Commit962c22c

committed
feat: replace callback_url with redirect_uris for OAuth2 RFC 6749 compliance
Change-Id: I4823e475777ebdf75e3a80e47ff6bef1a556cd55
Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parentb58eed8 commit962c22c

34 files changed

+590
-408
lines changed


‎coderd/apidoc/docs.go

Lines changed: 25 additions & 14 deletions

‎coderd/apidoc/swagger.json

Lines changed: 23 additions & 12 deletions

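--- a/coderd/database/db2sdk/db2sdk.go
+++ b/coderd/database/db2sdk/db2sdk.go
@@ -355,10 +355,10 @@ func TemplateVersionParameterOptionFromPreview(option *previewtypes.ParameterOpt
 
 func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) codersdk.OAuth2ProviderApp {
 	return codersdk.OAuth2ProviderApp{
-		ID:          dbApp.ID,
-		Name:        dbApp.Name,
-		CallbackURL: dbApp.CallbackURL,
-		Icon:        dbApp.Icon,
+		ID:           dbApp.ID,
+		Name:         dbApp.Name,
+		RedirectURIs: dbApp.RedirectUris,
+		Icon:         dbApp.Icon,
 		Endpoints: codersdk.OAuth2AppEndpoints{
 			Authorization: accessURL.ResolveReference(&url.URL{
 				Path: "/oauth2/authorize",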

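--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -5227,7 +5227,33 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 		})
 	}))
 	s.Run("InsertOAuth2ProviderApp", s.Subtest(func(db database.Store, check *expects) {
-		check.Args(database.InsertOAuth2ProviderAppParams{}).Asserts(rbac.ResourceOauth2App, policy.ActionCreate)
+		check.Args(database.InsertOAuth2ProviderAppParams{
+			ID: uuid.New(),
+			Name: fmt.Sprintf("test-app-%d", time.Now().UnixNano()),
+			CreatedAt: dbtestutil.NowInDefaultTimezone(),
+			UpdatedAt: dbtestutil.NowInDefaultTimezone(),
+			Icon: "",
+			RedirectUris: []string{"http://localhost"},
+			ClientType: sql.NullString{String: "confidential", Valid: true},
+			DynamicallyRegistered: sql.NullBool{Bool: false, Valid: true},
+			ClientIDIssuedAt: sql.NullTime{},
+			ClientSecretExpiresAt: sql.NullTime{},
+			GrantTypes: []string{"authorization_code", "refresh_token"},
+			ResponseTypes: []string{"code"},
+			TokenEndpointAuthMethod: sql.NullString{String: "client_secret_basic", Valid: true},
+			Scope: sql.NullString{},
+			Contacts: []string{},
+			ClientUri: sql.NullString{},
+			LogoUri: sql.NullString{},
+			TosUri: sql.NullString{},
+			PolicyUri: sql.NullString{},
+			JwksUri: sql.NullString{},
+			Jwks: pqtype.NullRawMessage{},
+			SoftwareID: sql.NullString{},
+			SoftwareVersion: sql.NullString{},
+			RegistrationAccessToken: sql.NullString{},
+			RegistrationClientUri: sql.NullString{},
+		}).Asserts(rbac.ResourceOauth2App, policy.ActionCreate)
 	}))
 	s.Run("UpdateOAuth2ProviderAppByID", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -5238,7 +5264,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 			ID: app.ID,
 			Name: app.Name,
 			Icon: app.Icon,
-			CallbackURL: app.CallbackURL,
 			RedirectUris: app.RedirectUris,
 			ClientType: app.ClientType,
 			DynamicallyRegistered: app.DynamicallyRegistered,
@@ -5280,7 +5305,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 			ID: app.ID,
 			Name: app.Name,
 			Icon: app.Icon,
-			CallbackURL: app.CallbackURL,
 			RedirectUris: app.RedirectUris,
 			ClientType: app.ClientType,
 			ClientSecretExpiresAt: app.ClientSecretExpiresAt,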

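--- a/coderd/database/dbgen/dbgen.go
+++ b/coderd/database/dbgen/dbgen.go
@@ -1156,8 +1156,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov
 		CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()),
 		UpdatedAt: takeFirst(seed.UpdatedAt, dbtime.Now()),
 		Icon: takeFirst(seed.Icon, ""),
-		CallbackURL: takeFirst(seed.CallbackURL, "http://localhost"),
-		RedirectUris: takeFirstSlice(seed.RedirectUris, []string{}),
+		RedirectUris: takeFirstSlice(seed.RedirectUris, []string{"http://localhost"}),
 		ClientType: takeFirst(seed.ClientType, sql.NullString{String: "confidential", Valid: true}),
 		DynamicallyRegistered: takeFirst(seed.DynamicallyRegistered, sql.NullBool{Bool: false, Valid: true}),
 		ClientIDIssuedAt: takeFirst(seed.ClientIDIssuedAt, sql.NullTime{}),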

‎coderd/database/dump.sql

Lines changed: 4 additions & 4 deletions
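--- /dev/null
+++ b/[migration down file path not shown on page]
@@ -0,0 +1,18 @@
+-- Reverse migration: restore callback_url column from redirect_uris
+
+-- Add back the callback_url column
+ALTER TABLE oauth2_provider_apps
+ADD COLUMN callback_url text;
+
+-- Populate callback_url from the first redirect_uri
+UPDATE oauth2_provider_apps
+SET callback_url = redirect_uris[1]
+WHERE redirect_uris IS NOT NULL AND array_length(redirect_uris, 1) > 0;
+
+-- Remove NOT NULL and CHECK constraints from redirect_uris (restore original state)
+ALTER TABLE oauth2_provider_apps
+DROP CONSTRAINT IF EXISTS oauth2_provider_apps_redirect_uris_nonempty;
+ALTER TABLE oauth2_provider_apps
+ALTER COLUMN redirect_uris DROP NOT NULL;
+
+COMMENT ON COLUMN oauth2_provider_apps.callback_url IS 'Legacy callback URL field (replaced by redirect_uris array)';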
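Review bot: The `DROP CONSTRAINT IF EXISTS oauth2_provider_apps_redirect_uris_nonempty` line does not match the constraint the up migration creates, which is named `redirect_uris_not_empty` in its `ADD CONSTRAINT` statement. Because of `IF EXISTS` the mismatch is silent: rolling back leaves the CHECK in place, and re-applying the up migration then fails with a duplicate-constraint error. The line should read `DROP CONSTRAINT IF EXISTS redirect_uris_not_empty;`. Separately, restoring only `redirect_uris[1]` discards every additional registered redirect URI, so the rollback is lossy; a comment such as `-- Lossy: only the first redirect URI survives a rollback` would make that explicit for operators.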
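--- /dev/null
+++ b/[migration up file path not shown on page]
@@ -0,0 +1,28 @@
+-- Migrate from callback_url to redirect_uris as source of truth for OAuth2 apps
+-- RFC 6749 compliance: use array of redirect URIs instead of single callback URL
+
+-- Populate redirect_uris from callback_url where redirect_uris is empty or NULL.
+-- NULLIF is used to treat empty strings in callback_url as NULL.
+-- If callback_url is NULL or empty, this will result in redirect_uris
+-- being an array with a single NULL element. This is preferable to an empty
+-- array as it will pass a CHECK for array length > 0, enforcing that all
+-- apps have at least one URI entry, even if it's null.
+UPDATE oauth2_provider_apps
+SET redirect_uris = ARRAY[NULLIF(callback_url, '')]
+WHERE (redirect_uris IS NULL OR cardinality(redirect_uris) = 0);
+
+-- Add NOT NULL constraint to redirect_uris
+ALTER TABLE oauth2_provider_apps
+ALTER COLUMN redirect_uris SET NOT NULL;
+
+-- Add CHECK constraint to ensure redirect_uris is not empty.
+-- This prevents empty arrays, which could have been created by the old logic,
+-- and ensures data integrity going forward.
+ALTER TABLE oauth2_provider_apps
+ADD CONSTRAINT redirect_uris_not_empty CHECK (cardinality(redirect_uris) > 0);
+
+-- Drop the callback_url column entirely
+ALTER TABLE oauth2_provider_apps
+DROP COLUMN callback_url;
+
+COMMENT ON COLUMN oauth2_provider_apps.redirect_uris IS 'RFC 6749 compliant list of valid redirect URIs for the application';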
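Review bot: The `ARRAY[NULLIF(callback_url, '')]` backfill deliberately stores a single NULL element for apps with no callback URL, and the `cardinality(redirect_uris) > 0` CHECK accepts that, so the constraint enforces "at least one element" rather than "at least one redirect URI". A NULL entry matches no redirect_uri at authorization time, which fails closed, but it also means the stated invariant is not actually established and any Go-side scan of the text[] into a []string may reject the NULL element — that depends on the scanner and should be confirmed. Tightening the constraint to `CHECK (cardinality(redirect_uris) > 0 AND array_position(redirect_uris, NULL) IS NULL)` would reject NULL placeholders outright; rows with no callback_url then need an explicit decision in the backfill (for example, a migration-time count or log of affected apps) rather than a NULL stand-in. Whichever is chosen, the comment block on lines 6-9 should say that such apps cannot complete an authorization flow until a real redirect URI is registered.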

‎coderd/database/models.go

Lines changed: 6 additions & 7 deletions
