fix: move oauth2 routes (#12240)

* fix: move oauth2 routes

From /login/oauth2/* to /oauth2/*.

/login/oauth2 causes /login to no longer get served by the frontend,
even if nothing is actually served on /login itself.

* Add forgotten comment on delete
This commit is contained in:
Asher
2024-02-20 18:01:25 -08:00
committed by GitHub
parent 4d39da294e
commit 3d742f64e6
9 changed files with 414 additions and 413 deletions

View File

@ -168,24 +168,25 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
}
api.AGPL.RootHandler.Group(func(r chi.Router) {
r.Use(
api.oAuth2ProviderMiddleware,
// Fetch the app as system because in the /tokens route there will be no
// authenticated user.
httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
)
// Oauth2 linking routes do not make sense under the /api/v2 path.
r.Route("/login", func(r chi.Router) {
r.Route("/oauth2", func(r chi.Router) {
r.Group(func(r chi.Router) {
r.Use(apiKeyMiddleware)
r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
})
// The /tokens endpoint will be called from an unauthorized client so we
// cannot require an API key.
r.Post("/tokens", api.postOAuth2ProviderAppToken())
r.Route("/oauth2", func(r chi.Router) {
r.Use(
api.oAuth2ProviderMiddleware,
// Fetch the app as system because in the /tokens route there will be no
// authenticated user.
httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
)
r.Group(func(r chi.Router) {
r.Use(apiKeyMiddleware)
r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
// DELETE on /tokens is not part of the OAuth2 spec. It is our own
// route used to revoke permissions from an application. It is here for
// parity with POST on /tokens.
r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
})
// The /tokens endpoint will be called from an unauthorized client so we
// cannot require an API key.
r.Post("/tokens", api.postOAuth2ProviderAppToken())
})
})

View File

@ -44,7 +44,7 @@ func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
// a minimum in order to detect whether "allow" has been pressed, however.
cameFromSelf := (origin == "" || originU.Hostname() == accessURL.Hostname()) &&
refererU.Hostname() == accessURL.Hostname() &&
refererU.Path == "/login/oauth2/authorize"
refererU.Path == "/oauth2/authorize"
// If we were redirected here from this same page it means the user
// pressed the allow button so defer to the authorize handler which

View File

@ -291,7 +291,7 @@ func (api *API) deleteOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Re
// @Param redirect_uri query string false "Redirect here after authorization"
// @Param scope query string false "Token scopes (currently ignored)"
// @Success 302
// @Router /login/oauth2/authorize [post]
// @Router /oauth2/authorize [post]
func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
return identityprovider.Authorize(api.Database, api.AccessURL)
}
@ -306,7 +306,7 @@ func (api *API) postOAuth2ProviderAppAuthorize() http.HandlerFunc {
// @Param refresh_token formData string false "Refresh token, required if grant_type=refresh_token"
// @Param grant_type formData codersdk.OAuth2ProviderGrantType true "Grant type"
// @Success 200 {object} oauth2.Token
// @Router /login/oauth2/tokens [post]
// @Router /oauth2/tokens [post]
func (api *API) postOAuth2ProviderAppToken() http.HandlerFunc {
return identityprovider.Tokens(api.Database, api.DeploymentValues.SessionDuration.Value())
}
@ -317,7 +317,7 @@ func (api *API) postOAuth2ProviderAppToken() http.HandlerFunc {
// @Tags Enterprise
// @Param client_id query string true "Client ID"
// @Success 204
// @Router /login/oauth2/tokens [delete]
// @Router /oauth2/tokens [delete]
func (api *API) deleteOAuth2ProviderAppTokens() http.HandlerFunc {
return identityprovider.RevokeApp(api.Database)
}