oxidecomputer · david-crespo · Jul 7, 2022 · Jul 6, 2022 · Jul 7, 2022 · Jul 7, 2022
diff --git a/nexus/src/external_api/console_api.rs b/nexus/src/external_api/console_api.rs
@@ -619,6 +619,17 @@ pub async fn console_settings_page(
     console_index_or_login_redirect(rqctx).await
 }
 
+#[endpoint {
+   method = GET,
+   path = "/",
+   unpublished = true,
+}]
+pub async fn console_root(
+    rqctx: Arc<RequestContext<Arc<ServerContext>>>,
+) -> Result<Response<Body>, HttpError> {
+    console_index_or_login_redirect(rqctx).await
+}
+
 /// Make a new PathBuf with `.gz` on the end
 fn with_gz_ext(path: &PathBuf) -> PathBuf {
     let mut new_path = path.clone();

diff --git a/nexus/src/external_api/device_auth.rs b/nexus/src/external_api/device_auth.rs
@@ -15,7 +15,7 @@ use crate::context::OpContext;
 use crate::db::model::DeviceAccessToken;
 use crate::ServerContext;
 use dropshot::{
-    endpoint, HttpError, HttpResponseOk, Query, RequestContext, TypedBody,
+    endpoint, HttpError, HttpResponseOk, RequestContext, TypedBody,
 };
 use http::{header, Response, StatusCode};
 use hyper::Body;
@@ -121,11 +121,10 @@ pub struct DeviceAuthVerify {
 #[endpoint {
     method = GET,
     path = "/device/verify",
-    tags = ["hidden"], // "token"
+    unpublished = true,
 }]
 pub async fn device_auth_verify(
     rqctx: Arc<RequestContext<Arc<ServerContext>>>,
-    _params: Query<DeviceAuthVerify>,
 ) -> Result<Response<Body>, HttpError> {
     console_index_or_login_redirect(rqctx).await
 }

diff --git a/nexus/src/external_api/http_entrypoints.rs b/nexus/src/external_api/http_entrypoints.rs
@@ -219,6 +219,8 @@ pub fn external_api() -> NexusApiDescription {
         api.register(console_api::session_me)?;
         api.register(console_api::logout)?;
         api.register(console_api::console_page)?;
+        api.register(console_api::console_root)?;
+        api.register(console_api::console_settings_page)?;
         api.register(console_api::asset)?;
 
         api.register(console_api::login)?;

diff --git a/nexus/tests/integration_tests/console_api.rs b/nexus/tests/integration_tests/console_api.rs
@@ -158,10 +158,18 @@ async fn test_console_pages(cptestctx: &ControlPlaneTestContext) {
 
     let session_token = log_in_and_extract_token(&testctx).await;
 
-    // hit console page with session, should get back HTML response
-    let console_page =
-        RequestBuilder::new(&testctx, Method::GET, "/orgs/irrelevant-path")
-            .header(http::header::COOKIE, session_token)
+    // hit console pages with session, should get back HTML response
+    let console_paths = &[
+        "/",
+        "/orgs/irrelevant-path",
+        "/settings/irrelevant-path",
+        "/device/success",
+        "/device/verify",
+    ];
+
+    for path in console_paths {
+        let console_page = RequestBuilder::new(&testctx, Method::GET, path)
+            .header(http::header::COOKIE, session_token.clone())
             .expect_status(Some(StatusCode::OK))
             .expect_response_header(
                 http::header::CONTENT_TYPE,
@@ -171,7 +179,8 @@ async fn test_console_pages(cptestctx: &ControlPlaneTestContext) {
             .await
             .expect("failed to get console index");
 
-    assert_eq!(console_page.body, "<html></html>".as_bytes());
+        assert_eq!(console_page.body, "<html></html>".as_bytes());
+    }
 }
 
 #[nexus_test]

diff --git a/nexus/tests/output/nexus_tags.txt b/nexus/tests/output/nexus_tags.txt
@@ -17,7 +17,6 @@ OPERATION ID                             URL PATH
 device_access_token                      /device/token
 device_auth_confirm                      /device/confirm
 device_auth_request                      /device/auth
-device_auth_verify                       /device/verify
 logout                                   /logout
 session_me                               /session/me
 spoof_login                              /login

diff --git a/nexus/tests/output/uncovered-authz-endpoints.txt b/nexus/tests/output/uncovered-authz-endpoints.txt
@@ -1,6 +1,5 @@
 API endpoints with no coverage in authz tests:
 session_sshkey_delete                    (delete "/session/me/sshkeys/{ssh_key_name}")
-device_auth_verify                       (get    "/device/verify")
 login                                    (get    "/login/{silo_name}/{provider_name}")
 session_me                               (get    "/session/me")
 session_sshkey_list                      (get    "/session/me/sshkeys")

diff --git a/openapi/nexus.json b/openapi/nexus.json
@@ -112,37 +112,6 @@
         }
       }
     },
-    "/device/verify": {
-      "get": {
-        "tags": [
-          "hidden"
-        ],
-        "summary": "Verify an OAuth 2.0 Device Authorization Grant",
-        "description": "This endpoint should be accessed in a full user agent (e.g., a browser). If the user is not logged in, we redirect them to the login page and use the `state` parameter to get them back here on completion. If they are logged in, serve up the console verification page so they can verify the user code.",
-        "operationId": "device_auth_verify",
-        "parameters": [
-          {
-            "in": "query",
-            "name": "user_code",
-            "required": true,
-            "schema": {
-              "type": "string"
-            },
-            "style": "form"
-          }
-        ],
-        "responses": {
-          "default": {
-            "description": "",
-            "content": {
-              "*/*": {
-                "schema": {}
-              }
-            }
-          }
-        }
-      }
-    },
     "/hardware/racks": {
       "get": {
         "tags": [