From bf1c3a68c4bc8cb0b41eb48d95b40e914084950a Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Thu, 20 Oct 2022 01:16:55 +0000
Subject: [PATCH 1/2] fix: prevent refreshing tokens that don't exist

- When logging in with Google OIDC refresh tokens are not provided unless explicitly asked for. This PR updates the logic to avoid attempting to refresh the token if a refresh token does not exist. A session should only be dependent on a valid Coder API key, the state of its OAuth token (beyond initial authentication) should be irrelevant.
---
 coderd/httpmw/apikey.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
index cc331983ce1ee..54a28a2d1c617 100644
--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -203,7 +203,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 return
 }
 // Check if the OAuth token is expired
- if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() {
+ if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
 var oauthConfig OAuth2Config
 switch key.LoginType {
 case database.LoginTypeGithub:

From e03a924299e545cd70ceba470d89c0aa8c591991 Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Thu, 20 Oct 2022 01:36:07 +0000
Subject: [PATCH 2/2] fix test

---
 coderd/httpmw/apikey_test.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
index 7bfdf360b3353..8205515e8ccbb 100644
--- a/coderd/httpmw/apikey_test.go
+++ b/coderd/httpmw/apikey_test.go
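Review bot: The context comment `// Check if the OAuth token is expired` directly above the changed condition is now inaccurate, because the branch is entered only when the token is expired and a refresh token is present, and the reason for the new `link.OAuthRefreshToken != ""` clause lives only in the commit message. Replace it with `// Refresh the OAuth token only when it is expired and a refresh token exists: some providers (e.g. Google OIDC) omit refresh tokens unless explicitly requested, and session validity depends on the Coder API key rather than the OAuth token.` An expired link with no refresh token now falls through this branch silently; if nothing downstream records that case, a debug-level log at this point would let operators tell "never refreshable" links apart from refresh failures, though the rest of the function may already cover it. ExtractAPIKey begins before and continues after this hunk.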
@@ -468,9 +468,10 @@ func TestAPIKey(t *testing.T) {
 })
 require.NoError(t, err)
 _, err = db.InsertUserLink(r.Context(), database.InsertUserLinkParams{
- UserID: user.ID,
- LoginType: database.LoginTypeGithub,
- OAuthExpiry: database.Now().AddDate(0, 0, -1),
+ UserID: user.ID,
+ LoginType: database.LoginTypeGithub,
+ OAuthExpiry: database.Now().AddDate(0, 0, -1),
+ OAuthRefreshToken: "hello",
 })
 require.NoError(t, err)