coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 25 additions & 14 deletions b/‎coderd/apidoc/docs.go
Lines changed: 25 additions & 14 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 23 additions & 12 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 23 additions & 12 deletions
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 4 additions & 4 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 0 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 0 additions & 2 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go
Lines changed: 1 addition & 2 deletions b/‎coderd/database/dbgen/dbgen.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 4 additions & 4 deletions b/‎coderd/database/dump.sql
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/database/migrations/000350_remove_oauth2_callback_url.down.sql
Lines changed: 18 additions & 0 deletions b/‎coderd/database/migrations/000350_remove_oauth2_callback_url.down.sql
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000350_remove_oauth2_callback_url.up.sql
Lines changed: 28 additions & 0 deletions b/‎coderd/database/migrations/000350_remove_oauth2_callback_url.up.sql
Lines changed: 28 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 6 additions & 7 deletions b/‎coderd/database/models.go
Lines changed: 6 additions & 7 deletions
@@ -355,10 +355,10 @@ func TemplateVersionParameterOptionFromPreview(option *previewtypes.ParameterOpt
 
 func OAuth2ProviderApp(accessURL *url.URL, dbApp database.OAuth2ProviderApp) codersdk.OAuth2ProviderApp {
 	return codersdk.OAuth2ProviderApp{
-		ID:          dbApp.ID,
-		Name:        dbApp.Name,
-		CallbackURL: dbApp.CallbackURL,
-		Icon:        dbApp.Icon,
+		ID:           dbApp.ID,
+		Name:         dbApp.Name,
+		RedirectURIs: dbApp.RedirectUris,
+		Icon:         dbApp.Icon,
 		Endpoints: codersdk.OAuth2AppEndpoints{
 			Authorization: accessURL.ResolveReference(&url.URL{
 				Path: "/oauth2/authorize",
 
@@ -5238,7 +5238,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 			ID:                      app.ID,
 			Name:                    app.Name,
 			Icon:                    app.Icon,
-			CallbackURL:             app.CallbackURL,
 			RedirectUris:            app.RedirectUris,
 			ClientType:              app.ClientType,
 			DynamicallyRegistered:   app.DynamicallyRegistered,
@@ -5280,7 +5279,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() {
 			ID:                      app.ID,
 			Name:                    app.Name,
 			Icon:                    app.Icon,
-			CallbackURL:             app.CallbackURL,
 			RedirectUris:            app.RedirectUris,
 			ClientType:              app.ClientType,
 			ClientSecretExpiresAt:   app.ClientSecretExpiresAt,
 
@@ -1156,8 +1156,7 @@ func OAuth2ProviderApp(t testing.TB, db database.Store, seed database.OAuth2Prov
 		CreatedAt:               takeFirst(seed.CreatedAt, dbtime.Now()),
 		UpdatedAt:               takeFirst(seed.UpdatedAt, dbtime.Now()),
 		Icon:                    takeFirst(seed.Icon, ""),
-		CallbackURL:             takeFirst(seed.CallbackURL, "http://localhost"),
-		RedirectUris:            takeFirstSlice(seed.RedirectUris, []string{}),
+		RedirectUris:            takeFirstSlice(seed.RedirectUris, []string{"http://localhost"}),
 		ClientType:              takeFirst(seed.ClientType, sql.NullString{String: "confidential", Valid: true}),
 		DynamicallyRegistered:   takeFirst(seed.DynamicallyRegistered, sql.NullBool{Bool: false, Valid: true}),
 		ClientIDIssuedAt:        takeFirst(seed.ClientIDIssuedAt, sql.NullTime{}),
 
@@ -0,0 +1,18 @@
+-- Reverse migration: restore callback_url column from redirect_uris
+
+-- Add back the callback_url column
+ALTER TABLE oauth2_provider_apps
+ADD COLUMN callback_url text;
+
+-- Populate callback_url from the first redirect_uri
+UPDATE oauth2_provider_apps
+SET callback_url = redirect_uris[1]
+WHERE redirect_uris IS NOT NULL AND array_length(redirect_uris, 1) > 0;
+
+-- Remove NOT NULL and CHECK constraints from redirect_uris (restore original state)
+ALTER TABLE oauth2_provider_apps
+DROP CONSTRAINT IF EXISTS oauth2_provider_apps_redirect_uris_nonempty;
+ALTER TABLE oauth2_provider_apps
+ALTER COLUMN redirect_uris DROP NOT NULL;
+
+COMMENT ON COLUMN oauth2_provider_apps.callback_url IS 'Legacy callback URL field (replaced by redirect_uris array)';
@@ -0,0 +1,28 @@
+-- Migrate from callback_url to redirect_uris as source of truth for OAuth2 apps
+-- RFC 6749 compliance: use array of redirect URIs instead of single callback URL
+
+-- Populate redirect_uris from callback_url where redirect_uris is empty or NULL.
+-- NULLIF is used to treat empty strings in callback_url as NULL.
+-- If callback_url is NULL or empty, this will result in redirect_uris
+-- being an array with a single NULL element. This is preferable to an empty
+-- array as it will pass a CHECK for array length > 0, enforcing that all
+-- apps have at least one URI entry, even if it's null.
+UPDATE oauth2_provider_apps
+SET redirect_uris = ARRAY[NULLIF(callback_url, '')]
+WHERE (redirect_uris IS NULL OR cardinality(redirect_uris) = 0);
+
+-- Add NOT NULL constraint to redirect_uris
+ALTER TABLE oauth2_provider_apps
+ALTER COLUMN redirect_uris SET NOT NULL;
+
+-- Add CHECK constraint to ensure redirect_uris is not empty.
+-- This prevents empty arrays, which could have been created by the old logic,
+-- and ensures data integrity going forward.
+ALTER TABLE oauth2_provider_apps
+ADD CONSTRAINT redirect_uris_not_empty CHECK (cardinality(redirect_uris) > 0);
+
+-- Drop the callback_url column entirely
+ALTER TABLE oauth2_provider_apps
+DROP COLUMN callback_url;
+
+COMMENT ON COLUMN oauth2_provider_apps.redirect_uris IS 'RFC 6749 compliant list of valid redirect URIs for the application';