coder · kylecarbs · Sep 4, 2022 · Sep 3, 2022
diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -1859,6 +1859,7 @@ func (q *fakeQuerier) UpdateUserProfile(_ context.Context, arg database.UpdateUs
 		}
 		user.Email = arg.Email
 		user.Username = arg.Username
+		user.AvatarURL = arg.AvatarURL
 		q.users[index] = user
 		return user, nil
 	}

diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000044_user_avatars.down.sql b/coderd/database/migrations/000044_user_avatars.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE users
+    DROP COLUMN avatar_url;
diff --git a/coderd/database/migrations/000044_user_avatars.up.sql b/coderd/database/migrations/000044_user_avatars.up.sql
@@ -0,0 +1,2 @@
+ALTER TABLE users
+    ADD COLUMN avatar_url varchar(64);
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -57,7 +57,8 @@ UPDATE
 SET
 	email = $2,
 	username = $3,
-	updated_at = $4
+	avatar_url = $4,
+	updated_at = $5
 WHERE
 	id = $1 RETURNING *;
 

diff --git a/coderd/database/sqlc.yaml b/coderd/database/sqlc.yaml
@@ -18,6 +18,7 @@ packages:
 
 rename:
   api_key: APIKey
+  avatar_url: AvatarURL
   login_type_oidc: LoginTypeOIDC
   oauth_access_token: OAuthAccessToken
   oauth_expiry: OAuthExpiry

diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -144,6 +144,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		AllowSignups: api.GithubOAuth2Config.AllowSignups,
 		Email:        verifiedEmail.GetEmail(),
 		Username:     ghUser.GetLogin(),
+		AvatarURL:    ghUser.GetAvatarURL(),
 	})
 	var httpErr httpError
 	if xerrors.As(err, &httpErr) {
@@ -207,6 +208,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		Email    string `json:"email"`
 		Verified bool   `json:"email_verified"`
 		Username string `json:"preferred_username"`
+		Picture  string `json:"picture"`
 	}
 	err = idToken.Claims(&claims)
 	if err != nil {
@@ -256,6 +258,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		AllowSignups: api.OIDCConfig.AllowSignups,
 		Email:        claims.Email,
 		Username:     claims.Username,
+		AvatarURL:    claims.Picture,
 	})
 	var httpErr httpError
 	if xerrors.As(err, &httpErr) {
@@ -292,6 +295,7 @@ type oauthLoginParams struct {
 	AllowSignups bool
 	Email        string
 	Username     string
+	AvatarURL    string
 }
 
 type httpError struct {
@@ -410,13 +414,27 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 			}
 		}
 
+		needsUpdate := false
+		if user.AvatarURL.String != params.AvatarURL {
+			user.AvatarURL = sql.NullString{
+				String: params.AvatarURL,
+				Valid:  true,
+			}
+			needsUpdate = true
+		}
+
 		// If the upstream email or username has changed we should mirror
 		// that in Coder. Many enterprises use a user's email/username as
 		// security auditing fields so they need to stay synced.
 		// NOTE: username updating has been halted since it can have infrastructure
 		// provisioning consequences (updates to usernames may delete persistent
 		// resources such as user home volumes).
 		if user.Email != params.Email {
+			user.Email = params.Email
+			needsUpdate = true
+		}
+
+		if needsUpdate {
 			// TODO(JonA): Since we're processing updates to a user's upstream
 			// email/username, it's possible for a different built-in user to
 			// have already claimed the username.
@@ -425,9 +443,10 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 			// user and changes their username.
 			user, err = tx.UpdateUserProfile(ctx, database.UpdateUserProfileParams{
 				ID:        user.ID,
-				Email:     params.Email,
+				Email:     user.Email,
 				Username:  user.Username,
 				UpdatedAt: database.Now(),
+				AvatarURL: user.AvatarURL,
 			})
 			if err != nil {
 				return xerrors.Errorf("update user profile: %w", err)

diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -226,10 +226,11 @@ func TestUserOAuth2Github(t *testing.T) {
 						},
 					}}, nil
 				},
-				AuthenticatedUser: func(ctx context.Context, client *http.Client) (*github.User, error) {
+				AuthenticatedUser: func(ctx context.Context, _ *http.Client) (*github.User, error) {
 					return &github.User{
-						Login: github.String("kyle"),
-						ID:    i64ptr(1234),
+						Login:     github.String("kyle"),
+						ID:        i64ptr(1234),
+						AvatarURL: github.String("/hello-world"),
 					}, nil
 				},
 				ListEmails: func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error) {
@@ -249,6 +250,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, "kyle@coder.com", user.Email)
 		require.Equal(t, "kyle", user.Username)
+		require.Equal(t, "/hello-world", user.AvatarURL)
 	})
 	t.Run("SignupAllowedTeam", func(t *testing.T) {
 		t.Parallel()
@@ -297,6 +299,7 @@ func TestUserOIDC(t *testing.T) {
 		AllowSignups bool
 		EmailDomain  string
 		Username     string
+		AvatarURL    string
 		StatusCode   int
 	}{{
 		Name: "EmailNotVerified",
@@ -357,6 +360,18 @@ func TestUserOIDC(t *testing.T) {
 		Username:     "kyle",
 		AllowSignups: true,
 		StatusCode:   http.StatusTemporaryRedirect,
+	}, {
+		Name: "WithPicture",
+		Claims: jwt.MapClaims{
+			"email":          "kyle@kwc.io",
+			"email_verified": true,
+			"username":       "kyle",
+			"picture":        "/example.png",
+		},
+		Username:     "kyle",
+		AllowSignups: true,
+		AvatarURL:    "/example.png",
+		StatusCode:   http.StatusTemporaryRedirect,
 	}} {
 		tc := tc
 		t.Run(tc.Name, func(t *testing.T) {
@@ -379,6 +394,13 @@ func TestUserOIDC(t *testing.T) {
 				require.NoError(t, err)
 				require.Equal(t, tc.Username, user.Username)
 			}
+
+			if tc.AvatarURL != "" {
+				client.SessionToken = resp.Cookies()[0].Value
+				user, err := client.User(ctx, "me")
+				require.NoError(t, err)
+				require.Equal(t, tc.AvatarURL, user.AvatarURL)
+			}
 		})
 	}
 

diff --git a/coderd/users.go b/coderd/users.go
@@ -391,6 +391,7 @@ func (api *API) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 	updatedUserProfile, err := api.Database.UpdateUserProfile(r.Context(), database.UpdateUserProfileParams{
 		ID:        user.ID,
 		Email:     user.Email,
+		AvatarURL: user.AvatarURL,
 		Username:  params.Username,
 		UpdatedAt: database.Now(),
 	})
@@ -1075,6 +1076,7 @@ func convertUser(user database.User, organizationIDs []uuid.UUID) codersdk.User
 		Status:          codersdk.UserStatus(user.Status),
 		OrganizationIDs: organizationIDs,
 		Roles:           make([]codersdk.Role, 0, len(user.RBACRoles)),
+		AvatarURL:       user.AvatarURL.String,
 	}
 
 	for _, roleName := range user.RBACRoles {

diff --git a/codersdk/users.go b/codersdk/users.go
@@ -50,6 +50,7 @@ type User struct {
 	Status          UserStatus  `json:"status" table:"status"`
 	OrganizationIDs []uuid.UUID `json:"organization_ids"`
 	Roles           []Role      `json:"roles"`
+	AvatarURL       string      `json:"avatar_url"`
 }
 
 type APIKey struct {

diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go
@@ -83,6 +83,7 @@ var AuditableResources = auditMap(map[any]map[string]Action{
 		"status":          ActionTrack,
 		"rbac_roles":      ActionTrack,
 		"login_type":      ActionIgnore,
+		"avatar_url":      ActionIgnore,
 	},
 	&database.Workspace{}: {
 		"id":                 ActionTrack,
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE users
		ADD COLUMN avatar_url varchar(64);