Functionality is working, need to polish and write tests. Currently disabled

Emyrk · Emyrk · commit fc19a8a8e781 · 2023-06-15T13:27:56.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -620,7 +620,7 @@ func New(options *Options) *API {
 					r.Use(
 						apiKeyMiddleware,
 					)
-					r.Post("/upgrade-to-oidc", api.postUpgradeToOIDC)
+					r.Post("/", api.postConvertToOauth)
 				})
 			})
 			r.Group(func(r chi.Router) {
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1858,7 +1858,8 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin
 }
 
 func (q *querier) InsertUserOauthMergeState(ctx context.Context, arg database.InsertUserOauthMergeStateParams) (database.OauthMergeState, error) {
-	if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceSystem); err != nil {
+	// TODO: @emyrk this permission feels right?
+	if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceAPIKey.WithOwner(arg.UserID.String())); err != nil {
 		return database.OauthMergeState{}, err
 	}
 
diff --git a/coderd/database/dbmetrics/dbmetrics.go b/coderd/database/dbmetrics/dbmetrics.go
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/mail"
-	"net/url"
 	"sort"
 	"strconv"
 	"strings"
@@ -34,7 +33,7 @@ import (
 	"github.com/coder/coder/codersdk"
 )
 
-func (api *API) postUpgradeToOIDC(rw http.ResponseWriter, r *http.Request) {
+func (api *API) postConvertToOauth(rw http.ResponseWriter, r *http.Request) {
 	var (
 		ctx               = r.Context()
 		auditor           = api.Auditor.Load()
@@ -111,11 +110,18 @@ func (api *API) postUpgradeToOIDC(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Redirect the user back to where they were after the account merge.
-	redirectURL := fmt.Sprintf("/api/v2/users/%s/callback?redirect=%s&oidc_merge_state=%s", oauthID, url.QueryEscape(r.URL.Path), mergeState.StateString)
+	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.OauthConversionResponse{
+		StateString: mergeState.StateString,
+		ExpiresAt:   mergeState.ExpiresAt,
+		OAuthID:     mergeState.OauthID,
+		UserID:      mergeState.UserID,
+	})
 
-	// Redirect the user to the normal OIDC flow with the special 'oidc_merge_state' state string.
-	http.Redirect(rw, r, redirectURL, http.StatusTemporaryRedirect)
+	//// Redirect the user back to where they were after the account merge.
+	//redirectURL := fmt.Sprintf("/api/v2/users/%s/callback?redirect=%s&oidc_merge_state=%s", oauthID, url.QueryEscape(r.URL.Path), mergeState.StateString)
+	//
+	//// Redirect the user to the normal OIDC flow with the special 'oidc_merge_state' state string.
+	//http.Redirect(rw, r, redirectURL, http.StatusTemporaryRedirect)
 }
 
 // Authenticates the user with an email and password.
@@ -968,7 +974,8 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 				UserID:      user.ID,
 				StateString: params.State.StateString,
 			})
-			if err == nil && mergeState.ExpiresAt.Before(time.Now()) {
+			var _ = mergeState
+			if err == nil {
 				return httpError{
 					code: http.StatusForbidden,
 					msg:  "Hey! This upgrade would have worked if I let it",
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -109,6 +109,13 @@ type LoginWithPasswordResponse struct {
 	SessionToken string `json:"session_token" validate:"required"`
 }
 
+type OauthConversionResponse struct {
+	StateString string    `json:"state_string"`
+	ExpiresAt   time.Time `json:"expires_at"`
+	OAuthID     string    `json:"oauth_id"`
+	UserID      uuid.UUID `json:"user_id"`
+}
+
 type CreateOrganizationRequest struct {
 	Name string `json:"name" validate:"required,username"`
 }
diff --git a/site/src/api/api.ts b/site/src/api/api.ts
@@ -107,6 +107,33 @@ export const login = async (
   return response.data
 }
 
+export const convertToOauth = async (
+  email: string,
+  password: string,
+  oauth_provider: string,
+): Promise<TypesGen.OauthConversionResponse | undefined> => {
+  const payload = JSON.stringify({
+    email,
+    password,
+    oauth_provider,
+  })
+
+  try {
+    const response = await axios.post<TypesGen.OauthConversionResponse>("/api/v2/users/upgrade-to-oidc",
+    payload,
+    {
+      headers: { ...CONTENT_TYPE_JSON },
+    })
+    return response.data
+  } catch (error) {
+    if (axios.isAxiosError(error) && error.response?.status === 401) {
+      return undefined
+    }
+
+    throw error
+  }
+}
+
 export const logout = async (): Promise<void> => {
   await axios.post("/api/v2/users/logout")
 }
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -544,6 +544,14 @@ export interface OIDCConfig {
   readonly icon_url: string
 }
 
+// From codersdk/users.go
+export interface OauthConversionResponse {
+  readonly state_string: string
+  readonly expires_at: string
+  readonly oauth_id: string
+  readonly user_id: string
+}
+
 // From codersdk/organizations.go
 export interface Organization {
   readonly id: string
@@ -1005,6 +1013,11 @@ export interface UpdateWorkspaceTTLRequest {
   readonly ttl_ms?: number
 }
 
+// From codersdk/users.go
+export interface UpgradeToOIDCRequest extends LoginWithPasswordRequest {
+  readonly oauth_provider: string
+}
+
 // From codersdk/files.go
 export interface UploadResponse {
   readonly hash: string
diff --git a/site/src/pages/UserSettingsPage/AccountPage/AccountPage.tsx b/site/src/pages/UserSettingsPage/AccountPage/AccountPage.tsx
@@ -7,8 +7,9 @@ import { usePermissions } from "hooks/usePermissions"
 import { SignInForm } from "components/SignInForm/SignInForm"
 import { retrieveRedirect } from "utils/redirect"
 import { useQuery } from "@tanstack/react-query"
-import { getAuthMethods } from "api/api"
+import { convertToOauth, getAuthMethods } from "api/api"
 import { AuthMethods } from "api/typesGenerated"
+import axios from "axios"
 
 export const AccountPage: FC = () => {
   const queryKey = ["get-auth-methods"]
@@ -18,16 +19,16 @@ export const AccountPage: FC = () => {
     isLoading: authMethodsLoading,
     isFetched: authMethodsFetched,
   } = useQuery({
-    select: (res: AuthMethods) => {
-      return {
-        ...res,
-        // Disable the password auth in this account section. For merging accounts,
-        // we only want to support oidc.
-        password: {
-          enabled: false,
-        },
-      }
-    },
+    // select: (res: AuthMethods) => {
+    //   return {
+    //     ...res,
+    //     // Disable the password auth in this account section. For merging accounts,
+    //     // we only want to support oidc.
+    //     password: {
+    //       enabled: false,
+    //     },
+    //   }
+    // },
     queryKey,
     queryFn: getAuthMethods,
   })
@@ -64,9 +65,29 @@ export const AccountPage: FC = () => {
         redirectTo={redirectTo}
         isSigningIn={false}
         error={authMethodsError}
-        onSubmit={(credentials: { email: string; password: string }) => {
-          console.log(credentials)
-          return
+        onSubmit={async (credentials: { email: string; password: string }) => {
+          const mergeState = await convertToOauth(
+            credentials.email,
+            credentials.password,
+            "oidc",
+          )
+
+          window.location.href = `/api/v2/users/oidc/callback?oidc_merge_state=${
+            mergeState?.state_string
+          }&redirect=${encodeURIComponent(redirectTo)}`
+          // await axios.get(
+          //   `/api/v2/users/oidc/callback?oidc_merge_state=${
+          //     mergeState?.state_string
+          //   }&redirect=${encodeURIComponent(redirectTo)}`,
+          // )
+
+          {
+            /* <Link
+          href={`/api/v2/users/oidc/callback?redirect=${encodeURIComponent(
+            redirectTo,
+          )}`}
+        > */
+          }
         }}
       ></SignInForm>
     </Section>

Original file line number	Diff line number	Diff line change
`@@ -620,7 +620,7 @@ func New(options Options) API {`
`620`	`620`	`r.Use(`
`621`	`621`	`apiKeyMiddleware,`
`622`	`622`	`)`
`623`		`- r.Post("/upgrade-to-oidc", api.postUpgradeToOIDC)`
	`623`	`+ r.Post("/", api.postConvertToOauth)`
`624`	`624`	`})`
`625`	`625`	`})`
`626`	`626`	`r.Group(func(r chi.Router) {`
Original file line number	Diff line number	Diff line change
`@@ -1858,7 +1858,8 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin`
`1858`	`1858`	`}`
`1859`	`1859`
`1860`	`1860`	`func (q *querier) InsertUserOauthMergeState(ctx context.Context, arg database.InsertUserOauthMergeStateParams) (database.OauthMergeState, error) {`
`1861`		`- if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceSystem); err != nil {`
	`1861`	`+ // TODO: @emyrk this permission feels right?`
	`1862`	`+ if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceAPIKey.WithOwner(arg.UserID.String())); err != nil {`
`1862`	`1863`	`return database.OauthMergeState{}, err`
`1863`	`1864`	`}`
`1864`	`1865`
Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,13 @@ type LoginWithPasswordResponse struct {`
`109`	`109`	SessionToken string `json:"session_token" validate:"required"`
`110`	`110`	`}`
`111`	`111`
	`112`	`+type OauthConversionResponse struct {`
	`113`	+ StateString string `json:"state_string"`
	`114`	+ ExpiresAt time.Time `json:"expires_at"`
	`115`	+ OAuthID string `json:"oauth_id"`
	`116`	+ UserID uuid.UUID `json:"user_id"`
	`117`	`+}`
	`118`	`+`
`112`	`119`	`type CreateOrganizationRequest struct {`
`113`	`120`	Name string `json:"name" validate:"required,username"`
`114`	`121`	`}`