Merge branch 'master' into scim

Author: felixmccuaig

Makefile

@@ -1,4 +1,5 @@
-.PHONY: all build deps dev-deps image migrate test vet sec format unused
+.PHONY: all build deps image migrate test vet sec format unused
+.PHONY: check-exhaustive check-gosec check-oapi-codegen check-staticcheck
 CHECK_FILES?=./...
 
 ifdef RELEASE_VERSION
@@ -33,13 +34,6 @@ build-strip: deps ## Build a stripped binary, for which the version file needs t
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build \
 		$(FLAGS) -ldflags "-s -w" -o auth-arm64-strip
 
-dev-deps: ## Install developer dependencies
-	@go install github.com/gobuffalo/pop/soda@latest
-	@go install github.com/securego/gosec/v2/cmd/gosec@latest
-	@go install honnef.co/go/tools/cmd/staticcheck@latest
-	@go install github.com/deepmap/oapi-codegen/cmd/oapi-codegen@latest
-	@go install github.com/nishanths/exhaustive/cmd/exhaustive@latest
-
 deps: ## Install dependencies.
 	@go mod download
 	@go mod verify
@@ -57,26 +51,40 @@ test: build ## Run tests.
 vet: # Vet the code
 	go vet $(CHECK_FILES)
 
-sec: dev-deps # Check for security vulnerabilities
+sec: check-gosec # Check for security vulnerabilities
 	gosec -quiet -exclude-generated $(CHECK_FILES)
 	gosec -quiet -tests -exclude-generated -exclude=G104 $(CHECK_FILES)
 
-unused: dev-deps # Look for unused code
+check-gosec:
+	@command -v gosec >/dev/null 2>&1 \
+		|| @go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+unused: | check-staticcheck # Look for unused code
 	@echo "Unused code:"
 	staticcheck -checks U1000 $(CHECK_FILES)
-	
 	@echo
-	
 	@echo "Code used only in _test.go (do move it in those files):"
 	staticcheck -checks U1000 -tests=false $(CHECK_FILES)
 
-static: dev-deps
+static: | check-staticcheck check-exhaustive
 	staticcheck ./...
 	exhaustive ./...
 
-generate: dev-deps
+check-staticcheck:
+	@command -v staticcheck >/dev/null 2>&1 \
+		|| @go install honnef.co/go/tools/cmd/staticcheck@latest
+
+check-exhaustive:
+	@command -v exhaustive >/dev/null 2>&1 \
+		|| @go install github.com/nishanths/exhaustive/cmd/exhaustive@latest
+
+generate: | check-oapi-codegen
 	go generate ./...
 
+check-oapi-codegen:
+	@command -v oapi-codegen >/dev/null 2>&1 \
+		|| go install github.com/deepmap/oapi-codegen/cmd/oapi-codegen@latest
+
 dev: ## Run the development containers
 	${DOCKER_COMPOSE} -f $(DEV_DOCKER_COMPOSE) up
 

internal/api/api.go

@@ -93,11 +93,6 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 		version: version,
 	}
 
-	// Only initialize OAuth server if enabled
-	if globalConfig.OAuthServer.Enabled {
-		api.oauthServer = oauthserver.NewServer(globalConfig, db)
-	}
-
 	for _, o := range opt {
 		o.apply(api)
 	}
@@ -123,6 +118,11 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 	// Connect token service to API's time function (supports test overrides)
 	api.tokenService.SetTimeFunc(api.Now)
 
+	// Initialize OAuth server (only if enabled)
+	if globalConfig.OAuthServer.Enabled {
+		api.oauthServer = oauthserver.NewServer(globalConfig, db, api.tokenService)
+	}
+
 	if api.config.Password.HIBP.Enabled {
 		httpClient := &http.Client{
 			// all HIBP API requests should finish quickly to avoid
@@ -238,7 +238,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			With(api.verifyCaptcha).Post("/otp", api.Otp)
 
 		// rate limiting applied in handler
-		r.With(api.verifyCaptcha).With(api.oauthClientAuth).Post("/token", api.Token)
+		r.With(api.verifyCaptcha).Post("/token", api.Token)
 
 		r.With(api.limitHandler(api.limiterOpts.Verify)).Route("/verify", func(r *router) {
 			r.Get("/", api.Verify)
@@ -379,6 +379,9 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 				r.With(api.limitHandler(api.limiterOpts.OAuthClientRegister)).
 					Post("/clients/register", api.oauthServer.OAuthServerClientDynamicRegister)
 
+				// OAuth Token endpoint (public, with client authentication)
+				r.With(api.requireOAuthClientAuth).Post("/token", api.oauthServer.OAuthToken)
+
 				// OAuth 2.1 Authorization endpoints
 				// `/authorize` to initiate OAuth2 authorization code flow where Supabase Auth is the OAuth2 provider
 				r.Get("/authorize", api.oauthServer.OAuthServerAuthorize)

internal/api/middleware.go

@@ -14,9 +14,11 @@ import (
 	"time"
 
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
+	"github.com/gofrs/uuid"
 	"github.com/sirupsen/logrus"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/oauthserver"
+	"github.com/supabase/auth/internal/api/shared"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/security"
@@ -84,9 +86,9 @@ func (a *API) limitHandler(lmt *limiter.Limiter) middlewareHandler {
 	}
 }
 
-// oauthClientAuth optionally authenticates an OAuth client as middleware
-// This doesn't fail if no client credentials are provided, but validates them if present
-func (a *API) oauthClientAuth(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+// requireOAuthClientAuth authenticates an OAuth client as middleware
+// Requires client_id to be present and validates client credentials
+func (a *API) requireOAuthClientAuth(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	ctx := r.Context()
 
 	clientID, clientSecret, err := oauthserver.ExtractClientCredentials(r)
@@ -99,23 +101,29 @@ func (a *API) oauthClientAuth(w http.ResponseWriter, r *http.Request) (context.C
 		return ctx, nil
 	}
 
+	// Parse client_id as UUID
+	clientUUID, err := uuid.FromString(clientID)
+	if err != nil {
+		return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeInvalidCredentials, "Invalid client_id format")
+	}
+
 	// Validate client credentials
 	db := a.db.WithContext(ctx)
-	client, err := models.FindOAuthServerClientByClientID(db, clientID)
+	client, err := models.FindOAuthServerClientByID(db, clientUUID)
 	if err != nil {
 		if models.IsNotFoundError(err) {
 			return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeInvalidCredentials, "Invalid client credentials")
 		}
 		return nil, apierrors.NewInternalServerError("Error validating client credentials").WithInternalError(err)
 	}
 
-	// Validate client secret
-	if !oauthserver.ValidateClientSecret(clientSecret, client.ClientSecretHash) {
-		return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeInvalidCredentials, "Invalid client credentials")
+	// Validate authentication using centralized logic
+	if err := oauthserver.ValidateClientAuthentication(client, clientSecret); err != nil {
+		return nil, apierrors.NewBadRequestError(apierrors.ErrorCodeInvalidCredentials, err.Error())
 	}
 
 	// Add authenticated client to context
-	ctx = oauthserver.WithOAuthServerClient(ctx, client)
+	ctx = shared.WithOAuthServerClient(ctx, client)
 	return ctx, nil
 }
 

internal/api/oauthserver/auth.go

@@ -1,14 +1,17 @@
 package oauthserver
 
 import (
+	"bytes"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
+	"io"
 	"net/http"
 	"strings"
 )
 
 // ExtractClientCredentials extracts OAuth client credentials from the request
-// Supports both Basic auth header and form body parameters
+// Supports Basic auth header, form body parameters, and JSON body parameters
 func ExtractClientCredentials(r *http.Request) (clientID, clientSecret string, err error) {
 	// First, try Basic auth header: Authorization: Basic base64(client_id:client_secret)
 	authHeader := r.Header.Get("Authorization")
@@ -28,22 +31,40 @@ func ExtractClientCredentials(r *http.Request) (clientID, clientSecret string, e
 		return parts[0], parts[1], nil
 	}
 
-	// Fall back to form parameters
-	if err := r.ParseForm(); err != nil {
-		return "", "", errors.New("failed to parse form")
-	}
+	// Check Content-Type to determine how to parse body parameters
+	contentType := r.Header.Get("Content-Type")
+	if strings.Contains(contentType, "application/json") {
+		// Parse JSON body
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			return "", "", errors.New("failed to read request body")
+		}
+		// Restore the body so other handlers can read it
+		r.Body = io.NopCloser(bytes.NewBuffer(body))
 
-	clientID = r.FormValue("client_id")
-	clientSecret = r.FormValue("client_secret")
+		var jsonData struct {
+			ClientID     string `json:"client_id"`
+			ClientSecret string `json:"client_secret"`
+		}
+		if err := json.Unmarshal(body, &jsonData); err != nil {
+			return "", "", errors.New("failed to parse JSON body")
+		}
+
+		clientID = jsonData.ClientID
+		clientSecret = jsonData.ClientSecret
+	} else {
+		// Fall back to form parameters
+		if err := r.ParseForm(); err != nil {
+			return "", "", errors.New("failed to parse form")
+		}
 
-	// Return empty credentials if both are empty (no client auth attempted)
-	if clientID == "" && clientSecret == "" {
-		return "", "", nil
+		clientID = r.FormValue("client_id")
+		clientSecret = r.FormValue("client_secret")
 	}
 
-	// If only one is provided, it's an error
-	if clientID == "" || clientSecret == "" {
-		return "", "", errors.New("both client_id and client_secret must be provided")
+	// return error if client_id is not provided
+	if clientID == "" {
+		return "", "", errors.New("client_id is required")
 	}
 
 	return clientID, clientSecret, nil

internal/api/oauthserver/authorize.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/gofrs/uuid"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/shared"
 	"github.com/supabase/auth/internal/models"
@@ -103,7 +104,13 @@ func (s *Server) OAuthServerAuthorize(w http.ResponseWriter, r *http.Request) er
 		return err
 	}
 
-	client, err := s.getOAuthServerClient(ctx, params.ClientID)
+	// Parse client_id as UUID
+	clientID, err := uuid.FromString(params.ClientID)
+	if err != nil {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeOAuthClientNotFound, "invalid client_id format")
+	}
+
+	client, err := s.getOAuthServerClient(ctx, clientID)
 	if err != nil {
 		if models.IsNotFoundError(err) {
 			return apierrors.NewBadRequestError(apierrors.ErrorCodeOAuthClientNotFound, "invalid client_id")
@@ -144,7 +151,7 @@ func (s *Server) OAuthServerAuthorize(w http.ResponseWriter, r *http.Request) er
 	}
 
 	observability.LogEntrySetField(r, "authorization_id", authorization.AuthorizationID)
-	observability.LogEntrySetField(r, "client_id", client.ClientID)
+	observability.LogEntrySetField(r, "client_id", client.ID.String())
 
 	// Redirect to authorization path with authorization_id
 	if config.OAuthServer.AuthorizationPath == "" {
@@ -228,7 +235,7 @@ func (s *Server) OAuthServerGetAuthorization(w http.ResponseWriter, r *http.Requ
 	response := AuthorizationDetailsResponse{
 		AuthorizationID: authorization.AuthorizationID,
 		Client: ClientDetailsResponse{
-			ClientID:   authorization.Client.ClientID,
+			ClientID:   authorization.Client.ID.String(),
 			ClientName: utilities.StringValue(authorization.Client.ClientName),
 			ClientURI:  utilities.StringValue(authorization.Client.ClientURI),
 			LogoURI:    utilities.StringValue(authorization.Client.LogoURI),
@@ -241,7 +248,7 @@ func (s *Server) OAuthServerGetAuthorization(w http.ResponseWriter, r *http.Requ
 	}
 
 	observability.LogEntrySetField(r, "authorization_id", authorization.AuthorizationID)
-	observability.LogEntrySetField(r, "client_id", authorization.Client.ClientID)
+	observability.LogEntrySetField(r, "client_id", authorization.Client.ID.String())
 
 	return shared.SendJSON(w, http.StatusOK, response)
 }