Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit03c4724

Browse files
committed
feat(oauth2): add authorization server metadata endpoint and PKCE support
- Add /.well-known/oauth-authorization-server metadata endpoint (RFC 8414)- Implement PKCE support with S256 method for enhanced security- Add resource parameter support (RFC 8707) for token binding- Add OAuth2-compliant error responses with proper error codes- Fix authorization UI to use POST-based consent instead of GET redirects- Add comprehensive OAuth2 test scripts and interactive test server- Update CLAUDE.md with OAuth2 development guidelinesDatabase changes:- Add migration 000341: code_challenge, resource_uri, audience fields- Update audit table for new OAuth2 fieldsOAuth2 provider remains development-only (requires --dev flag).Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954aSigned-off-by: Thomas Kosiewski <tk@coder.com>
1 parent1b1d091 commit03c4724

File tree

42 files changed

+2866
-272
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

42 files changed

+2866
-272
lines changed

‎.claude/settings.json

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
{
2+
"permissions": {
3+
"allow": [],
4+
"deny": [
5+
"mcp__go-language-server__edit_file"
6+
]
7+
}
8+
}

‎.mcp.json

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
{
2+
"mcpServers": {
3+
"go-language-server": {
4+
"type":"stdio",
5+
"command":"go",
6+
"args": [
7+
"run",
8+
"github.com/isaacphi/mcp-language-server@latest",
9+
"-workspace",
10+
"./",
11+
"-lsp",
12+
"go",
13+
"--",
14+
"run",
15+
"golang.org/x/tools/gopls@latest"
16+
],
17+
"env": {}
18+
}
19+
}
20+
}

‎CLAUDE.md

Lines changed: 165 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,22 @@
22

33
Read[cursor rules](.cursorrules).
44

5+
##Quick Start Checklist for New Features
6+
7+
###Before Starting
8+
9+
-[ ] Run`git pull` to ensure you're on latest code
10+
-[ ] Check if feature touches database - you'll need migrations
11+
-[ ] Check if feature touches audit logs - update`enterprise/audit/table.go`
12+
13+
##Development Server
14+
15+
###Starting Development Mode
16+
17+
- Use`./scripts/develop.sh` to start Coder in development mode
18+
- This automatically builds and runs with`--dev` flag and proper access URL
19+
- Do NOT manually run`make build && ./coder server --dev` - use the script instead
20+
521
##Build/Test/Lint Commands
622

723
###Main Commands
@@ -34,6 +50,7 @@ Read [cursor rules](.cursorrules).
3450
- Use`gofumpt` for formatting
3551
- Create packages when used during implementation
3652
- Validate abstractions against implementations
53+
-**Test packages**: Use`package_test` naming (e.g.,`identityprovider_test`) for black-box testing
3754

3855
###Error Handling
3956

@@ -63,11 +80,50 @@ Read [cursor rules](.cursorrules).
6380
- Keep message titles concise (~70 characters)
6481
- Use imperative, present tense in commit titles
6582

66-
##Database queries
83+
##Database Work
84+
85+
###Migration Guidelines
86+
87+
1.**Create migration files**:
88+
- Location:`coderd/database/migrations/`
89+
- Format:`{number}_{description}.{up|down}.sql`
90+
- Number must be unique and sequential
91+
- Always include both up and down migrations
92+
93+
2.**Update database queries**:
94+
- MUST DO! Any changes to database - adding queries, modifying queries should be done in the`coderd/database/queries/*.sql` files
95+
- MUST DO! Queries are grouped in files relating to context - e.g.`prebuilds.sql`,`users.sql`,`oauth2.sql`
96+
- After making changes to any`coderd/database/queries/*.sql` files you must run`make gen` to generate respective ORM changes
97+
98+
3.**Handle nullable fields**:
99+
- Use`sql.NullString`,`sql.NullBool`, etc. for optional database fields
100+
- Set`.Valid = true` when providing values
101+
- Example:
102+
103+
```go
104+
CodeChallenge: sql.NullString{
105+
String: params.codeChallenge,
106+
Valid: params.codeChallenge !="",
107+
}
108+
```
67109

68-
- MUST DO! Any changes to database - adding queries, modifying queries should be done in the`coderd\database\queries\*.sql` files. Use`make gen` to generate necessary changes after.
69-
- MUST DO! Queries are grouped in files relating to context - e.g.`prebuilds.sql`,`users.sql`,`provisionerjobs.sql`.
70-
- After making changes to any`coderd\database\queries\*.sql` files you must run`make gen` to generate respective ORM changes.
110+
4. **Audit table updates**:
111+
-If adding fields to auditable types, update`enterprise/audit/table.go`
112+
-Add each new field with appropriateaction (ActionTrack,ActionIgnore,ActionSecret)
113+
-Run`make gen` to verify no audit errors
114+
115+
5. **In-memorydatabase (dbmem) updates**:
116+
-When adding new fields to database structs, ensure`dbmem` implementation copies all fields
117+
-Check`coderd/database/dbmem/dbmem.go`forInsert/Update methods
118+
-Missing fields in dbmem can cause tests to fail evenif main implementation is correct
119+
120+
###DatabaseGenerationProcess
121+
122+
1.ModifySQL files in`coderd/database/queries/`
123+
2.Run`make gen`
124+
3.If errors about audit table, update`enterprise/audit/table.go`
125+
4.Run`make gen` again
126+
5.Run`make lint` to catch any remaining issues
71127

72128
##Architecture
73129

@@ -78,6 +134,14 @@ Read [cursor rules](.cursorrules).
78134
- **Agents**:Services in remote workspaces providing features likeSSH and port forwarding
79135
- **Workspaces**:Cloud resources defined byTerraform
80136

137+
###AddingNewAPIEndpoints
138+
139+
1. **Define types** in`codersdk/`package
140+
2. **Add handler** in appropriate`coderd/` file
141+
3. **Register route** in`coderd/coderd.go`
142+
4. **Add tests** in`coderd/*_test.go` files
143+
5. **UpdateOpenAPI** by running`make gen`
144+
81145
##Sub-modules
82146

83147
###TemplateSystem
@@ -104,3 +168,100 @@ Read [cursor rules](.cursorrules).
104168
The frontend is contained in the site folder.
105169

106170
For buildingFrontend refer to [this document](docs/about/contributing/frontend.md)
171+
172+
##CommonPatterns
173+
174+
###OAuth2/AuthenticationWork
175+
176+
-Typesgo in`codersdk/oauth2.go` or similar
177+
-Handlersgo in`coderd/oauth2.go` or`coderd/identityprovider/`
178+
-Database fields need migration + audit table updates
179+
-Always support backward compatibility
180+
181+
##OAuth2Development
182+
183+
###OAuth2ProviderImplementation
184+
185+
When working onOAuth2 provider features:
186+
187+
1. **OAuth2SpecCompliance**:
188+
-FollowRFC6749for token responses
189+
-Use`expires_in` (seconds) not`expiry` (timestamp) in token responses
190+
-Return properOAuth2error format:`{"error": "code", "error_description": "details"}`
191+
192+
2. **ErrorResponseFormat**:
193+
-CreateOAuth2-complianterror responsesfor token endpoint
194+
-Use standarderror codes:`invalid_client`,`invalid_grant`,`invalid_request`
195+
-Avoid genericerror responsesforOAuth2 endpoints
196+
197+
3. **TestingOAuth2Features**:
198+
-Use scripts in`./scripts/oauth2/`for testing
199+
-Run`./scripts/oauth2/test-mcp-oauth2.sh`for comprehensive tests
200+
-Manual testing: use`./scripts/oauth2/test-manual-flow.sh`
201+
202+
4. **PKCEImplementation**:
203+
-Support both with and withoutPKCEfor backward compatibility
204+
-UseS256 methodfor code challenge
205+
-Properly validate code_verifier against stored code_challenge
206+
207+
5. **UIAuthorizationFlow**:
208+
-UsePOST requestsfor consent, notGET with links
209+
-Avoid dependency on referer headersfor security decisions
210+
-Support proper state parameter validation
211+
212+
###OAuth2ErrorHandlingPattern
213+
214+
```go
215+
// Define specific OAuth2 errors
216+
var (
217+
errInvalidPKCE = xerrors.New("invalid code_verifier")
218+
)
219+
220+
// Use OAuth2-compliant error responses
221+
type OAuth2Error struct {
222+
Error string`json:"error"`
223+
ErrorDescription string`json:"error_description,omitempty"`
224+
}
225+
226+
// Return proper OAuth2 errors
227+
if errors.Is(err, errInvalidPKCE) {
228+
writeOAuth2Error(ctx, rw, http.StatusBadRequest, "invalid_grant", "The PKCE code verifier is invalid")
229+
return
230+
}
231+
```
232+
233+
###TestingPatterns
234+
235+
-Use table-driven testsfor comprehensive coverage
236+
-Mock external dependencies
237+
-Test both positive and negative cases
238+
-Use`testutil.WaitLong`for timeouts in tests
239+
240+
##TestingScripts
241+
242+
###OAuth2TestScripts
243+
244+
Located in`./scripts/oauth2/`:
245+
246+
-`test-mcp-oauth2.sh` -Full automated test suite
247+
-`setup-test-app.sh` -Create testOAuth2 app
248+
-`cleanup-test-app.sh` -Remove test app
249+
-`generate-pkce.sh` -GeneratePKCE parameters
250+
-`test-manual-flow.sh` -Manual browser testing
251+
252+
Always run the full test suite afterOAuth2 changes:
253+
254+
```bash
255+
./scripts/oauth2/test-mcp-oauth2.sh
256+
```
257+
258+
##Troubleshooting
259+
260+
###CommonIssues
261+
262+
1. **"Audit table entry missing action"** -Update`enterprise/audit/table.go`
263+
2. **"package should be X_test"** -Use`package_test` namingfor test files
264+
3. **SQLtype errors** -Use`sql.Null*` typesfor nullable fields
265+
4. **Missing newlines** -Ensure files end with newline character
266+
5. **Tests passing locally but failing inCI** -Checkif`dbmem` implementation needs updating
267+
6. **OAuth2 endpoints returning wrongerror format** -EnsureOAuth2 endpointsreturnRFC6749 compliant errors

‎coderd/apidoc/docs.go

Lines changed: 125 additions & 3 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp