NotificationsYou must be signed in to change notification settings
Fork912
Star10k

Commit67d89bb

authored

feat: implement sign up with GitHub for the first user (#16629)

Second PR to address#16230. Seethe issue for more context and discussion.It adds a "Continue with GitHub" button to the `/setup` page, so thedeployment's admin can sign up with it. It also removes the "Username"and "Full Name" fields to make signing up with email faster. In theemail flow, the username is now auto-generated based on the email, andfull name is left empty.<img width="1512" alt="Screenshot 2025-02-21 at 17 51 22"src="https://github.com/user-attachments/assets/e7c6986b-c05e-458b-bb01-c3aea3b74c0e"/>There's a separate, follow up issue to visually align the `/setup` pagewith the new design system:#16653

1 parentb419b36 commit67d89bbCopy full SHA for 67d89bb

File tree

7 files changed

+171

-59

lines changed

coderd
site
- e2e/setup
  - addUsersAndLicense.spec.ts
- src/pages/SetupPage

7 files changed

+171

-59

lines changed

`‎coderd/userauth.go`

Lines changed: 32 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ import (`
`27`	`27`	`"github.com/coder/coder/v2/coderd/cryptokeys"`
`28`	`28`	`"github.com/coder/coder/v2/coderd/idpsync"`
`29`	`29`	`"github.com/coder/coder/v2/coderd/jwtutils"`
	`30`	`+"github.com/coder/coder/v2/coderd/telemetry"`
`30`	`31`	`"github.com/coder/coder/v2/coderd/util/ptr"`
`31`	`32`
`32`	`33`	`"github.com/coder/coder/v2/coderd/apikey"`
`@@ -1054,6 +1055,10 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`1054`	`1055`	`deferparams.CommitAuditLogs()`
`1055`	`1056`	`iferr!=nil {`
`1056`	`1057`	`ifhttpErr:=idpsync.IsHTTPError(err);httpErr!=nil {`
	`1058`	`+// In the device flow, the error page is rendered client-side.`
	`1059`	`+ifapi.GithubOAuth2Config.DeviceFlowEnabled&&httpErr.RenderStaticPage {`
	`1060`	`+httpErr.RenderStaticPage=false`
	`1061`	`+}`
`1057`	`1062`	`httpErr.Write(rw,r)`
`1058`	`1063`	`return`
`1059`	`1064`	`}`
`@@ -1634,7 +1639,17 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) ([]http.C`
`1634`	`1639`	`isConvertLoginType=true`
`1635`	`1640`	`}`
`1636`	`1641`
`1637`		`-ifuser.ID==uuid.Nil&&!params.AllowSignups {`
	`1642`	`+// nolint:gocritic // Getting user count is a system function.`
	`1643`	`+userCount,err:=tx.GetUserCount(dbauthz.AsSystemRestricted(ctx))`
	`1644`	`+iferr!=nil {`
	`1645`	`+returnxerrors.Errorf("unable to fetch user count: %w",err)`
	`1646`	`+}`
	`1647`	`+`
	`1648`	`+// Allow the first user to sign up with OIDC, regardless of`
	`1649`	`+// whether signups are enabled or not.`
	`1650`	`+allowSignup:=userCount==0\|\|params.AllowSignups`
	`1651`	`+`
	`1652`	`+ifuser.ID==uuid.Nil&&!allowSignup {`
`1638`	`1653`	`signupsDisabledText:="Please contact your Coder administrator to request access."`
`1639`	`1654`	`ifapi.OIDCConfig!=nil&&api.OIDCConfig.SignupsDisabledText!="" {`
`1640`	`1655`	`signupsDisabledText=render.HTMLFromMarkdown(api.OIDCConfig.SignupsDisabledText)`
`@@ -1695,6 +1710,12 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) ([]http.C`
`1695`	`1710`	`returnxerrors.Errorf("unable to fetch default organization: %w",err)`
`1696`	`1711`	`}`
`1697`	`1712`
	`1713`	`+rbacRoles:= []string{}`
	`1714`	`+// If this is the first user, add the owner role.`
	`1715`	`+ifuserCount==0 {`
	`1716`	`+rbacRoles=append(rbacRoles,rbac.RoleOwner().String())`
	`1717`	`+}`
	`1718`	`+`
`1698`	`1719`	`//nolint:gocritic`
`1699`	`1720`	`user,err=api.CreateUser(dbauthz.AsSystemRestricted(ctx),tx,CreateUserRequest{`
`1700`	`1721`	`CreateUserRequestWithOrgs: codersdk.CreateUserRequestWithOrgs{`
`@@ -1709,10 +1730,20 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) ([]http.C`
`1709`	`1730`	`},`
`1710`	`1731`	`LoginType:params.LoginType,`
`1711`	`1732`	`accountCreatorName:"oauth",`
	`1733`	`+RBACRoles:rbacRoles,`
`1712`	`1734`	`})`
`1713`	`1735`	`iferr!=nil {`
`1714`	`1736`	`returnxerrors.Errorf("create user: %w",err)`
`1715`	`1737`	`}`
	`1738`	`+`
	`1739`	`+ifuserCount==0 {`
	`1740`	`+telemetryUser:=telemetry.ConvertUser(user)`
	`1741`	`+// The email is not anonymized for the first user.`
	`1742`	`+telemetryUser.Email=&user.Email`
	`1743`	`+api.Telemetry.Report(&telemetry.Snapshot{`
	`1744`	`+Users: []telemetry.User{telemetryUser},`
	`1745`	`+})`
	`1746`	`+}`
`1716`	`1747`	`}`
`1717`	`1748`
`1718`	`1749`	`// Activate dormant user on sign-in`

`‎coderd/userauth_test.go`

Lines changed: 55 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ import (`
`22`	`22`	`"github.com/prometheus/client_golang/prometheus"`
`23`	`23`	`"github.com/stretchr/testify/assert"`
`24`	`24`	`"github.com/stretchr/testify/require"`
	`25`	`+"go.uber.org/atomic"`
`25`	`26`	`"golang.org/x/oauth2"`
`26`	`27`	`"golang.org/x/xerrors"`
`27`	`28`
`@@ -254,37 +255,64 @@ func TestUserOAuth2Github(t *testing.T) {`
`254`	`255`	`})`
`255`	`256`	`t.Run("BlockSignups",func(t*testing.T) {`
`256`	`257`	`t.Parallel()`
	`258`	`+`
	`259`	`+db,ps:=dbtestutil.NewDB(t)`
	`260`	`+`
	`261`	`+id:=atomic.NewInt64(100)`
	`262`	`+login:=atomic.NewString("testuser")`
	`263`	`+email:=atomic.NewString("testuser@coder.com")`
	`264`	`+`
`257`	`265`	`client:=coderdtest.New(t,&coderdtest.Options{`
	`266`	`+Database:db,`
	`267`	`+Pubsub:ps,`
`258`	`268`	`GithubOAuth2Config:&coderd.GithubOAuth2Config{`
`259`	`269`	`OAuth2Config:&testutil.OAuth2Config{},`
`260`	`270`	`AllowOrganizations: []string{"coder"},`
`261`		`-ListOrganizationMemberships:func(ctx context.Context,clienthttp.Client) ([]github.Membership,error) {`
	`271`	`+ListOrganizationMemberships:func(_ context.Context,_http.Client) ([]github.Membership,error) {`
`262`	`272`	`return []*github.Membership{{`
`263`	`273`	`State:&stateActive,`
`264`	`274`	`Organization:&github.Organization{`
`265`	`275`	`Login:github.String("coder"),`
`266`	`276`	`},`
`267`	`277`	`}},nil`
`268`	`278`	`},`
`269`		`-AuthenticatedUser:func(ctx context.Context,clienthttp.Client) (github.User,error) {`
	`279`	`+AuthenticatedUser:func(_ context.Context,_http.Client) (github.User,error) {`
	`280`	`+id:=id.Load()`
	`281`	`+login:=login.Load()`
`270`	`282`	`return&github.User{`
`271`		`-ID:github.Int64(100),`
`272`		`-Login:github.String("testuser"),`
	`283`	`+ID:&id,`
	`284`	`+Login:&login,`
`273`	`285`	`Name:github.String("The Right Honorable Sir Test McUser"),`
`274`	`286`	`},nil`
`275`	`287`	`},`
`276`		`-ListEmails:func(ctx context.Context,clienthttp.Client) ([]github.UserEmail,error) {`
	`288`	`+ListEmails:func(_ context.Context,_http.Client) ([]github.UserEmail,error) {`
	`289`	`+email:=email.Load()`
`277`	`290`	`return []*github.UserEmail{{`
`278`		`-Email:github.String("testuser@coder.com"),`
	`291`	`+Email:&email,`
`279`	`292`	`Verified:github.Bool(true),`
`280`	`293`	`Primary:github.Bool(true),`
`281`	`294`	`}},nil`
`282`	`295`	`},`
`283`	`296`	`},`
`284`	`297`	`})`
`285`	`298`
	`299`	`+// The first user in a deployment with signups disabled will be allowed to sign up,`
	`300`	`+// but all the other users will not.`
`286`	`301`	`resp:=oauth2Callback(t,client)`
	`302`	`+require.Equal(t,http.StatusTemporaryRedirect,resp.StatusCode)`
	`303`	`+`
	`304`	`+ctx:=testutil.Context(t,testutil.WaitLong)`
	`305`	`+`
	`306`	`+// nolint:gocritic // Unit test`
	`307`	`+count,err:=db.GetUserCount(dbauthz.AsSystemRestricted(ctx))`
	`308`	`+require.NoError(t,err)`
	`309`	`+require.Equal(t,int64(1),count)`
	`310`	`+`
	`311`	`+id.Store(101)`
	`312`	`+email.Store("someotheruser@coder.com")`
	`313`	`+login.Store("someotheruser")`
`287`	`314`
	`315`	`+resp=oauth2Callback(t,client)`
`288`	`316`	`require.Equal(t,http.StatusForbidden,resp.StatusCode)`
`289`	`317`	`})`
`290`	`318`	`t.Run("MultiLoginNotAllowed",func(t*testing.T) {`
`@@ -988,6 +1016,7 @@ func TestUserOIDC(t *testing.T) {`
`988`	`1016`	`IgnoreEmailVerifiedbool`
`989`	`1017`	`IgnoreUserInfobool`
`990`	`1018`	`UseAccessTokenbool`
	`1019`	`+PrecreateFirstUserbool`
`991`	`1020`	`}{`
`992`	`1021`	`{`
`993`	`1022`	`Name:"NoSub",`
`@@ -1150,7 +1179,17 @@ func TestUserOIDC(t *testing.T) {`
`1150`	`1179`	`"email_verified":true,`
`1151`	`1180`	`"sub":uuid.NewString(),`
`1152`	`1181`	`},`
`1153`		`-StatusCode:http.StatusForbidden,`
	`1182`	`+StatusCode:http.StatusForbidden,`
	`1183`	`+PrecreateFirstUser:true,`
	`1184`	`+},`
	`1185`	`+{`
	`1186`	`+Name:"FirstSignup",`
	`1187`	`+IDTokenClaims: jwt.MapClaims{`
	`1188`	`+"email":"kyle@kwc.io",`
	`1189`	`+"email_verified":true,`
	`1190`	`+"sub":uuid.NewString(),`
	`1191`	`+},`
	`1192`	`+StatusCode:http.StatusOK,`
`1154`	`1193`	`},`
`1155`	`1194`	`{`
`1156`	`1195`	`Name:"UsernameFromEmail",`
`@@ -1443,15 +1482,22 @@ func TestUserOIDC(t *testing.T) {`
`1443`	`1482`	`})`
`1444`	`1483`	`numLogs:=len(auditor.AuditLogs())`
`1445`	`1484`
	`1485`	`+ctx:=testutil.Context(t,testutil.WaitShort)`
	`1486`	`+iftc.PrecreateFirstUser {`
	`1487`	`+owner.CreateFirstUser(ctx, codersdk.CreateFirstUserRequest{`
	`1488`	`+Email:"precreated@coder.com",`
	`1489`	`+Username:"precreated",`
	`1490`	`+Password:"SomeSecurePassword!",`
	`1491`	`+})`
	`1492`	`+}`
	`1493`	`+`
`1446`	`1494`	`client,resp:=fake.AttemptLogin(t,owner,tc.IDTokenClaims)`
`1447`	`1495`	`numLogs++// add an audit log for login`
`1448`	`1496`	`require.Equal(t,tc.StatusCode,resp.StatusCode)`
`1449`	`1497`	`iftc.AssertResponse!=nil {`
`1450`	`1498`	`tc.AssertResponse(t,resp)`
`1451`	`1499`	`}`
`1452`	`1500`
`1453`		`-ctx:=testutil.Context(t,testutil.WaitShort)`
`1454`		`-`
`1455`	`1501`	`iftc.AssertUser!=nil {`
`1456`	`1502`	`user,err:=client.User(ctx,"me")`
`1457`	`1503`	`require.NoError(t,err)`

`‎coderd/users.go`

Lines changed: 18 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,8 @@ func (api API) firstUser(rw http.ResponseWriter, r http.Request) {`
`118`	`118`	`// @Success 201 {object} codersdk.CreateFirstUserResponse`
`119`	`119`	`// @Router /users/first [post]`
`120`	`120`	`func (apiAPI)postFirstUser(rw http.ResponseWriter,rhttp.Request) {`
	`121`	`+// The first user can also be created via oidc, so if making changes to the flow,`
	`122`	`+// ensure that the oidc flow is also updated.`
`121`	`123`	`ctx:=r.Context()`
`122`	`124`	`varcreateUser codersdk.CreateFirstUserRequest`
`123`	`125`	`if!httpapi.Read(ctx,rw,r,&createUser) {`
`@@ -198,6 +200,7 @@ func (api API) postFirstUser(rw http.ResponseWriter, r http.Request) {`
`198`	`200`	`OrganizationIDs: []uuid.UUID{defaultOrg.ID},`
`199`	`201`	`},`
`200`	`202`	`LoginType:database.LoginTypePassword,`
	`203`	`+RBACRoles: []string{rbac.RoleOwner().String()},`
`201`	`204`	`accountCreatorName:"coder",`
`202`	`205`	`})`
`203`	`206`	`iferr!=nil {`
`@@ -225,23 +228,6 @@ func (api API) postFirstUser(rw http.ResponseWriter, r http.Request) {`
`225`	`228`	`Users: []telemetry.User{telemetryUser},`
`226`	`229`	`})`
`227`	`230`
`228`		`-// TODO: @emyrk this currently happens outside the database tx used to create`
`229`		`-// the user. Maybe I add this ability to grant roles in the createUser api`
`230`		`-//and add some rbac bypass when calling api functions this way??`
`231`		`-// Add the admin role to this first user.`
`232`		`-//nolint:gocritic // needed to create first user`
`233`		`-_,err=api.Database.UpdateUserRoles(dbauthz.AsSystemRestricted(ctx), database.UpdateUserRolesParams{`
`234`		`-GrantedRoles: []string{rbac.RoleOwner().String()},`
`235`		`-ID:user.ID,`
`236`		`-})`
`237`		`-iferr!=nil {`
`238`		`-httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`239`		`-Message:"Internal error updating user's roles.",`
`240`		`-Detail:err.Error(),`
`241`		`-})`
`242`		`-return`
`243`		`-}`
`244`		`-`
`245`	`231`	`httpapi.Write(ctx,rw,http.StatusCreated, codersdk.CreateFirstUserResponse{`
`246`	`232`	`UserID:user.ID,`
`247`	`233`	`OrganizationID:defaultOrg.ID,`
`@@ -1351,6 +1337,7 @@ type CreateUserRequest struct {`
`1351`	`1337`	`LoginType database.LoginType`
`1352`	`1338`	`SkipNotificationsbool`
`1353`	`1339`	`accountCreatorNamestring`
	`1340`	`+RBACRoles []string`
`1354`	`1341`	`}`
`1355`	`1342`
`1356`	`1343`	`func (api*API)CreateUser(ctx context.Context,store database.Store,reqCreateUserRequest) (database.User,error) {`
`@@ -1360,6 +1347,13 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create`
`1360`	`1347`	`return database.User{},xerrors.Errorf("invalid username %q: %w",req.Username,usernameValid)`
`1361`	`1348`	`}`
`1362`	`1349`
	`1350`	`+// If the caller didn't specify rbac roles, default to`
	`1351`	`+// a member of the site.`
	`1352`	`+rbacRoles:= []string{}`
	`1353`	`+ifreq.RBACRoles!=nil {`
	`1354`	`+rbacRoles=req.RBACRoles`
	`1355`	`+}`
	`1356`	`+`
`1363`	`1357`	`varuser database.User`
`1364`	`1358`	`err:=store.InTx(func(tx database.Store)error {`
`1365`	`1359`	`orgRoles:=make([]string,0)`
`@@ -1376,10 +1370,9 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create`
`1376`	`1370`	`CreatedAt:dbtime.Now(),`
`1377`	`1371`	`UpdatedAt:dbtime.Now(),`
`1378`	`1372`	`HashedPassword: []byte{},`
`1379`		`-// All new users are defaulted to members of the site.`
`1380`		`-RBACRoles: []string{},`
`1381`		`-LoginType:req.LoginType,`
`1382`		`-Status:status,`
	`1373`	`+RBACRoles:rbacRoles,`
	`1374`	`+LoginType:req.LoginType,`
	`1375`	`+Status:status,`
`1383`	`1376`	`}`
`1384`	`1377`	`// If a user signs up with OAuth, they can have no password!`
`1385`	`1378`	`ifreq.Password!="" {`
`@@ -1437,6 +1430,10 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create`
`1437`	`1430`	`}`
`1438`	`1431`
`1439`	`1432`	`for_,u:=rangeuserAdmins {`
	`1433`	`+ifu.ID==user.ID {`
	`1434`	`+// If the new user is an admin, don't notify them about themselves.`
	`1435`	`+continue`
	`1436`	`+}`
`1440`	`1437`	`if_,err:=api.NotificationsEnqueuer.EnqueueWithData(`
`1441`	`1438`	`// nolint:gocritic // Need notifier actor to enqueue notifications`
`1442`	`1439`	`dbauthz.AsNotifier(ctx),`

`‎site/e2e/setup/addUsersAndLicense.spec.ts`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,6 @@ test("setup deployment", async ({ page }) => {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`// Setup first user`
`19`		`-awaitpage.getByLabel(Language.usernameLabel).fill(users.admin.username);`
`20`	`19`	`awaitpage.getByLabel(Language.emailLabel).fill(users.admin.email);`
`21`	`20`	`awaitpage.getByLabel(Language.passwordLabel).fill(users.admin.password);`
`22`	`21`	`awaitpage.getByTestId("create").click();`

`‎site/src/pages/SetupPage/SetupPage.test.tsx`

Lines changed: 0 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,18 +13,15 @@ import { SetupPage } from "./SetupPage";`
`13`	`13`	`import{LanguageasPageViewLanguage}from"./SetupPageView";`
`14`	`14`
`15`	`15`	`constfillForm=async({`
`16`		`-username="someuser",`
`17`	`16`	`email="someone@coder.com",`
`18`	`17`	`password="password",`
`19`	`18`	`}:{`
`20`	`19`	`username?:string;`
`21`	`20`	`email?:string;`
`22`	`21`	`password?:string;`
`23`	`22`	`}={})=>{`
`24`		`-constusernameField=screen.getByLabelText(PageViewLanguage.usernameLabel);`
`25`	`23`	`constemailField=screen.getByLabelText(PageViewLanguage.emailLabel);`
`26`	`24`	`constpasswordField=screen.getByLabelText(PageViewLanguage.passwordLabel);`
`27`		`-awaituserEvent.type(usernameField,username);`
`28`	`25`	`awaituserEvent.type(emailField,email);`
`29`	`26`	`awaituserEvent.type(passwordField,password);`
`30`	`27`	`constsubmitButton=screen.getByRole("button",{`

`‎site/src/pages/SetupPage/SetupPage.tsx`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`import{buildInfo}from"api/queries/buildInfo";`
`2`		`-import{createFirstUser}from"api/queries/users";`
	`2`	`+import{authMethods,createFirstUser}from"api/queries/users";`
`3`	`3`	`import{Loader}from"components/Loader/Loader";`
`4`	`4`	`import{useAuthContext}from"contexts/auth/AuthProvider";`
`5`	`5`	`import{useEmbeddedMetadata}from"hooks/useEmbeddedMetadata";`
`@@ -19,6 +19,7 @@ export const SetupPage: FC = () => {`
`19`	`19`	`isSignedIn,`
`20`	`20`	`isSigningIn,`
`21`	`21`	`}=useAuthContext();`
	`22`	`+constauthMethodsQuery=useQuery(authMethods());`
`22`	`23`	`constcreateFirstUserMutation=useMutation(createFirstUser());`
`23`	`24`	`constsetupIsComplete=!isConfiguringTheFirstUser;`
`24`	`25`	`const{ metadata}=useEmbeddedMetadata();`
`@@ -34,7 +35,7 @@ export const SetupPage: FC = () => {`
`34`	`35`	`});`
`35`	`36`	`},[buildInfoQuery.data]);`
`36`	`37`
`37`		`-if(isLoading){`
	`38`	`+if(isLoading\|\|authMethodsQuery.isLoading){`
`38`	`39`	`return<Loaderfullscreen/>;`
`39`	`40`	`}`
`40`	`41`
`@@ -54,6 +55,7 @@ export const SetupPage: FC = () => {`
`54`	`55`	`<title>{pageTitle("Set up your account")}</title>`
`55`	`56`	`</Helmet>`
`56`	`57`	`<SetupPageView`
	`58`	`+authMethods={authMethodsQuery.data}`
`57`	`59`	`isLoading={isSigningIn\|\|createFirstUserMutation.isLoading}`
`58`	`60`	`error={createFirstUserMutation.error}`
`59`	`61`	`onSubmit={async(firstUser)=>{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit67d89bb

File tree

7 files changed

7 files changed

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

`‎coderd/users.go`

`‎site/e2e/setup/addUsersAndLicense.spec.ts`

`‎site/src/pages/SetupPage/SetupPage.test.tsx`

`‎site/src/pages/SetupPage/SetupPage.tsx`

0 commit comments