Closes https://github.com/coder/internal/issues/965
Recent `pg_dump` patch releases (13.22+ / 14.19+ / 15.14+ / 16.10+ /
17.6+) emit `\restrict` / `\unrestrict` psql meta-commands at the head
and tail of schema dumps. These broke both `sqlc` and our
`scripts/migrate-test` schema-equality check. PR #19696 worked around it
by pinning `pg_dump` to a Docker image.
This change unpins the workaround now that `sqlc` handles the
meta-commands:
* Bumps the coder/sqlc fork pin to [`337309b` on
coder/sqlc:main](https://github.com/coder/sqlc/commit/337309bfb9524f38466a5090e310040fc7af0203),
the merge of upstream v1.31.1 (coder/sqlc#6). v1.31.1 includes
[sqlc-dev/sqlc#4390](https://github.com/sqlc-dev/sqlc/pull/4390), the
upstream `\restrict` / `\unrestrict` parser fix. Updated in three places
that pin the fork SHA: `flake.nix` (`sqlc-custom`),
`.github/actions/setup-sqlc/action.yaml`, and the
`dogfood/coder/ubuntu-{22,26}.04` Dockerfiles. The flake's `sha256` /
`vendorHash` are reset to `pkgs.lib.fakeSha256`; Nix will surface the
real hashes on first build, per the existing comment block.
* Reverts #19696's Docker pin in `coderd/database/dbtestutil/db.go`.
Local `pg_dump` (13+) and the `postgres:13` Docker fallback both work
again.
* Strips `\restrict` / `\unrestrict` lines in `normalizeDump` so
`scripts/migrate-test`'s schema comparison is stable across `pg_dump`
versions (the token in those lines is randomized per run).
`TestNormalizeDumpStripsRestrict` locks the behavior in.
* Regenerates with v1.31.1, picking up the version stamp and one
upstream correctness fix in `DeleteLicense`
([sqlc-dev/sqlc#4383](https://github.com/sqlc-dev/sqlc/pull/4383): don't
shadow the input parameter when scanning a single-column return).
## Summary
Bumps the repository Go toolchain from 1.25.9 to 1.26.2 across local
development, CI, dogfood Docker images, and Nix builds.
## Changes
- Update `go.mod` and the shared setup-go action to Go 1.26.2.
- Update dogfood Ubuntu image Go versions and the official linux-amd64
tarball checksum.
- Move Nix Go module builds from `buildGo125Module` to
`buildGo126Module`.
- Regenerate API docs affected by Go 1.26 stdlib URL documentation
changes.
## Validation
- `./scripts/check_go_versions.sh`
- `make fmt`
- `make lint`
- `make build-slim`
- `make test TEST_SHORT=1`
- `make pre-commit`
> 🤖 This PR was created with the help of Coder Agents, and needs a human
review. 🧑💻
Go 1.26's crypto/x509 calls SecTrustCopyCertificateChain via cgo, a
Security framework function introduced in macOS 12. The devShell's
default stdenv uses the macOS 11 SDK, so clang can't find the symbol at
link time.
Override the devShell stdenv on Darwin with overrideSDK "12.3" so the
clang wrapper links against the 12.3 SDK, and update frontendPackages to
use apple_sdk_12_3 frameworks for consistency.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
# Update Node.js from 20.19.4 to 22.19.0
This PR updates Node.js from v20.19.4 to v22.19.0 across the codebase. The change includes:
- Updated Node.js version in GitHub Actions setup-node workflow
- Updated Node.js version in the dogfood Dockerfile
- Changed from `pkgs.nodejs_20` to `unstablePkgs.nodejs_22` in the Nix flake
- Updated the Node.js engine version constraints in package.json files to allow Node.js 22
- Updated Playwright from v1.47.0 to v1.50.1
- Updated tzdata dependency from v1.0.44 to v1.0.46
- Updated the flake.lock file with latest nixpkgs references
The PR also improves the error message for Playwright version mismatches by showing the actual versions in the error.
pnpm 9 yells pretty loudly about being out of date. also, pnpm 10 no
longer runs untrusted `postinstall`/`prepare` scripts by default, which,
_finally_.
## Summary
This PR implements critical MCP OAuth2 compliance features for Coder's authorization server, adding PKCE support, resource parameter handling, and OAuth2 server metadata discovery. This brings Coder's OAuth2 implementation significantly closer to production readiness for MCP (Model Context Protocol)
integrations.
## What's Added
### OAuth2 Authorization Server Metadata (RFC 8414)
- Add `/.well-known/oauth-authorization-server` endpoint for automatic client discovery
- Returns standardized metadata including supported grant types, response types, and PKCE methods
- Essential for MCP client compatibility and OAuth2 standards compliance
### PKCE Support (RFC 7636)
- Implement Proof Key for Code Exchange with S256 challenge method
- Add `code_challenge` and `code_challenge_method` parameters to authorization flow
- Add `code_verifier` validation in token exchange
- Provides enhanced security for public clients (mobile apps, CLIs)
### Resource Parameter Support (RFC 8707)
- Add `resource` parameter to authorization and token endpoints
- Store resource URI and bind tokens to specific audiences
- Critical for MCP's resource-bound token model
### Enhanced OAuth2 Error Handling
- Add OAuth2-compliant error responses with proper error codes
- Use standard error format: `{"error": "code", "error_description": "details"}`
- Improve error consistency across OAuth2 endpoints
### Authorization UI Improvements
- Fix authorization flow to use POST-based consent instead of GET redirects
- Remove dependency on referer headers for security decisions
- Improve CSRF protection with proper state parameter validation
## Why This Matters
**For MCP Integration:** MCP requires OAuth2 authorization servers to support PKCE, resource parameters, and metadata discovery. Without these features, MCP clients cannot securely authenticate with Coder.
**For Security:** PKCE prevents authorization code interception attacks, especially critical for public clients. Resource binding ensures tokens are only valid for intended services.
**For Standards Compliance:** These are widely adopted OAuth2 extensions that improve interoperability with modern OAuth2 clients.
## Database Changes
- **Migration 000343:** Adds `code_challenge`, `code_challenge_method`, `resource_uri` to `oauth2_provider_app_codes`
- **Migration 000343:** Adds `audience` field to `oauth2_provider_app_tokens` for resource binding
- **Audit Updates:** New OAuth2 fields properly tracked in audit system
- **Backward Compatibility:** All changes maintain compatibility with existing OAuth2 flows
## Test Coverage
- Comprehensive PKCE test suite in `coderd/identityprovider/pkce_test.go`
- OAuth2 metadata endpoint tests in `coderd/oauth2_metadata_test.go`
- Integration tests covering PKCE + resource parameter combinations
- Negative tests for invalid PKCE verifiers and malformed requests
## Testing Instructions
```bash
# Run the comprehensive OAuth2 test suite
./scripts/oauth2/test-mcp-oauth2.sh
Manual Testing with Interactive Server
# Start Coder in development mode
./scripts/develop.sh
# In another terminal, set up test app and run interactive flow
eval $(./scripts/oauth2/setup-test-app.sh)
./scripts/oauth2/test-manual-flow.sh
# Opens browser with OAuth2 flow, handles callback automatically
# Clean up when done
./scripts/oauth2/cleanup-test-app.sh
Individual Component Testing
# Test metadata endpoint
curl -s http://localhost:3000/.well-known/oauth-authorization-server | jq .
# Test PKCE generation
./scripts/oauth2/generate-pkce.sh
# Run specific test suites
go test -v ./coderd/identityprovider -run TestVerifyPKCE
go test -v ./coderd -run TestOAuth2AuthorizationServerMetadata
```
### Breaking Changes
None. All changes maintain backward compatibility with existing OAuth2 flows.
---
Change-Id: Ifbd0d9a543d545f9f56ecaa77ff2238542ff954a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
# Use workspace.OwnerUsername instead of fetching the owner
This PR optimizes the agent API by using the `workspace.OwnerUsername` field directly instead of making an additional database query to fetch the owner's username. The change removes the need to call `GetUserByID` in the manifest API and workspace agent RPC endpoints.
An issue arose when the agent token was scoped without access to user data (`api_key_scope = "no_user_data"`), causing the agent to fail to fetch the manifest due to an RBAC issue.
Change-Id: I3b6e7581134e2374b364ee059e3b18ece3d98b41
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Part of #17649
---
# Allow MCP server to run without authentication
This PR enhances the MCP server to operate without requiring authentication, making it more flexible for environments where authentication isn't available or necessary. Key changes:
- Replaced `InitClient` with `TryInitClient` to allow the MCP server to start without credentials
- Added graceful handling when URL or authentication is missing
- Made authentication status visible in server logs
- Added logic to skip user-dependent tools when no authenticated user is present
- Made the `coder_report_task` tool available with just an agent token (no user token required)
- Added comprehensive tests to verify operation without authentication
These changes allow the MCP server to function in more environments while still using authentication when available, improving flexibility for CI/CD and other automated environments.
this updates `go` to the latest stable patch version `1.24.2` in:
- `go.mod`
- `dogfood/coder/Dockerfile`
- `.github/actions/setup-go/action.yaml`
- `flake.nix`
written with the assistance of ClaudeCode.
---------
Co-authored-by: Thomas Kosiewski <tk@coder.com>
Followup PR to #16781, update the terraform version in our Nix devshell.
Additionally:
1. Switches from DeterminateSystems/nix-installer-action to nixbuild/nix-quick-install-action -- quicker installer, reduces actions time from ~60 seconds to ~1 seconds.
2. Adds nix-community/cache-nix-action for better caching with garbage collection -- avoids unnecessary rebuilding on subsequent runs, reduces nix image build time from ~6 minutes to <4 minutes.
3. Adds nixpkgs-unstable input to use Terraform 1.11.1
Change-Id: I05d6dfd3f3cf1af48cf8a2d9e61b396bcd2b7191
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Ensure that the version of Playwright installed with the Nix flake is
equal to the one specified in `site/package.json.` -- This assertion
ensures that `pnpm playwright:install` will not attempt to download
newer browser versions not present in the Nix image, fixing the startup
script and reducing the startup time, as `pnpm playwright:install` will
not download or install anything.
We also pre-install the required Playwright web browsers in the dogfood
Dockerfile. This change prevents us from redownloading system
dependencies and Google Chrome each time a workspace starts.
Change-Id: I8cc78e842f7d0b1d2a90a4517a186a03636c5559
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Add procps to flake.nix and release name to Docker image
Adds the `procps` package to flake.nix to enable the `free` command, and includes a release name file in the Docker image at `/etc/coderniximage-release`.
Change-Id: I85432acc06a204229fa3675e0020bd3acacf775a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
This updates actions/cache to v4.2.0 and adds missing development
dependencies (gawk, gnutar, which, zip, gzip) to the Nix flake.
Change-Id: I1156810c9e02f0cef8e1345a1cbf2b6ba484974a
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Added `gnugrep` to the development shell dependencies, as its a dependency of the bootstrap script for an agent.
Change-Id: Ia56e16a831bb94af2324e33ae5274833d0123d47
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Replace Depot build action with Nix for Nix dogfood image builds
The dogfood Nix image is now built using Nix's native container tooling instead of Depot. This change:
- Adds Nix setup steps to the GitHub Actions workflow
- Removes the Dockerfile.nix in favor of a Nix-native container build
- Updates the flake.nix to support building Docker images
- Introduces a hash file to track Nix-related changes
- Updates the vendorHash for Go dependencies
Change-Id: I4e011fe3a19d9a1375fbfd5223c910e59d66a5d9
Signed-off-by: Thomas Kosiewski <tk@coder.com>
- update `flake.nix`:
- use `devShells.default` instead of `devShell`
- include macOS-specific build inputs
- use the same nodejs version in the default devShell and pnpm frontend build
- update `site/.npmrc` to include tarball URLs for a reproducible Nix build.
Change-Id: I28f0e301298806f251121cc93224740bcc02bcba
Signed-off-by: Thomas Kosiewski <tk@coder.com>
Change-Id: I22dba63d317b41749c807a55e15278006cdcecad
Signed-off-by: Thomas Kosiewski <tk@coder.com>
- Adds neovim and fzf to development tools, removes sapling, and fixes locale issues on Linux systems.
- Updates Dockerfile.nix syntax to use uppercase `AS` to remove warnings.
- Refactored conditional logic for strace inclusion using `lib.optional`.
Ethan