refactor: move OAuth2 provider code to dedicated package (#18746)

# Refactor OAuth2 Provider Code into Dedicated Package This PR refactors the OAuth2 provider functionality by moving it from the main `coderd` package into a dedicated `oauth2provider` package. The change improves code organization and maintainability without changing functionality. Key changes: - Created a new `oauth2provider` package to house all OAuth2 provider-related code - Moved existing OAuth2 provider functionality from `coderd/identityprovider` to the new package - Refactored handler functions to follow a consistent pattern of returning `http.HandlerFunc` instead of being handlers directly - Split large files into smaller, more focused files organized by functionality: - `app_secrets.go` - Manages OAuth2 application secrets - `apps.go` - Handles OAuth2 application CRUD operations - `authorize.go` - Implements the authorization flow - `metadata.go` - Provides OAuth2 metadata endpoints - `registration.go` - Handles dynamic client registration - `revoke.go` - Implements token revocation - `secrets.go` - Manages secret generation and validation - `tokens.go` - Handles token issuance and validation This refactoring improves code organization and makes the OAuth2 provider functionality more maintainable while preserving all existing behavior.
2025-07-09 11:45:56 +00:00 · 2025-07-03 20:24:45 +02:00
parent 7fbb3ced5b
commit c65013384a
17 changed files with 1095 additions and 981 deletions
--- a/coderd/oauth2provider/pkce_test.go
+++ b/coderd/oauth2provider/pkce_test.go
@ -0,0 +1,77 @@
+package oauth2provider_test
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/oauth2provider"
+)
+
+func TestVerifyPKCE(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name        string
+		verifier    string
+		challenge   string
+		expectValid bool
+	}{
+		{
+			name:        "ValidPKCE",
+			verifier:    "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+			challenge:   "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
+			expectValid: true,
+		},
+		{
+			name:        "InvalidPKCE",
+			verifier:    "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+			challenge:   "wrong_challenge",
+			expectValid: false,
+		},
+		{
+			name:        "EmptyChallenge",
+			verifier:    "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+			challenge:   "",
+			expectValid: false,
+		},
+		{
+			name:        "EmptyVerifier",
+			verifier:    "",
+			challenge:   "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
+			expectValid: false,
+		},
+		{
+			name:        "BothEmpty",
+			verifier:    "",
+			challenge:   "",
+			expectValid: false,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			result := oauth2provider.VerifyPKCE(tt.challenge, tt.verifier)
+			require.Equal(t, tt.expectValid, result)
+		})
+	}
+}
+
+func TestPKCES256Generation(t *testing.T) {
+	t.Parallel()
+
+	// Test that we can generate a valid S256 challenge from a verifier
+	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+	expectedChallenge := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
+
+	// Generate challenge using S256 method
+	h := sha256.Sum256([]byte(verifier))
+	challenge := base64.RawURLEncoding.EncodeToString(h[:])
+
+	require.Equal(t, expectedChallenge, challenge)
+	require.True(t, oauth2provider.VerifyPKCE(challenge, verifier))
+}