fix: move oauth2 routes (#12240)

* fix: move oauth2 routes

From /login/oauth2/* to /oauth2/*.

/login/oauth2 causes /login to no longer get served by the frontend,
even if nothing is actually served on /login itself.

* Add forgotten comment on delete

enterprise/coderd/coderd.go

@@ -168,24 +168,25 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	}
 
 	api.AGPL.RootHandler.Group(func(r chi.Router) {
-		r.Use(
-			api.oAuth2ProviderMiddleware,
-			// Fetch the app as system because in the /tokens route there will be no
-			// authenticated user.
-			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
-		)
 		// Oauth2 linking routes do not make sense under the /api/v2 path.
-		r.Route("/login", func(r chi.Router) {
-			r.Route("/oauth2", func(r chi.Router) {
-				r.Group(func(r chi.Router) {
-					r.Use(apiKeyMiddleware)
-					r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
-					r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
-				})
-				// The /tokens endpoint will be called from an unauthorized client so we
-				// cannot require an API key.
-				r.Post("/tokens", api.postOAuth2ProviderAppToken())
+		r.Route("/oauth2", func(r chi.Router) {
+			r.Use(
+				api.oAuth2ProviderMiddleware,
+				// Fetch the app as system because in the /tokens route there will be no
+				// authenticated user.
+				httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+			)
+			r.Group(func(r chi.Router) {
+				r.Use(apiKeyMiddleware)
+				r.Get("/authorize", api.postOAuth2ProviderAppAuthorize())
+				// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
+				// route used to revoke permissions from an application.  It is here for
+				// parity with POST on /tokens.
+				r.Delete("/tokens", api.deleteOAuth2ProviderAppTokens())
 			})
+			// The /tokens endpoint will be called from an unauthorized client so we
+			// cannot require an API key.
+			r.Post("/tokens", api.postOAuth2ProviderAppToken())
 		})
 	})