coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go‎
Lines changed: 16 additions & 10 deletions b/‎coderd/database/dbauthz/dbauthz.go‎
Lines changed: 16 additions & 10 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go‎
Lines changed: 117 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 21 additions & 2 deletions b/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎coderd/database/dbmetrics/querymetrics.go‎
Lines changed: 14 additions & 0 deletions b/‎coderd/database/dbmetrics/querymetrics.go‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go‎
Lines changed: 30 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎coderd/database/migrations/testdata/fixtures/000349_oauth2_device_codes.up.sql‎
Lines changed: 20 additions & 0 deletions b/‎coderd/database/migrations/testdata/fixtures/000349_oauth2_device_codes.up.sql‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/database/querier.go‎
Lines changed: 2 additions & 0 deletions b/‎coderd/database/querier.go‎
Lines changed: 2 additions & 0 deletions
@@ -399,6 +399,7 @@ var (
 					rbac.ResourceProvisionerJobs.Type:        {policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},
 					rbac.ResourceOauth2App.Type:              {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceOauth2AppSecret.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceOauth2AppCodeToken.Type:     {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -1324,6 +1325,14 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
 	return q.db.CleanTailnetTunnels(ctx)
 }
 
+func (q *querier) ConsumeOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
+	return updateWithReturn(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByPrefix, q.db.ConsumeOAuth2ProviderAppCodeByPrefix)(ctx, secretPrefix)
+}
+
+func (q *querier) ConsumeOAuth2ProviderDeviceCodeByPrefix(ctx context.Context, deviceCodePrefix string) (database.OAuth2ProviderDeviceCode, error) {
+	return updateWithReturn(q.log, q.auth, q.db.GetOAuth2ProviderDeviceCodeByPrefix, q.db.ConsumeOAuth2ProviderDeviceCodeByPrefix)(ctx, deviceCodePrefix)
+}
+
 func (q *querier) CountAuditLogs(ctx context.Context, arg database.CountAuditLogsParams) (int64, error) {
 	// Shortcut if the user is an owner. The SQL filter is noticeable,
 	// and this is an easy win for owners. Which is the common case.
@@ -2301,8 +2310,8 @@ func (q *querier) GetOAuth2ProviderDeviceCodeByUserCode(ctx context.Context, use
 }
 
 func (q *querier) GetOAuth2ProviderDeviceCodesByClientID(ctx context.Context, clientID uuid.UUID) ([]database.OAuth2ProviderDeviceCode, error) {
-	// This requires access to read the OAuth2 app
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
+	// This requires access to read OAuth2 app code tokens
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppCodeToken); err != nil {
 		return []database.OAuth2ProviderDeviceCode{}, err
 	}
 	return q.db.GetOAuth2ProviderDeviceCodesByClientID(ctx, clientID)
@@ -3752,8 +3761,8 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
 }
 
 func (q *querier) InsertOAuth2ProviderDeviceCode(ctx context.Context, arg database.InsertOAuth2ProviderDeviceCodeParams) (database.OAuth2ProviderDeviceCode, error) {
-	// Creating device codes requires OAuth2 app access
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2App); err != nil {
+	// Creating device codes requires OAuth2 app code token creation access
+	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppCodeToken); err != nil {
 		return database.OAuth2ProviderDeviceCode{}, err
 	}
 	return q.db.InsertOAuth2ProviderDeviceCode(ctx, arg)
@@ -4432,13 +4441,10 @@ func (q *querier) UpdateOAuth2ProviderAppSecretByID(ctx context.Context, arg dat
 }
 
 func (q *querier) UpdateOAuth2ProviderDeviceCodeAuthorization(ctx context.Context, arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode, error) {
-	// Verify the user is authenticated for device code authorization
-	_, ok := ActorFromContext(ctx)
-	if !ok {
-		return database.OAuth2ProviderDeviceCode{}, ErrNoActor
+	fetch := func(ctx context.Context, arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode, error) {
+		return q.db.GetOAuth2ProviderDeviceCodeByID(ctx, arg.ID)
 	}
-
-	return q.db.UpdateOAuth2ProviderDeviceCodeAuthorization(ctx, arg)
+	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateOAuth2ProviderDeviceCodeAuthorization)(ctx, arg)
 }
 
 func (q *querier) UpdateOrganization(ctx context.Context, arg database.UpdateOrganizationParams) (database.Organization, error) {
 
@@ -5423,6 +5423,19 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppCodes() {
 			UserID: user.ID,
 		}).Asserts(rbac.ResourceOauth2AppCodeToken.WithOwner(user.ID.String()), policy.ActionDelete)
 	}))
+	s.Run("ConsumeOAuth2ProviderAppCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		user := dbgen.User(s.T(), db, database.User{})
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		// Use unique prefix to avoid test isolation issues
+		uniquePrefix := fmt.Sprintf("prefix-%s-%d", s.T().Name(), time.Now().UnixNano())
+		code := dbgen.OAuth2ProviderAppCode(s.T(), db, database.OAuth2ProviderAppCode{
+			SecretPrefix: []byte(uniquePrefix),
+			UserID:       user.ID,
+			AppID:        app.ID,
+			ExpiresAt:    time.Now().Add(24 * time.Hour), // Extended expiry for test stability
+		})
+		check.Args(code.SecretPrefix).Asserts(code, policy.ActionUpdate).Returns(code)
+	}))
 }
 
 func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
@@ -5498,6 +5511,110 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
 	}))
 }
 
+func (s *MethodTestSuite) TestOAuth2ProviderDeviceCodes() {
+	s.Run("InsertOAuth2ProviderDeviceCode", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		check.Args(database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID: app.ID,
+		}).Asserts(rbac.ResourceOauth2AppCodeToken, policy.ActionCreate)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodeByID", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "test-prefix",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.ID).Asserts(deviceCode, policy.ActionRead).Returns(deviceCode)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "test-prefix",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.DeviceCodePrefix).Asserts(deviceCode, policy.ActionRead).Returns(deviceCode)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodeByUserCode", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "test-prefix",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.UserCode).Asserts(deviceCode, policy.ActionRead).Returns(deviceCode)
+	}))
+	s.Run("GetOAuth2ProviderDeviceCodesByClientID", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "test-prefix",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(app.ID).Asserts(rbac.ResourceOauth2AppCodeToken, policy.ActionRead).Returns([]database.OAuth2ProviderDeviceCode{deviceCode})
+	}))
+	s.Run("ConsumeOAuth2ProviderDeviceCodeByPrefix", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		user := dbgen.User(s.T(), db, database.User{})
+		// Use unique identifiers to avoid test isolation issues
+		uniquePrefix := fmt.Sprintf("dev-prefix-%s-%d", s.T().Name(), time.Now().UnixNano())
+		uniqueUserCode := fmt.Sprintf("USER%s-%d", s.T().Name(), time.Now().UnixNano())
+		// Create device code using dbgen (now available!)
+		deviceCode := dbgen.OAuth2ProviderDeviceCode(s.T(), db, database.OAuth2ProviderDeviceCode{
+			DeviceCodePrefix: uniquePrefix,
+			UserCode:         uniqueUserCode,
+			ClientID:         app.ID,
+			ExpiresAt:        time.Now().Add(24 * time.Hour), // Extended expiry for test stability
+		})
+		// Authorize the device code so it can be consumed
+		deviceCode, err := db.UpdateOAuth2ProviderDeviceCodeAuthorization(s.T().Context(), database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams{
+			ID:     deviceCode.ID,
+			UserID: uuid.NullUUID{UUID: user.ID, Valid: true},
+			Status: database.OAuth2DeviceStatusAuthorized,
+		})
+		require.NoError(s.T(), err)
+		require.Equal(s.T(), database.OAuth2DeviceStatusAuthorized, deviceCode.Status)
+		check.Args(uniquePrefix).Asserts(deviceCode, policy.ActionUpdate).Returns(deviceCode)
+	}))
+	s.Run("UpdateOAuth2ProviderDeviceCodeAuthorization", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		user := dbgen.User(s.T(), db, database.User{})
+		// Create device code using dbgen
+		deviceCode := dbgen.OAuth2ProviderDeviceCode(s.T(), db, database.OAuth2ProviderDeviceCode{
+			ClientID: app.ID,
+		})
+		require.Equal(s.T(), database.OAuth2DeviceStatusPending, deviceCode.Status)
+		check.Args(database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams{
+			ID:     deviceCode.ID,
+			UserID: uuid.NullUUID{UUID: user.ID, Valid: true},
+			Status: database.OAuth2DeviceStatusAuthorized,
+		}).Asserts(deviceCode, policy.ActionUpdate)
+	}))
+	s.Run("DeleteOAuth2ProviderDeviceCodeByID", s.Subtest(func(db database.Store, check *expects) {
+		app := dbgen.OAuth2ProviderApp(s.T(), db, database.OAuth2ProviderApp{})
+		deviceCode, err := db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
+			ClientID:         app.ID,
+			DeviceCodePrefix: "test-prefix",
+			UserCode:         "TEST1234",
+			VerificationUri:  "http://example.com/device",
+		})
+		require.NoError(s.T(), err)
+		check.Args(deviceCode.ID).Asserts(deviceCode, policy.ActionDelete)
+	}))
+	s.Run("DeleteExpiredOAuth2ProviderDeviceCodes", s.Subtest(func(db database.Store, check *expects) {
+		check.Args().Asserts(rbac.ResourceSystem, policy.ActionDelete)
+	}))
+}
+
 func (s *MethodTestSuite) TestResourcesMonitor() {
 	createAgent := func(t *testing.T, db database.Store) (database.WorkspaceAgent, database.WorkspaceTable) {
 		t.Helper()
 
@@ -1199,7 +1199,7 @@ func OAuth2ProviderAppCode(t testing.TB, db database.Store, seed database.OAuth2
 	code, err := db.InsertOAuth2ProviderAppCode(genCtx, database.InsertOAuth2ProviderAppCodeParams{
 		ID:                  takeFirst(seed.ID, uuid.New()),
 		CreatedAt:           takeFirst(seed.CreatedAt, dbtime.Now()),
-		ExpiresAt:           takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:           takeFirst(seed.ExpiresAt, dbtime.Now().Add(24*time.Hour)),
 		SecretPrefix:        takeFirstSlice(seed.SecretPrefix, []byte("prefix")),
 		HashedSecret:        takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),
 		AppID:               takeFirst(seed.AppID, uuid.New()),
@@ -1216,7 +1216,7 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
 	token, err := db.InsertOAuth2ProviderAppToken(genCtx, database.InsertOAuth2ProviderAppTokenParams{
 		ID:          takeFirst(seed.ID, uuid.New()),
 		CreatedAt:   takeFirst(seed.CreatedAt, dbtime.Now()),
-		ExpiresAt:   takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:   takeFirst(seed.ExpiresAt, dbtime.Now().Add(24*time.Hour)),
 		HashPrefix:  takeFirstSlice(seed.HashPrefix, []byte("prefix")),
 		RefreshHash: takeFirstSlice(seed.RefreshHash, []byte("hashed-secret")),
 		AppSecretID: takeFirst(seed.AppSecretID, uuid.New()),
@@ -1228,6 +1228,25 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
 	return token
 }
 
+func OAuth2ProviderDeviceCode(t testing.TB, db database.Store, seed database.OAuth2ProviderDeviceCode) database.OAuth2ProviderDeviceCode {
+	deviceCode, err := db.InsertOAuth2ProviderDeviceCode(genCtx, database.InsertOAuth2ProviderDeviceCodeParams{
+		ID:                      takeFirst(seed.ID, uuid.New()),
+		CreatedAt:               takeFirst(seed.CreatedAt, dbtime.Now()),
+		ExpiresAt:               takeFirst(seed.ExpiresAt, dbtime.Now().Add(24*time.Hour)),
+		DeviceCodeHash:          takeFirstSlice(seed.DeviceCodeHash, []byte("device-hash")),
+		DeviceCodePrefix:        takeFirst(seed.DeviceCodePrefix, testutil.GetRandomName(t)),
+		UserCode:                takeFirst(seed.UserCode, testutil.GetRandomName(t)),
+		ClientID:                takeFirst(seed.ClientID, uuid.New()),
+		VerificationUri:         takeFirst(seed.VerificationUri, "https://example.com/device"),
+		VerificationUriComplete: seed.VerificationUriComplete,
+		Scope:                   seed.Scope,
+		ResourceUri:             seed.ResourceUri,
+		PollingInterval:         takeFirst(seed.PollingInterval, 5),
+	})
+	require.NoError(t, err, "insert oauth2 device code")
+	return deviceCode
+}
+
 func WorkspaceAgentMemoryResourceMonitor(t testing.TB, db database.Store, seed database.WorkspaceAgentMemoryResourceMonitor) database.WorkspaceAgentMemoryResourceMonitor {
 	monitor, err := db.InsertMemoryResourceMonitor(genCtx, database.InsertMemoryResourceMonitorParams{
 		AgentID:        takeFirst(seed.AgentID, uuid.New()),
 
@@ -0,0 +1,20 @@
+INSERT INTO oauth2_provider_device_codes (
+    id, created_at, expires_at, device_code_hash, device_code_prefix,
+    user_code, client_id, user_id, status, verification_uri,
+    verification_uri_complete, scope, resource_uri, polling_interval
+) VALUES (
+    'c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+    '2023-06-15 10:23:54+00',
+    '2023-06-15 10:33:54+00',
+    CAST('abcdefg123' AS bytea),
+    'abcdefg1',
+    'ABCD1234',
+    'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+    '0ed9befc-4911-4ccf-a8e2-559bf72daa94',
+    'pending',
+    'http://coder.com/oauth2/device',
+    'http://coder.com/oauth2/device?user_code=ABCD1234',
+    'read:user',
+    'http://coder.com/api',
+    5
+);