, "", "CODER_AGENT_URL", "", "Specify the URL for an agent to access your deployment.")
 	cliflag.String(cmd.PersistentFlags(), varGlobalConfig, "", "CODER_CONFIG_DIR", configdir.LocalConfig("coderv2"), "Specify the path to the global `coder` config directory.")
 
@@ -342,6 +342,12 @@ func server() *cobra.Command {
 				return xerrors.Errorf("notify systemd: %w", err)
 			}
 
+			// Because the graceful shutdown includes cleaning up workspaces in dev mode, we're
+			// going to make it harder to accidentally skip the graceful shutdown by hitting ctrl+c
+			// two or more times.  So the stopChan is unlimited in size and we don't call
+			// signal.Stop() until graceful shutdown finished--this means we swallow additional
+			// SIGINT after the first.  To get out of a graceful shutdown, the user can send SIGQUIT
+			// with ctrl+\ or SIGTERM with `kill`.
 			stopChan := make(chan os.Signal, 1)
 			defer signal.Stop(stopChan)
 			signal.Notify(stopChan, os.Interrupt)
@@ -358,12 +364,13 @@ func server() *cobra.Command {
 				return err
 			case <-stopChan:
 			}
-			signal.Stop(stopChan)
 			_, err = daemon.SdNotify(false, daemon.SdNotifyStopping)
 			if err != nil {
 				return xerrors.Errorf("notify systemd: %w", err)
 			}
-			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "\n\n"+cliui.Styles.Bold.Render("Interrupt caught. Gracefully exiting..."))
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "\n\n"+
+				cliui.Styles.Bold.Render(
+					"Interrupt caught, gracefully exiting.  Use ctrl+\\ to force quit"))
 
 			if dev {
 				organizations, err := client.OrganizationsByUser(cmd.Context(), codersdk.Me)
 
@@ -271,6 +271,12 @@ func TestServer(t *testing.T) {
 		require.NoError(t, err)
 		err = currentProcess.Signal(os.Interrupt)
 		require.NoError(t, err)
+		// Send a two more signal, which should be ignored.  Send 2 because the channel has a buffer
+		// of 1 and we want to make sure that nothing strange happens if we exceed the buffer.
+		err = currentProcess.Signal(os.Interrupt)
+		require.NoError(t, err)
+		err = currentProcess.Signal(os.Interrupt)
+		require.NoError(t, err)
 		<-done
 	})
 	t.Run("DatadogTracerNoLeak", func(t *testing.T) {
 
@@ -240,6 +240,10 @@ func New(options *Options) (http.Handler, func()) {
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 					r.Put("/suspend", api.putUserSuspend)
+					r.Route("/password", func(r chi.Router) {
+						r.Use(httpmw.WithRBACObject(rbac.ResourceUserPasswordRole))
+						r.Put("/", authorize(api.putUserPassword, rbac.ActionUpdate))
+					})
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
 					// These roles apply to the site wide permissions.
 
@@ -174,21 +174,22 @@ func NewProvisionerDaemon(t *testing.T, client *codersdk.Client) io.Closer {
 	return closer
 }
 
+var FirstUserParams = codersdk.CreateFirstUserRequest{
+	Email:            "testuser@coder.com",
+	Username:         "testuser",
+	Password:         "testpass",
+	OrganizationName: "testorg",
+}
+
 // CreateFirstUser creates a user with preset credentials and authenticates
 // with the passed in codersdk client.
 func CreateFirstUser(t *testing.T, client *codersdk.Client) codersdk.CreateFirstUserResponse {
-	req := codersdk.CreateFirstUserRequest{
-		Email:            "testuser@coder.com",
-		Username:         "testuser",
-		Password:         "testpass",
-		OrganizationName: "testorg",
-	}
-	resp, err := client.CreateFirstUser(context.Background(), req)
+	resp, err := client.CreateFirstUser(context.Background(), FirstUserParams)
 	require.NoError(t, err)
 
 	login, err := client.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
-		Email:    req.Email,
-		Password: req.Password,
+		Email:    FirstUserParams.Email,
+		Password: FirstUserParams.Password,
 	})
 	require.NoError(t, err)
 	client.SessionToken = login.SessionToken
 
@@ -1314,6 +1314,21 @@ func (q *fakeQuerier) UpdateUserStatus(_ context.Context, arg database.UpdateUse
 	return database.User{}, sql.ErrNoRows
 }
 
+func (q *fakeQuerier) UpdateUserHashedPassword(_ context.Context, arg database.UpdateUserHashedPasswordParams) error {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for i, user := range q.users {
+		if user.ID != arg.ID {
+			continue
+		}
+		user.HashedPassword = arg.HashedPassword
+		q.users[i] = user
+		return nil
+	}
+	return sql.ErrNoRows
+}
+
 func (q *fakeQuerier) InsertWorkspace(_ context.Context, arg database.InsertWorkspaceParams) (database.Workspace, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()