coder
diff --git a/‎.claude/scripts/format.sh
Lines changed: 16 additions & 10 deletions b/‎.claude/scripts/format.sh
Lines changed: 16 additions & 10 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 32 additions & 23 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 32 additions & 23 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 122 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 122 additions & 0 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go
Lines changed: 38 additions & 2 deletions b/‎coderd/database/dbgen/dbgen.go
Lines changed: 38 additions & 2 deletions
@@ -101,30 +101,36 @@ fi
 # Get the file extension to determine the appropriate formatter
 file_ext="${file_path##*.}"
 
+# Helper function to run formatter and handle errors
+run_formatter() {
+	local target="$1"
+	local file_type="$2"
+
+	if ! make FILE="$file_path" "$target"; then
+		echo "Error: Failed to format $file_type file: $file_path" >&2
+		exit 2
+	fi
+	echo "✓ Formatted $file_type file: $file_path"
+}
 # Change to the project root directory (where the Makefile is located)
 cd "$(dirname "$0")/../.."
 
 # Call the appropriate Makefile target based on file extension
 case "$file_ext" in
 go)
-	make fmt/go FILE="$file_path"
-	echo "✓ Formatted Go file: $file_path"
+	run_formatter "fmt/go" "Go"
 	;;
 js | jsx | ts | tsx)
-	make fmt/ts FILE="$file_path"
-	echo "✓ Formatted TypeScript/JavaScript file: $file_path"
+	run_formatter "fmt/ts" "TypeScript/JavaScript"
 	;;
 tf | tfvars)
-	make fmt/terraform FILE="$file_path"
-	echo "✓ Formatted Terraform file: $file_path"
+	run_formatter "fmt/terraform" "Terraform"
 	;;
 sh)
-	make fmt/shfmt FILE="$file_path"
-	echo "✓ Formatted shell script: $file_path"
+	run_formatter "fmt/shfmt" "shell script"
 	;;
 md)
-	make fmt/markdown FILE="$file_path"
-	echo "✓ Formatted Markdown file: $file_path"
+	run_formatter "fmt/markdown" "Markdown"
 	;;
 *)
 	echo "No formatter available for file extension: $file_ext"
 
@@ -984,7 +984,7 @@ func New(options *Options) *API {
 		r.Route("/device", func(r chi.Router) {
 			r.Post("/", api.postOAuth2DeviceAuthorization()) // RFC 8628 compliant endpoint
 			r.Route("/verify", func(r chi.Router) {
-				r.Use(apiKeyMiddleware)
+				r.Use(apiKeyMiddlewareRedirect)
 				r.Get("/", api.getOAuth2DeviceVerification())
 				r.Post("/", api.postOAuth2DeviceVerification())
 			})
 
@@ -417,6 +417,7 @@ var (
 					rbac.ResourceProvisionerJobs.Type:        {policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},
 					rbac.ResourceOauth2App.Type:              {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceOauth2AppSecret.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceOauth2AppCodeToken.Type:     {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -1346,6 +1347,14 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
 	return q.db.CleanTailnetTunnels(ctx)
 }
 
+func (q *querier) ConsumeOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
+	return updateWithReturn(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByPrefix, q.db.ConsumeOAuth2ProviderAppCodeByPrefix)(ctx, secretPrefix)
+}
+
+func (q *querier) ConsumeOAuth2ProviderDeviceCodeByPrefix(ctx context.Context, deviceCodePrefix string) (database.OAuth2ProviderDeviceCode, error) {
+	return updateWithReturn(q.log, q.auth, q.db.GetOAuth2ProviderDeviceCodeByPrefix, q.db.ConsumeOAuth2ProviderDeviceCodeByPrefix)(ctx, deviceCodePrefix)
+}
+
 func (q *querier) CountAuditLogs(ctx context.Context, arg database.CountAuditLogsParams) (int64, error) {
 	// Shortcut if the user is an owner. The SQL filter is noticeable,
 	// and this is an easy win for owners. Which is the common case.
@@ -1560,27 +1569,30 @@ func (q *querier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Contex
 	return q.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx, arg)
 }
 
-func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, threshold database.DeleteOldAuditLogConnectionEventsParams) error {
-	// `ResourceSystem` is deprecated, but it doesn't make sense to add
-	// `policy.ActionDelete` to `ResourceAuditLog`, since this is the one and
-	// only time we'll be deleting from the audit log.
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return err
-	}
-	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
-}
-
 func (q *querier) DeleteOAuth2ProviderDeviceCodeByID(ctx context.Context, id uuid.UUID) error {
 	// Fetch the device code first to check authorization
 	deviceCode, err := q.db.GetOAuth2ProviderDeviceCodeByID(ctx, id)
 	if err != nil {
-		return err
+		return xerrors.Errorf("get oauth2 provider device code: %w", err)
 	}
 	if err := q.authorizeContext(ctx, policy.ActionDelete, deviceCode); err != nil {
-		return err
+		return xerrors.Errorf("authorize oauth2 provider device code deletion: %w", err)
 	}
 
-	return q.db.DeleteOAuth2ProviderDeviceCodeByID(ctx, id)
+	if err := q.db.DeleteOAuth2ProviderDeviceCodeByID(ctx, id); err != nil {
+		return xerrors.Errorf("delete oauth2 provider device code: %w", err)
+	}
+	return nil
+}
+
+func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, threshold database.DeleteOldAuditLogConnectionEventsParams) error {
+	// `ResourceSystem` is deprecated, but it doesn't make sense to add
+	// `policy.ActionDelete` to `ResourceAuditLog`, since this is the one and
+	// only time we'll be deleting from the audit log.
+	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
+		return err
+	}
+	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
 }
 
 func (q *querier) DeleteOldNotificationMessages(ctx context.Context) error {
@@ -2359,8 +2371,8 @@ func (q *querier) GetOAuth2ProviderDeviceCodeByUserCode(ctx context.Context, use
 }
 
 func (q *querier) GetOAuth2ProviderDeviceCodesByClientID(ctx context.Context, clientID uuid.UUID) ([]database.OAuth2ProviderDeviceCode, error) {
-	// This requires access to read the OAuth2 app
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
+	// This requires access to read OAuth2 app code tokens
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppCodeToken); err != nil {
 		return []database.OAuth2ProviderDeviceCode{}, err
 	}
 	return q.db.GetOAuth2ProviderDeviceCodesByClientID(ctx, clientID)
@@ -3802,8 +3814,8 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
 }
 
 func (q *querier) InsertOAuth2ProviderDeviceCode(ctx context.Context, arg database.InsertOAuth2ProviderDeviceCodeParams) (database.OAuth2ProviderDeviceCode, error) {
-	// Creating device codes requires OAuth2 app access
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2App); err != nil {
+	// Creating device codes requires OAuth2 app code token creation access
+	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppCodeToken); err != nil {
 		return database.OAuth2ProviderDeviceCode{}, err
 	}
 	return q.db.InsertOAuth2ProviderDeviceCode(ctx, arg)
@@ -4482,13 +4494,10 @@ func (q *querier) UpdateOAuth2ProviderAppSecretByID(ctx context.Context, arg dat
 }
 
 func (q *querier) UpdateOAuth2ProviderDeviceCodeAuthorization(ctx context.Context, arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode, error) {
-	// Verify the user is authenticated for device code authorization
-	_, ok := ActorFromContext(ctx)
-	if !ok {
-		return database.OAuth2ProviderDeviceCode{}, ErrNoActor
+	fetch := func(ctx context.Context, arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode, error) {
+		return q.db.GetOAuth2ProviderDeviceCodeByID(ctx, arg.ID)
 	}
-
-	return q.db.UpdateOAuth2ProviderDeviceCodeAuthorization(ctx, arg)
+	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateOAuth2ProviderDeviceCodeAuthorization)(ctx, arg)
 }
 
 func (q *querier) UpdateOrganization(ctx context.Context, arg database.UpdateOrganizationParams) (database.Organization, error) {
 
@@ -5531,6 +5531,19 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppCodes() {
 			UserID: user.ID,
 		}).Asserts(rbac.ResourceOauth2AppCodeToken.WithOwner(user.ID.String()), policy.ActionDelete)
 	}))
+	s.Run("ConsumeOAuth2ProviderAppCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		user := dbgen.User(s.T(), db, database.User{})
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		// Use unique prefix to avoid test isolation issues
+		uniquePrefix := fmt.Sprintf("prefix-%s-%d", s.T().Name(), time.Now().UnixNano())
+		code := dbgen.OAuth2ProviderAppCode(s.T(), db, database.OAuth2ProviderAppCode{
+			SecretPrefix: []byte(uniquePrefix),
+			UserID:       user.ID,
+			AppID:        app.ID,
+			ExpiresAt:    time.Now().Add(24 * time.Hour), // Extended expiry for test stability
+		})
+		check.Args(code.SecretPrefix).Asserts(code, policy.ActionUpdate).Returns(code)
+	}))
 }
 
 func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
@@ -5606,6 +5619,115 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
 	}))
 }
 
+func (s *MethodTestSuite) TestOAuth2ProviderDeviceCodes() {
+	s.Run("InsertOAuth2ProviderDeviceCode", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		check.Args(database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "testpref",
+			DeviceCodeHash:   []byte("hash"),
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		}).Asserts(rbac.ResourceOauth2AppCodeToken, policy.ActionCreate)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodeByID", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "testpref",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.ID).Asserts(deviceCode, policy.ActionRead).Returns(deviceCode)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "testpref",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.DeviceCodePrefix).Asserts(deviceCode, policy.ActionRead).Returns(deviceCode)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodeByUserCode", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "testpref",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.UserCode).Asserts(deviceCode, policy.ActionRead).Returns(deviceCode)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodesByClientID", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "testpref",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(app.ID).Asserts(rbac.ResourceOauth2AppCodeToken, policy.ActionRead).Returns([]database.OAuth2ProviderDeviceCode{deviceCode})
+	}))
+	s.Run("ConsumeOAuth2ProviderDeviceCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		user := dbgen.User(s.T(), db, database.User{})
+		// Use unique identifiers to avoid test isolation issues
+		// Device code prefix must be exactly 8 characters
+		uniquePrefix := fmt.Sprintf("t%07d", time.Now().UnixNano()%10000000)
+		uniqueUserCode := fmt.Sprintf("USER%04d", time.Now().UnixNano()%10000)
+		// Create device code using dbgen (now available!)
+		deviceCode := dbgen.OAuth2ProviderDeviceCode(s.T(), db, database.OAuth2ProviderDeviceCode{
+			DeviceCodePrefix: uniquePrefix,
+			UserCode:         uniqueUserCode,
+			ClientID:         app.ID,
+			ExpiresAt:        time.Now().Add(24 * time.Hour), // Extended expiry for test stability
+		})
+		// Authorize the device code so it can be consumed
+		deviceCode, err := db.UpdateOAuth2ProviderDeviceCodeAuthorization(s.T().Context(), database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams{
+			ID:     deviceCode.ID,
+			UserID: uuid.NullUUID{UUID: user.ID, Valid: true},
+			Status: database.OAuth2DeviceStatusAuthorized,
+		})
+		require.NoError(s.T(), err)
+		require.Equal(s.T(), database.OAuth2DeviceStatusAuthorized, deviceCode.Status)
+		check.Args(uniquePrefix).Asserts(deviceCode, policy.ActionUpdate).Returns(deviceCode)
+	}))
+	s.Run("UpdateOAuth2ProviderDeviceCodeAuthorization", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		user := dbgen.User(s.T(), db, database.User{})
+		// Create device code using dbgen
+		deviceCode := dbgen.OAuth2ProviderDeviceCode(s.T(), db, database.OAuth2ProviderDeviceCode{
+			ClientID: app.ID,
+		})
+		require.Equal(s.T(), database.OAuth2DeviceStatusPending, deviceCode.Status)
+		check.Args(database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams{
+			ID:     deviceCode.ID,
+			UserID: uuid.NullUUID{UUID: user.ID, Valid: true},
+			Status: database.OAuth2DeviceStatusAuthorized,
+		}).Asserts(deviceCode, policy.ActionUpdate)
+	}))
+	s.Run("DeleteOAuth2ProviderDeviceCodeByID", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "testpref",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.ID).Asserts(deviceCode, policy.ActionDelete)
+	}))
+	s.Run("DeleteExpiredOAuth2ProviderDeviceCodes", s.Subtest(func(db database.Store, check *expects) {
+		check.Args().Asserts(rbac.ResourceSystem, policy.ActionDelete)
+	}))
+}
+
 func (s *MethodTestSuite) TestResourcesMonitor() {
 	createAgent := func(t *testing.T, db database.Store) (database.WorkspaceAgent, database.WorkspaceTable) {
 		t.Helper()
 
@@ -17,6 +17,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/sqlc-dev/pqtype"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
@@ -1246,7 +1247,7 @@ func OAuth2ProviderAppCode(t testing.TB, db database.Store, seed database.OAuth2
 	code, err := db.InsertOAuth2ProviderAppCode(genCtx, database.InsertOAuth2ProviderAppCodeParams{
 		ID:                  takeFirst(seed.ID, uuid.New()),
 		CreatedAt:           takeFirst(seed.CreatedAt, dbtime.Now()),
-		ExpiresAt:           takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:           takeFirst(seed.ExpiresAt, dbtime.Now().Add(24*time.Hour)),
 		SecretPrefix:        takeFirstSlice(seed.SecretPrefix, []byte("prefix")),
 		HashedSecret:        takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),
 		AppID:               takeFirst(seed.AppID, uuid.New()),
@@ -1263,7 +1264,7 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
 	token, err := db.InsertOAuth2ProviderAppToken(genCtx, database.InsertOAuth2ProviderAppTokenParams{
 		ID:          takeFirst(seed.ID, uuid.New()),
 		CreatedAt:   takeFirst(seed.CreatedAt, dbtime.Now()),
-		ExpiresAt:   takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:   takeFirst(seed.ExpiresAt, dbtime.Now().Add(24*time.Hour)),
 		HashPrefix:  takeFirstSlice(seed.HashPrefix, []byte("prefix")),
 		RefreshHash: takeFirstSlice(seed.RefreshHash, []byte("hashed-secret")),
 		AppSecretID: takeFirst(seed.AppSecretID, uuid.New()),
@@ -1275,6 +1276,26 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
 	return token
 }
 
+func OAuth2ProviderDeviceCode(t testing.TB, db database.Store, seed database.OAuth2ProviderDeviceCode) database.OAuth2ProviderDeviceCode {
+	t.Helper()
+	deviceCode, err := db.InsertOAuth2ProviderDeviceCode(genCtx, database.InsertOAuth2ProviderDeviceCodeParams{
+		ID:                      takeFirst(seed.ID, uuid.New()),
+		CreatedAt:               takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:               takeFirst(seed.ExpiresAt, dbtime.Now().Add(24*time.Hour)),
+		DeviceCodeHash:          takeFirstSlice(seed.DeviceCodeHash, []byte("device-hash")),
+		DeviceCodePrefix:        takeFirst(seed.DeviceCodePrefix, testutil.GetRandomName(t)[:8]),
+		UserCode:                takeFirst(seed.UserCode, generateValidUserCode()),
+		ClientID:                takeFirst(seed.ClientID, uuid.New()),
+		VerificationUri:         takeFirst(seed.VerificationUri, "https://example.com/device"),
+		VerificationUriComplete: seed.VerificationUriComplete,
+		Scope:                   seed.Scope,
+		ResourceUri:             seed.ResourceUri,
+		PollingInterval:         takeFirst(seed.PollingInterval, 5),
+	})
+	assert.NoError(t, err, "insert oauth2 device code")
+	return deviceCode
+}
+
 func WorkspaceAgentMemoryResourceMonitor(t testing.TB, db database.Store, seed database.WorkspaceAgentMemoryResourceMonitor) database.WorkspaceAgentMemoryResourceMonitor {
 	monitor, err := db.InsertMemoryResourceMonitor(genCtx, database.InsertMemoryResourceMonitorParams{
 		AgentID:        takeFirst(seed.AgentID, uuid.New()),
@@ -1515,3 +1536,18 @@ func generateCryptoKey(length int) (string, error) {
 	}
 	return hex.EncodeToString(b), nil
 }
+
+// generateValidUserCode creates RFC 8628 compliant user codes for OAuth2 device authorization.
+// Returns an 8-character alphanumeric code (6-8 chars as per RFC) using user-friendly characters
+// that exclude confusing characters like 0/O and 1/I for better user experience.
+func generateValidUserCode() string {
+	// Character set excluding confusing chars: 0/O, 1/I/L
+	chars := "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
+	code := make([]byte, 8)
+	for i := range code {
+		randomIndex := make([]byte, 1)
+		rand.Read(randomIndex)
+		code[i] = chars[int(randomIndex[0])%len(chars)]
+	}
+	return string(code)
+}