add login_type to users table

coder · sreya · Aug 17, 2022 · Aug 9, 2022 · Aug 9, 2022 · Aug 9, 2022
commit f2f76e97c30f9e8c4943097fa5818c37215f9fe8
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000034_linked_user_id.up.sql b/coderd/database/migrations/000034_linked_user_id.up.sql
@@ -51,4 +51,19 @@ ALTER TABLE api_keys
 	DROP COLUMN oauth_id_token,
 	DROP COLUMN oauth_expiry;
 
+ALTER TABLE users ADD COLUMN login_type login_type NOT NULL DEFAULT 'password';
+
+UPDATE
+  users
+SET
+  login_type =  (
+    SELECT
+      login_type
+    FROM
+      user_links
+    WHERE
+      user_links.user_id = users.id
+    LIMIT 1
+  );
+
 COMMIT;
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/postgres/postgres.go b/coderd/database/postgres/postgres.go
@@ -136,7 +136,6 @@ func Open() (string, func(), error) {
 		}
 		err = database.MigrateUp(db)
 		if err != nil {
-			fmt.Printf("err: %v\n", err)
 			return xerrors.Errorf("migrate db: %w", err)
 		}
 

diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -37,10 +37,11 @@ INSERT INTO
 		hashed_password,
 		created_at,
 		updated_at,
-		rbac_roles
+		rbac_roles,
+    login_type
 	)
 VALUES
-	($1, $2, $3, $4, $5, $6, $7) RETURNING *;
+	($1, $2, $3, $4, $5, $6, $7, $8) RETURNING *;
 
 -- name: UpdateUserProfile :one
 UPDATE

diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -137,7 +137,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, link, err := findLinkedUser(ctx, api.Database, database.LoginTypeGithub, githubLinkedID(ghUser), verifiedEmails...)
+	user, link, err := findLinkedUser(ctx, api.Database, githubLinkedID(ghUser), verifiedEmails...)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "An internal error occurred.",
@@ -146,9 +146,9 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if link.UserID != uuid.Nil && link.LoginType != database.LoginTypeGithub {
-		httpapi.Write(rw, http.StatusConflict, codersdk.Response{
-			Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypeOIDC, link.LoginType),
+	if user.ID != uuid.Nil && user.LoginType != database.LoginTypeGithub {
+		httpapi.Write(rw, http.StatusForbidden, codersdk.Response{
+			Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypeOIDC, user.LoginType),
 		})
 		return
 	}
@@ -184,10 +184,13 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 			})
 			return
 		}
-		user, _, err = api.createUser(r.Context(), codersdk.CreateUserRequest{
-			Email:          *verifiedEmail.Email,
-			Username:       *ghUser.Login,
-			OrganizationID: organizationID,
+		user, _, err = api.createUser(ctx, createUserRequest{
+			CreateUserRequest: codersdk.CreateUserRequest{
+				Email:          *verifiedEmail.Email,
+				Username:       *ghUser.Login,
+				OrganizationID: organizationID,
+			},
+			LoginType: database.LoginTypeGithub,
 		})
 		if err != nil {
 			httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
@@ -332,7 +335,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	user, link, err := findLinkedUser(ctx, api.Database, database.LoginTypeOIDC, oidcLinkedID(idToken), claims.Email)
+	user, link, err := findLinkedUser(ctx, api.Database, oidcLinkedID(idToken), claims.Email)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Failed to find user.",
@@ -348,9 +351,9 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if link.UserID != uuid.Nil && link.LoginType != database.LoginTypeOIDC {
-		httpapi.Write(rw, http.StatusConflict, codersdk.Response{
-			Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypeOIDC, link.LoginType),
+	if user.ID != uuid.Nil && user.LoginType != database.LoginTypeOIDC {
+		httpapi.Write(rw, http.StatusForbidden, codersdk.Response{
+			Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypeOIDC, user.LoginType),
 		})
 		return
 	}
@@ -365,10 +368,13 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 			organizationID = organizations[0].ID
 		}
 
-		user, _, err = api.createUser(ctx, codersdk.CreateUserRequest{
-			Email:          claims.Email,
-			Username:       claims.Username,
-			OrganizationID: organizationID,
+		user, _, err = api.createUser(ctx, createUserRequest{
+			CreateUserRequest: codersdk.CreateUserRequest{
+				Email:          claims.Email,
+				Username:       claims.Username,
+				OrganizationID: organizationID,
+			},
+			LoginType: database.LoginTypeOIDC,
 		})
 		if err != nil {
 			httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
@@ -477,7 +483,7 @@ func oidcLinkedID(tok *oidc.IDToken) string {
 
 // findLinkedUser tries to find a user by their unique OAuth-linked ID.
 // If it doesn't not find it, it returns the user by their email.
-func findLinkedUser(ctx context.Context, db database.Store, loginType database.LoginType, linkedID string, emails ...string) (database.User, database.UserLink, error) {
+func findLinkedUser(ctx context.Context, db database.Store, linkedID string, emails ...string) (database.User, database.UserLink, error) {
 	var (
 		user database.User
 		link database.UserLink
@@ -518,7 +524,7 @@ func findLinkedUser(ctx context.Context, db database.Store, loginType database.L
 	// possible that a user_link exists without a populated 'linked_id'.
 	link, err = db.GetUserLinkByUserIDLoginType(ctx, database.GetUserLinkByUserIDLoginTypeParams{
 		UserID:    user.ID,
-		LoginType: loginType,
+		LoginType: user.LoginType,
 	})
 	if err != nil && !errors.Is(err, sql.ErrNoRows) {
 		return database.User{}, database.UserLink{}, xerrors.Errorf("get user link by user id and login type: %w", err)

diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -175,7 +175,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		resp := oauth2Callback(t, client)
 		require.Equal(t, http.StatusForbidden, resp.StatusCode)
 	})
-	t.Run("Login", func(t *testing.T) {
+	t.Run("MultiLoginNotAllowed", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, &coderdtest.Options{
 			GithubOAuth2Config: &coderd.GithubOAuth2Config{
@@ -199,6 +199,7 @@ func TestUserOAuth2Github(t *testing.T) {
 				},
 			},
 		})
+		// Creates the first user with login_type 'password'.
 		_ = coderdtest.CreateFirstUser(t, client)
 		resp := oauth2Callback(t, client)
 		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)

diff --git a/coderd/users.go b/coderd/users.go
@@ -77,10 +77,13 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, organizationID, err := api.createUser(r.Context(), codersdk.CreateUserRequest{
-		Email:    createUser.Email,
-		Username: createUser.Username,
-		Password: createUser.Password,
+	user, organizationID, err := api.createUser(r.Context(), createUserRequest{
+		CreateUserRequest: codersdk.CreateUserRequest{
+			Email:    createUser.Email,
+			Username: createUser.Username,
+			Password: createUser.Password,
+		},
+		LoginType: database.LoginTypePassword,
 	})
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
@@ -243,7 +246,10 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, _, err := api.createUser(r.Context(), req)
+	user, _, err := api.createUser(r.Context(), createUserRequest{
+		CreateUserRequest: req,
+		LoginType:         database.LoginTypePassword,
+	})
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error creating user.",
@@ -684,6 +690,13 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if user.LoginType != database.LoginTypePassword {
+		httpapi.Write(rw, http.StatusForbidden, codersdk.Response{
+			Message: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q", database.LoginTypeOIDC, user.LoginType),
+		})
+		return
+	}
+
 	// If the user doesn't exist, it will be a default struct.
 	equal, err := userpassword.Compare(string(user.HashedPassword), loginWithPassword.Password)
 	if err != nil {
@@ -896,7 +909,12 @@ func (api *API) createAPIKey(rw http.ResponseWriter, r *http.Request, params cre
 	return sessionToken, true
 }
 
-func (api *API) createUser(ctx context.Context, req codersdk.CreateUserRequest) (database.User, uuid.UUID, error) {
+type createUserRequest struct {
+	codersdk.CreateUserRequest
+	LoginType database.LoginType
+}
+
+func (api *API) createUser(ctx context.Context, req createUserRequest) (database.User, uuid.UUID, error) {
 	var user database.User
 	return user, req.OrganizationID, api.Database.InTx(func(db database.Store) error {
 		orgRoles := make([]string, 0)
@@ -923,6 +941,7 @@ func (api *API) createUser(ctx context.Context, req codersdk.CreateUserRequest)
 			UpdatedAt: database.Now(),
 			// All new users are defaulted to members of the site.
 			RBACRoles: []string{},
+			LoginType: req.LoginType,
 		}
 		// If a user signs up with OAuth, they can have no password!
 		if req.Password != "" {