move OAuth route to project group (#473)

MichaelClifford · web-flow · commit f5fac44bf053 · 2025-12-17T13:47:04.000-06:00
Signed-off-by: Michael Clifford &lt;mcliffor@redhat.com&gt;
diff --git a/components/backend/handlers/oauth.go b/components/backend/handlers/oauth.go
@@ -105,6 +105,35 @@ func GetOAuthURL(c *gin.Context) {
 		providerName = "google"
 	}
 
+	// Verify user has access to the session using user token
+	reqK8s, reqDyn := GetK8sClientsForRequest(c)
+	if reqK8s == nil {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid or missing token"})
+		return
+	}
+
+	// Verify session exists and user has access
+	gvr := schema.GroupVersionResource{
+		Group:    "vteam.ambient-code",
+		Version:  "v1alpha1",
+		Resource: "agenticsessions",
+	}
+
+	_, err := reqDyn.Resource(gvr).Namespace(projectName).Get(context.Background(), sessionName, v1.GetOptions{})
+	if errors.IsNotFound(err) {
+		c.JSON(http.StatusNotFound, gin.H{"error": "Session not found"})
+		return
+	}
+	if errors.IsForbidden(err) {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Access denied to session"})
+		return
+	}
+	if err != nil {
+		log.Printf("Failed to get session %s/%s: %v", projectName, sessionName, err)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to verify session"})
+		return
+	}
+
 	// Get OAuth provider config
 	provider, err := getOAuthProvider(providerName)
 	if err != nil {
diff --git a/components/backend/routes.go b/components/backend/routes.go
@@ -35,10 +35,6 @@ func registerRoutes(r *gin.Engine) {
 
 		api.POST("/projects/:projectName/agentic-sessions/:sessionName/github/token", handlers.MintSessionGitHubToken)
 
-		// OAuth integration endpoints (no auth required - called by external OAuth providers)
-		// OAuth URL generation endpoint - returns signed OAuth URL with HMAC-protected state
-		api.GET("/projects/:projectName/agentic-sessions/:sessionName/oauth/:provider/url", handlers.GetOAuthURL)
-
 		projectGroup := api.Group("/projects/:projectName", handlers.ValidateProjectContext())
 		{
 			projectGroup.GET("/access", handlers.AccessCheck)
@@ -84,6 +80,9 @@ func registerRoutes(r *gin.Engine) {
 			projectGroup.DELETE("/agentic-sessions/:sessionName/repos/:repoName", handlers.RemoveRepo)
 			projectGroup.PUT("/agentic-sessions/:sessionName/displayname", handlers.UpdateSessionDisplayName)
 
+			// OAuth integration - requires user auth like all other session endpoints
+			projectGroup.GET("/agentic-sessions/:sessionName/oauth/:provider/url", handlers.GetOAuthURL)
+
 			projectGroup.GET("/sessions/:sessionId/ws", websocket.HandleSessionWebSocket)
 			projectGroup.GET("/sessions/:sessionId/messages", websocket.GetSessionMessagesWS)
 			// Removed: /messages/claude-format - Using SDK's built-in resume with persisted ~/.claude state
