rename cookie from challenge to verifier

Emyrk · Emyrk · commit 263b92504dea · 2025-12-12T11:34:11.000-06:00
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
@@ -146,7 +146,7 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, cookieCfg
 					authOpts = append(authOpts, oauth2.S256ChallengeOption(verifier))
 
 					http.SetCookie(rw, cookieCfg.Apply(&http.Cookie{
-						Name:     codersdk.OAuth2PKCEChallenge,
+						Name:     codersdk.OAuth2PKCEVerifier,
 						Value:    verifier,
 						Path:     "/",
 						HttpOnly: true,
@@ -185,14 +185,14 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, cookieCfg
 
 			exchangeOpts := make([]oauth2.AuthCodeOption, 0)
 			if sha256PKCESupported {
-				pkceChallenge, err := r.Cookie(codersdk.OAuth2PKCEChallenge)
+				pkceVerifier, err := r.Cookie(codersdk.OAuth2PKCEVerifier)
 				if err != nil {
 					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 						Message: "PKCE challenge must be provided.",
 					})
 					return
 				}
-				exchangeOpts = append(exchangeOpts, oauth2.VerifierOption(pkceChallenge.Value))
+				exchangeOpts = append(exchangeOpts, oauth2.VerifierOption(pkceVerifier.Value))
 			}
 
 			oauthToken, err := config.Exchange(ctx, code, exchangeOpts...)
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -1018,7 +1018,7 @@ func TestUserOAuth2Github(t *testing.T) {
 			Value: "somestate",
 		})
 		req.AddCookie(&http.Cookie{
-			Name:  codersdk.OAuth2PKCEChallenge,
+			Name:  codersdk.OAuth2PKCEVerifier,
 			Value: oauth2.GenerateVerifier(),
 		})
 		require.NoError(t, err)
@@ -2465,7 +2465,7 @@ func oauth2Callback(t *testing.T, client *codersdk.Client, opts ...func(*http.Re
 		Value: state,
 	})
 	req.AddCookie(&http.Cookie{
-		Name:  codersdk.OAuth2PKCEChallenge,
+		Name:  codersdk.OAuth2PKCEVerifier,
 		Value: oauth2.GenerateVerifier(),
 	})
 	res, err := client.HTTPClient.Do(req)
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -38,8 +38,10 @@ const (
 	SessionTokenHeader = "Coder-Session-Token"
 	// OAuth2StateCookie is the name of the cookie that stores the oauth2 state.
 	OAuth2StateCookie = "oauth_state"
-
-	OAuth2PKCEChallenge = "oauth_pkce_challenge"
+	// OAuth2PKCEVerifier is the name of the cookie that stores the oauth2 PKCE
+	// verifier. This is the raw verifier that when hashed, will match the challenge
+	// sent in the initial oauth2 request.
+	OAuth2PKCEVerifier = "oauth_pkce_verifier"
 	// OAuth2RedirectCookie is the name of the cookie that stores the oauth2 redirect.
 	OAuth2RedirectCookie = "oauth_redirect"
 
