fix: move oauth2 routes (#12240)

* fix: move oauth2 routes

From /login/oauth2/* to /oauth2/*.

/login/oauth2 causes /login to no longer get served by the frontend,
even if nothing is actually served on /login itself.

* Add forgotten comment on delete

enterprise/coderd/coderd.go

@@ -168,24 +168,25 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	}
 
 	api.AGPL.RootHandler.Group(func(r chi.Router) {
-		r.Use(
-			api.oAuth2ProviderMiddleware,
-			// Fetch the app as system because in the /tokens route there will be no
-			// authenticated user.
-			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
-		)
 		// Oauth2 linking routes do not make sense under the /api/v2 path.
-		r.Route("/login", func(r chi.Router) {
-			r.Route("/oauth2", func(r chi.Router) {
-				r.Group(func(r chi.Router) {
-					r.Use(apiKeyMiddleware)
-					r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
-					r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
-				})
-				// The /tokens endpoint will be called from an unauthorized client so we
-				// cannot require an API key.
-				r.Post("/tokens", api.postOAuth2ProviderAppToken())
+		r.Route("/oauth2", func(r chi.Router) {
+			r.Use(
+				api.oAuth2ProviderMiddleware,
+				// Fetch the app as system because in the /tokens route there will be no
+				// authenticated user.
+				httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+			)
+			r.Group(func(r chi.Router) {
+				r.Use(apiKeyMiddleware)
+				r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
+				// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
+				// route used to revoke permissions from an application.  It is here for
+				// parity with POST on /tokens.
+				r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
 			})
+			// The /tokens endpoint will be called from an unauthorized client so we
+			// cannot require an API key.
+			r.Post("/tokens", api.postOAuth2ProviderAppToken())
 		})
 	})
 

enterprise/coderd/identityprovider/middleware.go

@@ -44,7 +44,7 @@ func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
 			// a minimum in order to detect whether "allow" has been pressed, however.
 			cameFromSelf := (origin == "" || originU.Hostname() == accessURL.Hostname()) &&
 				refererU.Hostname() == accessURL.Hostname() &&
-				refererU.Path == "/login/oauth2/authorize"
+				refererU.Path == "/oauth2/authorize"
 
 			// If we were redirected here from this same page it means the user
 			// pressed the allow button so defer to the authorize handler which

enterprise/coderd/oauth2.go

@@ -291,7 +291,7 @@ func (api *API) deleteOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Re
 // @Param redirect_uri query string false "Redirect here after authorization"
 // @Param scope query string false "Token scopes (currently ignored)"
 // @Success 302
-// @Router /login/oauth2/authorize [post]
+// @Router /oauth2/authorize [post]
 func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
 	return identityprovider.Authorize(api.Database, api.AccessURL)
 }
@@ -306,7 +306,7 @@ func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
 // @Param refresh_token formData string false "Refresh token, required if grant_type=refresh_token"
 // @Param grant_type formData codersdk.OAuth2ProviderGrantType true "Grant type"
 // @Success 200 {object} oauth2.Token
-// @Router /login/oauth2/tokens [post]
+// @Router /oauth2/tokens [post]
 func (api *API) postOAuth2ProviderAppToken() http.HandlerFunc {
 	return identityprovider.Tokens(api.Database, api.DeploymentValues.SessionDuration.Value())
 }
@@ -317,7 +317,7 @@ func (api *API) postOAuth2ProviderAppToken() http.HandlerFunc {
 // @Tags Enterprise
 // @Param client_id query string true "Client ID"
 // @Success 204
-// @Router /login/oauth2/tokens [delete]
+// @Router /oauth2/tokens [delete]
 func (api *API) deleteOAuth2ProviderAppTokens() http.HandlerFunc {
 	return identityprovider.RevokeApp(api.Database)
 }