@@ -394,6 +394,9 @@ func (f *FakeIDP) ExternalLogin(t testing.TB, client *codersdk.Client, opts ...f
394394res ,err := cli .Do (req )
395395require .NoError (t ,err )
396396require .Equal (t ,http .StatusOK ,res .StatusCode ,"client failed to login" )
397+ t .Cleanup (func () {
398+ res .Body .Close ()
399+ })
397400return res
398401}
399402
@@ -690,23 +693,31 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
690693_ = json .NewEncoder (rw ).Encode (token )
691694}))
692695
693- mux . Handle ( userInfoPath , http . HandlerFunc ( func (rw http.ResponseWriter ,r * http.Request ) {
696+ validateMW := func (rw http.ResponseWriter ,r * http.Request ) ( email string , ok bool ) {
694697token ,err := f .authenticateBearerTokenRequest (t ,r )
695698f .logger .Info (r .Context (),"http call idp user info" ,
696699slog .Error (err ),
697700slog .F ("url" ,r .URL .String ()),
698701)
699702if err != nil {
700703http .Error (rw ,fmt .Sprintf ("invalid user info request: %s" ,err .Error ()),http .StatusBadRequest )
701- return
704+ return "" , false
702705}
703706
704- email ,ok : =f .accessTokens .Load (token )
707+ email ,ok = f .accessTokens .Load (token )
705708if ! ok {
706709t .Errorf ("access token user for user_info has no email to indicate which user" )
707710http .Error (rw ,"invalid access token, missing user info" ,http .StatusBadRequest )
711+ return "" ,false
712+ }
713+ return email ,true
714+ }
715+ mux .Handle (userInfoPath ,http .HandlerFunc (func (rw http.ResponseWriter ,r * http.Request ) {
716+ email ,ok := validateMW (rw ,r )
717+ if ! ok {
708718return
709719}
720+
710721claims ,err := f .hookUserInfo (email )
711722if err != nil {
712723http .Error (rw ,fmt .Sprintf ("user info hook returned error: %s" ,err .Error ()),httpErrorCode (http .StatusBadRequest ,err ))
@@ -715,21 +726,12 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
715726_ = json .NewEncoder (rw ).Encode (claims )
716727}))
717728
729+ // There is almost no difference between this and /userinfo.
730+ // The main tweak is that this route is "mounted" vs "handle" because "/userinfo"
731+ // should be strict, and this one needs to handle sub routes.
718732mux .Mount ("/external-auth-validate/" ,http .HandlerFunc (func (rw http.ResponseWriter ,r * http.Request ) {
719- token ,err := f .authenticateBearerTokenRequest (t ,r )
720- f .logger .Info (r .Context (),"http call idp external auth validate" ,
721- slog .Error (err ),
722- slog .F ("url" ,r .URL .String ()),
723- )
724- if err != nil {
725- http .Error (rw ,fmt .Sprintf ("invalid user info request: %s" ,err .Error ()),http .StatusBadRequest )
726- return
727- }
728-
729- email ,ok := f .accessTokens .Load (token )
733+ email ,ok := validateMW (rw ,r )
730734if ! ok {
731- t .Errorf ("access token user for external auth validate has no email to indicate which user" )
732- http .Error (rw ,"invalid access token" ,http .StatusBadRequest )
733735return
734736}
735737
@@ -844,6 +846,9 @@ func (f *FakeIDP) SetCoderdCallbackHandler(handler http.HandlerFunc) {
844846})
845847}
846848
849+ // ExternalAuthConfigOptions exists to provide additional functionality ontop
850+ // of the standard "validate" url. Some providers like github we actually parse
851+ // the response from the validate URL to gain additional information.
847852type ExternalAuthConfigOptions struct {
848853// ValidatePayload is the payload that is used when the user calls the
849854// equivalent of "userinfo" for oauth2. This is not standardized, so is
@@ -870,8 +875,7 @@ func (o *ExternalAuthConfigOptions) AddRoute(route string, handle func(email str
870875return o
871876}
872877
873- // ExternalAuthConfig takes a validatePayload, which should be the user data in a parseable format based
874- // on the type. Or just omitted if the user info is not important.
878+ // ExternalAuthConfig is the config for external auth providers.
875879func (f * FakeIDP )ExternalAuthConfig (t testing.TB ,id string ,custom * ExternalAuthConfigOptions ,opts ... func (cfg * externalauth.Config ))* externalauth.Config {
876880if custom == nil {
877881custom = & ExternalAuthConfigOptions {}