coder
diff --git a/‎.claude/scripts/format.sh
Lines changed: 16 additions & 10 deletions b/‎.claude/scripts/format.sh
Lines changed: 16 additions & 10 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/audit/diff.go
Lines changed: 1 addition & 0 deletions b/‎coderd/audit/diff.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/audit/request.go
Lines changed: 8 additions & 0 deletions b/‎coderd/audit/request.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/check_constraint.go
Lines changed: 9 additions & 7 deletions b/‎coderd/database/check_constraint.go
Lines changed: 9 additions & 7 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 76 additions & 32 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 76 additions & 32 deletions
@@ -101,30 +101,36 @@ fi
 # Get the file extension to determine the appropriate formatter
 file_ext="${file_path##*.}"
 
+# Helper function to run formatter and handle errors
+run_formatter() {
+	local target="$1"
+	local file_type="$2"
+
+	if ! make FILE="$file_path" "$target"; then
+		echo "Error: Failed to format $file_type file: $file_path" >&2
+		exit 2
+	fi
+	echo "✓ Formatted $file_type file: $file_path"
+}
 # Change to the project root directory (where the Makefile is located)
 cd "$(dirname "$0")/../.."
 
 # Call the appropriate Makefile target based on file extension
 case "$file_ext" in
 go)
-	make fmt/go FILE="$file_path"
-	echo "✓ Formatted Go file: $file_path"
+	run_formatter "fmt/go" "Go"
 	;;
 js | jsx | ts | tsx)
-	make fmt/ts FILE="$file_path"
-	echo "✓ Formatted TypeScript/JavaScript file: $file_path"
+	run_formatter "fmt/ts" "TypeScript/JavaScript"
 	;;
 tf | tfvars)
-	make fmt/terraform FILE="$file_path"
-	echo "✓ Formatted Terraform file: $file_path"
+	run_formatter "fmt/terraform" "Terraform"
 	;;
 sh)
-	make fmt/shfmt FILE="$file_path"
-	echo "✓ Formatted shell script: $file_path"
+	run_formatter "fmt/shfmt" "shell script"
 	;;
 md)
-	make fmt/markdown FILE="$file_path"
-	echo "✓ Formatted Markdown file: $file_path"
+	run_formatter "fmt/markdown" "Markdown"
 	;;
 *)
 	echo "No formatter available for file extension: $file_ext"
 
@@ -24,6 +24,7 @@ type Auditable interface {
 		database.NotificationsSettings |
 		database.OAuth2ProviderApp |
 		database.OAuth2ProviderAppSecret |
+		database.OAuth2ProviderDeviceCode |
 		database.PrebuildsSettings |
 		database.CustomRole |
 		database.AuditableOrganizationMember |
 
@@ -117,6 +117,8 @@ func ResourceTarget[T Auditable](tgt T) string {
 		return typed.Name
 	case database.OAuth2ProviderAppSecret:
 		return typed.DisplaySecret
+	case database.OAuth2ProviderDeviceCode:
+		return typed.UserCode
 	case database.CustomRole:
 		return typed.Name
 	case database.AuditableOrganizationMember:
@@ -179,6 +181,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
 		return typed.ID
 	case database.OAuth2ProviderAppSecret:
 		return typed.ID
+	case database.OAuth2ProviderDeviceCode:
+		return typed.ID
 	case database.CustomRole:
 		return typed.ID
 	case database.AuditableOrganizationMember:
@@ -232,6 +236,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
 		return database.ResourceTypeOauth2ProviderApp
 	case database.OAuth2ProviderAppSecret:
 		return database.ResourceTypeOauth2ProviderAppSecret
+	case database.OAuth2ProviderDeviceCode:
+		return database.ResourceTypeOauth2ProviderDeviceCode
 	case database.CustomRole:
 		return database.ResourceTypeCustomRole
 	case database.AuditableOrganizationMember:
@@ -288,6 +294,8 @@ func ResourceRequiresOrgID[T Auditable]() bool {
 		return false
 	case database.OAuth2ProviderAppSecret:
 		return false
+	case database.OAuth2ProviderDeviceCode:
+		return false
 	case database.CustomRole:
 		return true
 	case database.AuditableOrganizationMember:
 
@@ -996,7 +996,7 @@ func New(options *Options) *API {
 		r.Route("/device", func(r chi.Router) {
 			r.Post("/", api.postOAuth2DeviceAuthorization()) // RFC 8628 compliant endpoint
 			r.Route("/verify", func(r chi.Router) {
-				r.Use(apiKeyMiddleware)
+				r.Use(apiKeyMiddlewareRedirect)
 				r.Get("/", api.getOAuth2DeviceVerification())
 				r.Post("/", api.postOAuth2DeviceVerification())
 			})
 
@@ -417,6 +417,35 @@ var (
 					rbac.ResourceProvisionerJobs.Type:        {policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},
 					rbac.ResourceOauth2App.Type:              {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 					rbac.ResourceOauth2AppSecret.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceOauth2AppCodeToken.Type:     {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+				}),
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	}.WithCachedASTValue()
+
+	subjectSystemOAuth2 = rbac.Subject{
+		Type:         rbac.SubjectTypeSystemRestricted,
+		FriendlyName: "System OAuth2",
+		ID:           uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Identifier:  rbac.RoleIdentifier{Name: "system-oauth2"},
+				DisplayName: "System OAuth2",
+				Site: rbac.Permissions(map[string][]policy.Action{
+					// OAuth2 resources - full CRUD permissions
+					rbac.ResourceOauth2App.Type:          rbac.ResourceOauth2App.AvailableActions(),
+					rbac.ResourceOauth2AppSecret.Type:    rbac.ResourceOauth2AppSecret.AvailableActions(),
+					rbac.ResourceOauth2AppCodeToken.Type: rbac.ResourceOauth2AppCodeToken.AvailableActions(),
+
+					// API key permissions needed for OAuth2 token revocation
+					rbac.ResourceApiKey.Type: {policy.ActionRead, policy.ActionDelete},
+
+					// Minimal read permissions that might be needed for OAuth2 operations
+					rbac.ResourceUser.Type:         {policy.ActionRead},
+					rbac.ResourceOrganization.Type: {policy.ActionRead},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -567,6 +596,12 @@ func AsSystemRestricted(ctx context.Context) context.Context {
 	return As(ctx, subjectSystemRestricted)
 }
 
+// AsSystemOAuth2 returns a context with an actor that has permissions
+// required for OAuth2 provider operations (token revocation, device codes, registration).
+func AsSystemOAuth2(ctx context.Context) context.Context {
+	return As(ctx, subjectSystemOAuth2)
+}
+
 // AsSystemReadProvisionerDaemons returns a context with an actor that has permissions
 // to read provisioner daemons.
 func AsSystemReadProvisionerDaemons(ctx context.Context) context.Context {
@@ -1346,6 +1381,14 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
 	return q.db.CleanTailnetTunnels(ctx)
 }
 
+func (q *querier) ConsumeOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPrefix []byte) (database.OAuth2ProviderAppCode, error) {
+	return updateWithReturn(q.log, q.auth, q.db.GetOAuth2ProviderAppCodeByPrefix, q.db.ConsumeOAuth2ProviderAppCodeByPrefix)(ctx, secretPrefix)
+}
+
+func (q *querier) ConsumeOAuth2ProviderDeviceCodeByPrefix(ctx context.Context, deviceCodePrefix string) (database.OAuth2ProviderDeviceCode, error) {
+	return updateWithReturn(q.log, q.auth, q.db.GetOAuth2ProviderDeviceCodeByPrefix, q.db.ConsumeOAuth2ProviderDeviceCodeByPrefix)(ctx, deviceCodePrefix)
+}
+
 func (q *querier) CountAuditLogs(ctx context.Context, arg database.CountAuditLogsParams) (int64, error) {
 	// Shortcut if the user is an owner. The SQL filter is noticeable,
 	// and this is an easy win for owners. Which is the common case.
@@ -1489,7 +1532,7 @@ func (q *querier) DeleteExpiredOAuth2ProviderDeviceCodes(ctx context.Context) er
 func (q *querier) DeleteExternalAuthLink(ctx context.Context, arg database.DeleteExternalAuthLinkParams) error {
 	return fetchAndExec(q.log, q.auth, policy.ActionUpdatePersonal, func(ctx context.Context, arg database.DeleteExternalAuthLinkParams) (database.ExternalAuthLink, error) {
 		//nolint:gosimple
-		return q.db.GetExternalAuthLink(ctx, database.GetExternalAuthLinkParams{UserID: arg.UserID, ProviderID: arg.ProviderID})
+		return q.db.GetExternalAuthLink(ctx, database.GetExternalAuthLinkParams(arg))
 	}, q.db.DeleteExternalAuthLink)(ctx, arg)
 }
 
@@ -1568,27 +1611,30 @@ func (q *querier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Contex
 	return q.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx, arg)
 }
 
-func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, threshold database.DeleteOldAuditLogConnectionEventsParams) error {
-	// `ResourceSystem` is deprecated, but it doesn't make sense to add
-	// `policy.ActionDelete` to `ResourceAuditLog`, since this is the one and
-	// only time we'll be deleting from the audit log.
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
-		return err
-	}
-	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
-}
-
 func (q *querier) DeleteOAuth2ProviderDeviceCodeByID(ctx context.Context, id uuid.UUID) error {
 	// Fetch the device code first to check authorization
 	deviceCode, err := q.db.GetOAuth2ProviderDeviceCodeByID(ctx, id)
 	if err != nil {
-		return err
+		return xerrors.Errorf("get oauth2 provider device code: %w", err)
 	}
 	if err := q.authorizeContext(ctx, policy.ActionDelete, deviceCode); err != nil {
-		return err
+		return xerrors.Errorf("authorize oauth2 provider device code deletion: %w", err)
 	}
 
-	return q.db.DeleteOAuth2ProviderDeviceCodeByID(ctx, id)
+	if err := q.db.DeleteOAuth2ProviderDeviceCodeByID(ctx, id); err != nil {
+		return xerrors.Errorf("delete oauth2 provider device code: %w", err)
+	}
+	return nil
+}
+
+func (q *querier) DeleteOldAuditLogConnectionEvents(ctx context.Context, threshold database.DeleteOldAuditLogConnectionEventsParams) error {
+	// `ResourceSystem` is deprecated, but it doesn't make sense to add
+	// `policy.ActionDelete` to `ResourceAuditLog`, since this is the one and
+	// only time we'll be deleting from the audit log.
+	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
+		return err
+	}
+	return q.db.DeleteOldAuditLogConnectionEvents(ctx, threshold)
 }
 
 func (q *querier) DeleteOldNotificationMessages(ctx context.Context) error {
@@ -1620,7 +1666,7 @@ func (q *querier) DeleteOldWorkspaceAgentStats(ctx context.Context) error {
 }
 
 func (q *querier) DeleteOrganizationMember(ctx context.Context, arg database.DeleteOrganizationMemberParams) error {
-	return deleteQ[database.OrganizationMember](q.log, q.auth, func(ctx context.Context, arg database.DeleteOrganizationMemberParams) (database.OrganizationMember, error) {
+	return deleteQ(q.log, q.auth, func(ctx context.Context, arg database.DeleteOrganizationMemberParams) (database.OrganizationMember, error) {
 		member, err := database.ExpectOne(q.OrganizationMembers(ctx, database.OrganizationMembersParams{
 			OrganizationID: arg.OrganizationID,
 			UserID:         arg.UserID,
@@ -2213,7 +2259,7 @@ func (q *querier) GetLicenseByID(ctx context.Context, id int32) (database.Licens
 }
 
 func (q *querier) GetLicenses(ctx context.Context) ([]database.License, error) {
-	fetch := func(ctx context.Context, _ interface{}) ([]database.License, error) {
+	fetch := func(ctx context.Context, _ any) ([]database.License, error) {
 		return q.db.GetLicenses(ctx)
 	}
 	return fetchWithPostFilter(q.auth, policy.ActionRead, fetch)(ctx, nil)
@@ -2377,8 +2423,8 @@ func (q *querier) GetOAuth2ProviderDeviceCodeByUserCode(ctx context.Context, use
 }
 
 func (q *querier) GetOAuth2ProviderDeviceCodesByClientID(ctx context.Context, clientID uuid.UUID) ([]database.OAuth2ProviderDeviceCode, error) {
-	// This requires access to read the OAuth2 app
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
+	// This requires access to read OAuth2 app code tokens
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppCodeToken); err != nil {
 		return []database.OAuth2ProviderDeviceCode{}, err
 	}
 	return q.db.GetOAuth2ProviderDeviceCodesByClientID(ctx, clientID)
@@ -2435,7 +2481,7 @@ func (q *querier) GetOrganizationResourceCountByID(ctx context.Context, organiza
 }
 
 func (q *querier) GetOrganizations(ctx context.Context, args database.GetOrganizationsParams) ([]database.Organization, error) {
-	fetch := func(ctx context.Context, _ interface{}) ([]database.Organization, error) {
+	fetch := func(ctx context.Context, _ any) ([]database.Organization, error) {
 		return q.db.GetOrganizations(ctx, args)
 	}
 	return fetchWithPostFilter(q.auth, policy.ActionRead, fetch)(ctx, nil)
@@ -2563,7 +2609,7 @@ func (q *querier) GetPreviousTemplateVersion(ctx context.Context, arg database.G
 }
 
 func (q *querier) GetProvisionerDaemons(ctx context.Context) ([]database.ProvisionerDaemon, error) {
-	fetch := func(ctx context.Context, _ interface{}) ([]database.ProvisionerDaemon, error) {
+	fetch := func(ctx context.Context, _ any) ([]database.ProvisionerDaemon, error) {
 		return q.db.GetProvisionerDaemons(ctx)
 	}
 	return fetchWithPostFilter(q.auth, policy.ActionRead, fetch)(ctx, nil)
@@ -3554,7 +3600,7 @@ func (q *querier) GetWorkspaceModulesCreatedAfter(ctx context.Context, createdAt
 }
 
 func (q *querier) GetWorkspaceProxies(ctx context.Context) ([]database.WorkspaceProxy, error) {
-	return fetchWithPostFilter(q.auth, policy.ActionRead, func(ctx context.Context, _ interface{}) ([]database.WorkspaceProxy, error) {
+	return fetchWithPostFilter(q.auth, policy.ActionRead, func(ctx context.Context, _ any) ([]database.WorkspaceProxy, error) {
 		return q.db.GetWorkspaceProxies(ctx)
 	})(ctx, nil)
 }
@@ -3848,8 +3894,8 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
 }
 
 func (q *querier) InsertOAuth2ProviderDeviceCode(ctx context.Context, arg database.InsertOAuth2ProviderDeviceCodeParams) (database.OAuth2ProviderDeviceCode, error) {
-	// Creating device codes requires OAuth2 app access
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2App); err != nil {
+	// Creating device codes requires OAuth2 app code token creation access
+	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppCodeToken); err != nil {
 		return database.OAuth2ProviderDeviceCode{}, err
 	}
 	return q.db.InsertOAuth2ProviderDeviceCode(ctx, arg)
@@ -4156,10 +4202,11 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		return xerrors.Errorf("get workspace by id: %w", err)
 	}
 
-	var action policy.Action = policy.ActionWorkspaceStart
-	if arg.Transition == database.WorkspaceTransitionDelete {
+	action := policy.ActionWorkspaceStart
+	switch arg.Transition {
+	case database.WorkspaceTransitionDelete:
 		action = policy.ActionDelete
-	} else if arg.Transition == database.WorkspaceTransitionStop {
+	case database.WorkspaceTransitionStop:
 		action = policy.ActionWorkspaceStop
 	}
 
@@ -4536,13 +4583,10 @@ func (q *querier) UpdateOAuth2ProviderAppSecretByID(ctx context.Context, arg dat
 }
 
 func (q *querier) UpdateOAuth2ProviderDeviceCodeAuthorization(ctx context.Context, arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode, error) {
-	// Verify the user is authenticated for device code authorization
-	_, ok := ActorFromContext(ctx)
-	if !ok {
-		return database.OAuth2ProviderDeviceCode{}, ErrNoActor
+	fetch := func(ctx context.Context, arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode, error) {
+		return q.db.GetOAuth2ProviderDeviceCodeByID(ctx, arg.ID)
 	}
-
-	return q.db.UpdateOAuth2ProviderDeviceCodeAuthorization(ctx, arg)
+	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateOAuth2ProviderDeviceCodeAuthorization)(ctx, arg)
 }
 
 func (q *querier) UpdateOrganization(ctx context.Context, arg database.UpdateOrganizationParams) (database.Organization, error) {