PR feedback

Emyrk · Emyrk · commit 37aa4c093714 · 2025-12-12T11:31:40.000-06:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -24,7 +24,6 @@ import (
 	"github.com/coder/coder/v2/coderd/oauth2provider"
 	"github.com/coder/coder/v2/coderd/pproflabel"
 	"github.com/coder/coder/v2/coderd/prebuilds"
-	"github.com/coder/coder/v2/coderd/promoauth"
 	"github.com/coder/coder/v2/coderd/usage"
 	"github.com/coder/coder/v2/coderd/wsbuilder"
 
@@ -1291,7 +1290,7 @@ func New(options *Options) *API {
 					r.Route("/github", func(r chi.Router) {
 						r.Use(
 							// Github supports PKCE S256
-							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil, []promoauth.Oauth2PKCEChallengeMethod{promoauth.PKCEChallengeMethodSha256}),
+							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil, options.GithubOAuth2Config.PKCESupported()),
 						)
 						r.Get("/callback", api.userOAuth2Github)
 					})
diff --git a/coderd/coderdtest/oidctest/idp.go b/coderd/coderdtest/oidctest/idp.go
@@ -169,7 +169,7 @@ type FakeIDP struct {
 	// clientID to be used by coderd
 	clientID     string
 	clientSecret string
-	pkce         bool // TODO: Implement for refresh token flow as well
+	pkce         bool // TODO(Emyrk): Implement for refresh token flow as well
 	// externalProviderID is optional to match the provider in coderd for
 	// redirectURLs.
 	externalProviderID string
@@ -1054,13 +1054,17 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 			if f.pkce {
 				challenge, ok := f.codeToChallengeMap.Load(code)
 				if !ok {
-					httpError(rw, http.StatusBadRequest, xerrors.New("code challenge not found for code"))
+					httpError(rw, http.StatusBadRequest, xerrors.New("pkce: challenge not found for code"))
 					return
 				}
 				codeVerifier := values.Get("code_verifier")
+				if codeVerifier == "" {
+					httpError(rw, http.StatusBadRequest, xerrors.New("pkce: missing code_verifier"))
+					return
+				}
 				expecter := oauth2.S256ChallengeFromVerifier(codeVerifier)
 				if challenge != expecter {
-					httpError(rw, http.StatusBadRequest, xerrors.New("invalid code verifier"))
+					httpError(rw, http.StatusBadRequest, xerrors.New("pkce: invalid code verifier"))
 					return
 				}
 			}
diff --git a/coderd/externalauth/externalauth.go b/coderd/externalauth/externalauth.go
@@ -895,7 +895,7 @@ func bitbucketServerDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exter
 		DisplayName: "Bitbucket Server",
 		Scopes:      []string{"PUBLIC_REPOS", "REPO_READ", "REPO_WRITE"},
 		DisplayIcon: "/icon/bitbucket.svg",
-		// TODO: PKCE support? Test 'S256' as the string value
+		// TODO: Investigate if 'S256' is accepted and PKCE is supported
 		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	}
 	// Bitbucket servers will have some base url, e.g. https://bitbucket.coder.com.
@@ -975,7 +975,7 @@ func jfrogArtifactoryDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exte
 		DisplayName: "JFrog Artifactory",
 		Scopes:      []string{"applied-permissions/user"},
 		DisplayIcon: "/icon/jfrog.svg",
-		// TODO: PKCE support? Test 'S256' as the string value
+		// TODO: Investigate if 'S256' is accepted and PKCE is supported
 		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	}
 	// Artifactory servers will have some base url, e.g. https://jfrog.coder.com.
@@ -1047,7 +1047,7 @@ func azureDevopsEntraDefaults(config *codersdk.ExternalAuthConfig) codersdk.Exte
 		DisplayName: "Azure DevOps (Entra)",
 		DisplayIcon: "/icon/azure-devops.svg",
 		Regex:       `^(https?://)?dev\.azure\.com(/.*)?$`,
-		// TODO: PKCE support? Test 'S256' as the string value
+		// TODO: Investigate if 'S256' is accepted and PKCE is supported
 		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	}
 	// The tenant ID is required for urls and is in the auth url.
@@ -1087,7 +1087,7 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		DisplayIcon: "/icon/azure-devops.svg",
 		Regex:       `^(https?://)?dev\.azure\.com(/.*)?$`,
 		Scopes:      []string{"vso.code_write"},
-		// TODO: PKCE support? Test 'S256' as the string value
+		// TODO: Investigate if 'S256' is accepted and PKCE is supported
 		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	},
 	codersdk.EnhancedExternalAuthProviderBitBucketCloud: {
@@ -1098,7 +1098,7 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		DisplayIcon: "/icon/bitbucket.svg",
 		Regex:       `^(https?://)?bitbucket\.org(/.*)?$`,
 		Scopes:      []string{"account", "repository:write"},
-		// TODO: PKCE support? Test 'S256' as the string value
+		// TODO: Investigate if 'S256' is accepted and PKCE is supported
 		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	},
 	codersdk.EnhancedExternalAuthProviderSlack: {
@@ -1109,7 +1109,7 @@ var staticDefaults = map[codersdk.EnhancedExternalAuthProvider]codersdk.External
 		DisplayIcon: "/icon/slack.svg",
 		// See: https://api.slack.com/authentication/oauth-v2#exchanging
 		ExtraTokenKeys: []string{"authed_user"},
-		// TODO: PKCE support? Test 'S256' as the string value
+		// TODO: Investigate if 'S256' is accepted and PKCE is supported
 		CodeChallengeMethodsSupported: []string{string(promoauth.PKCEChallengeMethodNone)},
 	},
 }
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -770,6 +770,10 @@ type GithubOAuth2Config struct {
 	DefaultProviderConfigured bool
 }
 
+func (*GithubOAuth2Config) PKCESupported() []promoauth.Oauth2PKCEChallengeMethod {
+	return []promoauth.Oauth2PKCEChallengeMethod{promoauth.PKCEChallengeMethodSha256}
+}
+
 func (c *GithubOAuth2Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
 	if !c.DeviceFlowEnabled {
 		return c.OAuth2Config.Exchange(ctx, code, opts...)
