feat: add ability for users to convert their password login type to oauth/github login (#8105)

* Currently toggled by experiment flag --------- Co-authored-by: Bruno Quaresma <bruno@coder.com>
2025-07-03 16:13:58 +00:00 · 2023-06-30 08:38:48 -04:00
parent 357f3b38f7
commit b5f26d9bdf
50 changed files with 2043 additions and 261 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -132,6 +132,11 @@ type Options struct {
 	HealthcheckTimeout time.Duration
 	HealthcheckRefresh time.Duration

+	// OAuthSigningKey is the crypto key used to sign and encrypt state strings
+	// related to OAuth. This is a symmetric secret key using hmac to sign payloads.
+	// So this secret should **never** be exposed to the client.
+	OAuthSigningKey [32]byte
+
 	// APIRateLimit is the minutely throughput rate limit per user or ip.
 	// Setting a rate limit <0 will disable the rate limiter across the entire
 	// app. Some specific routes have their own configurable rate limits.
@ -309,9 +314,16 @@ func New(options *Options) *API {

 	ctx, cancel := context.WithCancel(context.Background())
 	r := chi.NewRouter()
+
+	// nolint:gocritic // Load deployment ID. This never changes
+	depID, err := options.Database.GetDeploymentID(dbauthz.AsSystemRestricted(ctx))
+	if err != nil {
+		panic(xerrors.Errorf("get deployment ID: %w", err))
+	}
 	api := &API{
-		ctx:    ctx,
-		cancel: cancel,
+		ctx:          ctx,
+		cancel:       cancel,
+		DeploymentID: depID,

 		ID:          uuid.New(),
 		Options:     options,
@ -608,6 +620,7 @@ func New(options *Options) *API {
 			r.Get("/first", api.firstUser)
 			r.Post("/first", api.postFirstUser)
 			r.Get("/authmethods", api.userAuthMethods)
+
 			r.Group(func(r chi.Router) {
 				// We use a tight limit for password login to protect against
 				// audit-log write DoS, pbkdf2 DoS, and simple brute-force
@ -640,8 +653,10 @@ func New(options *Options) *API {
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database, false))
+					r.Post("/convert-login", api.postConvertLoginType)
 					r.Delete("/", api.deleteUser)
 					r.Get("/", api.userByName)
+					r.Get("/login-type", api.userLoginType)
 					r.Put("/profile", api.putUserProfile)
 					r.Route("/status", func(r chi.Router) {
 						r.Put("/suspend", api.putSuspendUserAccount())
@ -858,6 +873,9 @@ type API struct {
 	ctx    context.Context
 	cancel context.CancelFunc

+	// DeploymentID is loaded from the database on startup.
+	DeploymentID string
+
 	*Options
 	// ID is a uniquely generated ID on initialization.
 	// This is used to associate objects with a specific