fix: return 404 instead of 401 for missing OAuth2 apps in management API

ThomasK33 · ThomasK33 · commit 7fac49dfb070 · 2025-07-04T15:32:15.000+02:00
This prevents users from being logged out when deleting OAuth2 apps.
The frontend interceptor triggers logout on 401 responses, but React Query
refetches deleted apps and should get 404, not 401.

Also adds conditional OAuth2 navigation when experiment is enabled.

Change-Id: I48886144883539b7c51307f2a500f95be31dd383
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/.claude/scripts/format.sh b/.claude/scripts/format.sh
@@ -6,13 +6,70 @@
 
 set -euo pipefail
 
+# canonicalize_path resolves a path to its absolute, canonical form.
+# It tries 'realpath', 'readlink -f', 'python3', 'python', or 'perl' in order.
+# If none of these are available, it returns an empty string.
+canonicalize_path() {
+	local path_to_resolve="$1"
+	local resolved_path=""
+
+	if command -v realpath >/dev/null 2>&1; then
+		resolved_path="$(realpath "$path_to_resolve" 2>/dev/null)"
+	elif command -v readlink >/dev/null 2>&1 && readlink -f . >/dev/null 2>&1; then
+		resolved_path="$(readlink -f "$path_to_resolve" 2>/dev/null)"
+	elif command -v python3 >/dev/null 2>&1; then
+		resolved_path="$(python3 -c "import os, sys; print(os.path.realpath(sys.argv[1]))" "$path_to_resolve" 2>/dev/null)"
+	elif command -v python >/dev/null 2>&1; then
+		resolved_path="$(python -c "import os, sys; print(os.path.realpath(sys.argv[1]))" "$path_to_resolve" 2>/dev/null)"
+	elif command -v perl >/dev/null 2>&1; then
+		resolved_path="$(perl -e 'use Cwd "abs_path"; print abs_path(shift)' "$path_to_resolve" 2>/dev/null)"
+	fi
+	echo "$resolved_path"
+}
+
 # Read JSON input from stdin
 input=$(cat)
 
 # Extract the file path from the JSON input
 # Expected format: {"tool_input": {"file_path": "/absolute/path/to/file"}} or {"tool_response": {"filePath": "/absolute/path/to/file"}}
 file_path=$(echo "$input" | jq -r '.tool_input.file_path // .tool_response.filePath // empty')
 
+# Secure path canonicalization to prevent path traversal attacks
+# Resolve repo root to an absolute, canonical path.
+repo_root_raw="$(cd "$(dirname "$0")/../.." && pwd)"
+repo_root="$(canonicalize_path "$repo_root_raw")"
+if [[ -z "$repo_root" ]]; then
+	# Fallback if canonicalization fails
+	repo_root="$repo_root_raw"
+fi
+
+# Resolve the input path to an absolute path
+if [[ "$file_path" = /* ]]; then
+	# Already absolute
+	abs_file_path="$file_path"
+else
+	# Make relative paths absolute from repo root
+	abs_file_path="$repo_root/$file_path"
+fi
+
+# Canonicalize the path (resolve symlinks and ".." segments)
+canonical_file_path="$(canonicalize_path "$abs_file_path")"
+
+# Check if canonicalization failed or if the resolved path is outside the repo
+if [[ -z "$canonical_file_path" ]] || { [[ "$canonical_file_path" != "$repo_root" ]] && [[ "$canonical_file_path" != "$repo_root"/* ]]; }; then
+	echo "Error: File path is outside repository or invalid: $file_path" >&2
+	exit 1
+fi
+
+# Handle the case where the file path is the repository root itself.
+if [[ "$canonical_file_path" == "$repo_root" ]]; then
+	echo "Warning: Formatting the repository root is not a supported operation. Skipping." >&2
+	exit 0
+fi
+
+# Convert back to relative path from repo root for consistency
+file_path="${canonical_file_path#"$repo_root"/}"
+
 if [[ -z "$file_path" ]]; then
 	echo "Error: No file path provided in input" >&2
 	exit 1
diff --git a/.mcp.json b/.mcp.json
@@ -1,36 +1,36 @@
 {
-	"mcpServers": {
-		"go-language-server": {
-			"type": "stdio",
-			"command": "go",
-			"args": [
-				"run",
-				"github.com/isaacphi/mcp-language-server@latest",
-				"-workspace",
-				"./",
-				"-lsp",
-				"go",
-				"--",
-				"run",
-				"golang.org/x/tools/gopls@latest"
-			],
-			"env": {}
-		},
-		"typescript-language-server": {
-			"type": "stdio",
-			"command": "go",
-			"args": [
-				"run",
-				"github.com/isaacphi/mcp-language-server@latest",
-				"-workspace",
-				"./site/",
-				"-lsp",
-				"pnpx",
-				"--",
-				"typescript-language-server",
-				"--stdio"
-			],
-			"env": {}
-		}
-	}
-}
+  "mcpServers": {
+    "go-language-server": {
+      "type": "stdio",
+      "command": "go",
+      "args": [
+        "run",
+        "github.com/isaacphi/mcp-language-server@latest",
+        "-workspace",
+        "./",
+        "-lsp",
+        "go",
+        "--",
+        "run",
+        "golang.org/x/tools/gopls@latest"
+      ],
+      "env": {}
+    },
+    "typescript-language-server": {
+      "type": "stdio",
+      "command": "go",
+      "args": [
+        "run",
+        "github.com/isaacphi/mcp-language-server@latest",
+        "-workspace",
+        "./site/",
+        "-lsp",
+        "pnpx",
+        "--",
+        "typescript-language-server",
+        "--stdio"
+      ],
+      "env": {}
+    }
+  }
+}
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
@@ -225,7 +225,7 @@ func ExtractOAuth2ProviderAppWithOAuth2Errors(db database.Store) func(http.Handl
 type errorWriter interface {
 	writeMissingClientID(ctx context.Context, rw http.ResponseWriter)
 	writeInvalidClientID(ctx context.Context, rw http.ResponseWriter, err error)
-	writeInvalidClient(ctx context.Context, rw http.ResponseWriter)
+	writeClientNotFound(ctx context.Context, rw http.ResponseWriter)
 }
 
 // codersdkErrorWriter writes standard codersdk errors for general API endpoints
@@ -244,9 +244,13 @@ func (*codersdkErrorWriter) writeInvalidClientID(ctx context.Context, rw http.Re
 	})
 }
 
-func (*codersdkErrorWriter) writeInvalidClient(ctx context.Context, rw http.ResponseWriter) {
-	httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-		Message: "Invalid OAuth2 client.",
+func (*codersdkErrorWriter) writeClientNotFound(ctx context.Context, rw http.ResponseWriter) {
+	// Management API endpoints return 404 for missing OAuth2 apps (proper REST semantics).
+	// This differs from OAuth2 protocol endpoints which return 401 "invalid_client" per RFC 6749.
+	// Returning 401 here would trigger the frontend's automatic logout interceptor when React Query
+	// refetches a deleted app, incorrectly logging out users who just deleted their own OAuth2 apps.
+	httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
+		Message: "OAuth2 application not found.",
 	})
 }
 
@@ -261,7 +265,7 @@ func (*oauth2ErrorWriter) writeInvalidClientID(ctx context.Context, rw http.Resp
 	httpapi.WriteOAuth2Error(ctx, rw, http.StatusUnauthorized, "invalid_client", "The client credentials are invalid")
 }
 
-func (*oauth2ErrorWriter) writeInvalidClient(ctx context.Context, rw http.ResponseWriter) {
+func (*oauth2ErrorWriter) writeClientNotFound(ctx context.Context, rw http.ResponseWriter) {
 	httpapi.WriteOAuth2Error(ctx, rw, http.StatusUnauthorized, "invalid_client", "The client credentials are invalid")
 }
 
@@ -308,7 +312,7 @@ func extractOAuth2ProviderAppBase(db database.Store, errWriter errorWriter) func
 
 			app, err := db.GetOAuth2ProviderAppByID(ctx, appID)
 			if httpapi.Is404Error(err) {
-				errWriter.writeInvalidClient(ctx, rw)
+				errWriter.writeClientNotFound(ctx, rw)
 				return
 			}
 			if err != nil {
diff --git a/site/src/modules/dashboard/DashboardProvider.tsx b/site/src/modules/dashboard/DashboardProvider.tsx
@@ -1,9 +1,11 @@
 import { appearance } from "api/queries/appearance";
+import { buildInfo } from "api/queries/buildInfo";
 import { entitlements } from "api/queries/entitlements";
 import { experiments } from "api/queries/experiments";
 import { organizations } from "api/queries/organizations";
 import type {
 	AppearanceConfig,
+	BuildInfoResponse,
 	Entitlements,
 	Experiment,
 	Organization,
@@ -21,6 +23,7 @@ export interface DashboardValue {
 	entitlements: Entitlements;
 	experiments: Experiment[];
 	appearance: AppearanceConfig;
+	buildInfo: BuildInfoResponse;
 	organizations: readonly Organization[];
 	showOrganizations: boolean;
 	canViewOrganizationSettings: boolean;
@@ -36,12 +39,14 @@ export const DashboardProvider: FC<PropsWithChildren> = ({ children }) => {
 	const entitlementsQuery = useQuery(entitlements(metadata.entitlements));
 	const experimentsQuery = useQuery(experiments(metadata.experiments));
 	const appearanceQuery = useQuery(appearance(metadata.appearance));
+	const buildInfoQuery = useQuery(buildInfo(metadata["build-info"]));
 	const organizationsQuery = useQuery(organizations());
 
 	const error =
 		entitlementsQuery.error ||
 		appearanceQuery.error ||
 		experimentsQuery.error ||
+		buildInfoQuery.error ||
 		organizationsQuery.error;
 
 	if (error) {
@@ -52,6 +57,7 @@ export const DashboardProvider: FC<PropsWithChildren> = ({ children }) => {
 		!entitlementsQuery.data ||
 		!appearanceQuery.data ||
 		!experimentsQuery.data ||
+		!buildInfoQuery.data ||
 		!organizationsQuery.data;
 
 	if (isLoading) {
@@ -70,6 +76,7 @@ export const DashboardProvider: FC<PropsWithChildren> = ({ children }) => {
 				entitlements: entitlementsQuery.data,
 				experiments: experimentsQuery.data,
 				appearance: appearanceQuery.data,
+				buildInfo: buildInfoQuery.data,
 				organizations: organizationsQuery.data,
 				showOrganizations,
 				canViewOrganizationSettings:
diff --git a/site/src/modules/management/DeploymentSidebar.tsx b/site/src/modules/management/DeploymentSidebar.tsx
@@ -8,7 +8,8 @@ import { DeploymentSidebarView } from "./DeploymentSidebarView";
  */
 export const DeploymentSidebar: FC = () => {
 	const { permissions } = useAuthenticated();
-	const { entitlements, showOrganizations } = useDashboard();
+	const { entitlements, showOrganizations, experiments, buildInfo } =
+		useDashboard();
 	const hasPremiumLicense =
 		entitlements.features.multiple_organizations.enabled;
 
@@ -17,6 +18,8 @@ export const DeploymentSidebar: FC = () => {
 			permissions={permissions}
 			showOrganizations={showOrganizations}
 			hasPremiumLicense={hasPremiumLicense}
+			experiments={experiments}
+			buildInfo={buildInfo}
 		/>
 	);
 };
diff --git a/site/src/modules/management/DeploymentSidebarView.tsx b/site/src/modules/management/DeploymentSidebarView.tsx
@@ -1,3 +1,4 @@
+import type { BuildInfoResponse, Experiment } from "api/typesGenerated";
 import {
 	Sidebar as BaseSidebar,
 	SettingsSidebarNavItem as SidebarNavItem,
@@ -6,12 +7,15 @@ import { Stack } from "components/Stack/Stack";
 import { ArrowUpRight } from "lucide-react";
 import type { Permissions } from "modules/permissions";
 import type { FC } from "react";
+import { isDevBuild } from "utils/buildInfo";
 
 interface DeploymentSidebarViewProps {
 	/** Site-wide permissions. */
 	permissions: Permissions;
 	showOrganizations: boolean;
 	hasPremiumLicense: boolean;
+	experiments: Experiment[];
+	buildInfo: BuildInfoResponse;
 }
 
 /**
@@ -22,6 +26,8 @@ export const DeploymentSidebarView: FC<DeploymentSidebarViewProps> = ({
 	permissions,
 	showOrganizations,
 	hasPremiumLicense,
+	experiments,
+	buildInfo,
 }) => {
 	return (
 		<BaseSidebar>
@@ -47,10 +53,12 @@ export const DeploymentSidebarView: FC<DeploymentSidebarViewProps> = ({
 						External Authentication
 					</SidebarNavItem>
 				)}
-				{/* Not exposing this yet since token exchange is not finished yet.
-          <SidebarNavItem href="oauth2-provider/apps">
-            OAuth2 Applications
-          </SidebarNavItem>*/}
+				{permissions.viewDeploymentConfig &&
+					(experiments.includes("oauth2") || isDevBuild(buildInfo)) && (
+						<SidebarNavItem href="/deployment/oauth2-provider/apps">
+							OAuth2 Applications
+						</SidebarNavItem>
+					)}
 				{permissions.viewDeploymentConfig && (
 					<SidebarNavItem href="/deployment/network">Network</SidebarNavItem>
 				)}
diff --git a/site/src/pages/DeploymentSettingsPage/OAuth2AppsSettingsPage/EditOAuth2AppPageView.tsx b/site/src/pages/DeploymentSettingsPage/OAuth2AppsSettingsPage/EditOAuth2AppPageView.tsx
@@ -141,6 +141,7 @@ export const EditOAuth2AppPageView: FC<EditOAuth2AppProps> = ({
 							confirmLoading={mutatingResource.deleteApp}
 							name={app.name}
 							entity="OAuth2 application"
+							info="⚠️ Warning: Deleting this OAuth2 application will immediately invalidate all active sessions and API keys associated with it. Users currently authenticated through this application will be logged out and need to re-authenticate."
 							onConfirm={() => deleteApp(app.name)}
 							onCancel={() => setShowDelete(false)}
 						/>
diff --git a/site/src/pages/UserSettingsPage/Sidebar.tsx b/site/src/pages/UserSettingsPage/Sidebar.tsx
@@ -13,17 +13,19 @@ import {
 	FingerprintIcon,
 	KeyIcon,
 	LockIcon,
+	ShieldIcon,
 	UserIcon,
 } from "lucide-react";
 import { useDashboard } from "modules/dashboard/useDashboard";
 import type { FC } from "react";
+import { isDevBuild } from "utils/buildInfo";
 
 interface SidebarProps {
 	user: User;
 }
 
 export const Sidebar: FC<SidebarProps> = ({ user }) => {
-	const { entitlements } = useDashboard();
+	const { entitlements, experiments, buildInfo } = useDashboard();
 	const showSchedulePage =
 		entitlements.features.advanced_template_scheduling.enabled;
 
@@ -43,6 +45,11 @@ export const Sidebar: FC<SidebarProps> = ({ user }) => {
 			<SidebarNavItem href="external-auth" icon={GitIcon}>
 				External Authentication
 			</SidebarNavItem>
+			{(experiments.includes("oauth2") || isDevBuild(buildInfo)) && (
+				<SidebarNavItem href="oauth2-provider" icon={ShieldIcon}>
+					OAuth2 Applications
+				</SidebarNavItem>
+			)}
 			{showSchedulePage && (
 				<SidebarNavItem href="schedule" icon={CalendarCogIcon}>
 					Schedule
diff --git a/site/src/pages/WorkspacePage/WorkspacePage.test.tsx b/site/src/pages/WorkspacePage/WorkspacePage.test.tsx
@@ -1,7 +1,11 @@
 import { screen, waitFor, within } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import * as apiModule from "api/api";
-import type { TemplateVersionParameter, Workspace } from "api/typesGenerated";
+import type {
+	BuildInfoResponse,
+	TemplateVersionParameter,
+	Workspace,
+} from "api/typesGenerated";
 import MockServerSocket from "jest-websocket-mock";
 import {
 	DashboardContext,
@@ -554,6 +558,7 @@ describe("WorkspacePage", () => {
 						appearance: MockAppearanceConfig,
 						entitlements: MockEntitlements,
 						experiments: [],
+						buildInfo: { version: "v0.0.0-test" } as BuildInfoResponse,
 						organizations: [MockOrganization],
 						showOrganizations: true,
 						canViewOrganizationSettings: true,
diff --git a/site/src/testHelpers/storybook.tsx b/site/src/testHelpers/storybook.tsx
@@ -2,7 +2,7 @@ import type { StoryContext } from "@storybook/react";
 import { withDefaultFeatures } from "api/api";
 import { getAuthorizationKey } from "api/queries/authCheck";
 import { hasFirstUserKey, meKey } from "api/queries/users";
-import type { Entitlements } from "api/typesGenerated";
+import type { BuildInfoResponse, Entitlements } from "api/typesGenerated";
 import { GlobalSnackbar } from "components/GlobalSnackbar/GlobalSnackbar";
 import {
 	ProxyContext,
@@ -56,6 +56,7 @@ export const withDashboardProvider = (
 				entitlements,
 				experiments,
 				appearance: MockAppearanceConfig,
+				buildInfo: { version: "v0.0.0-test" } as BuildInfoResponse,
 				organizations,
 				showOrganizations,
 				canViewOrganizationSettings,
diff --git a/site/src/utils/buildInfo.ts b/site/src/utils/buildInfo.ts
