From 2e51c8119469910fbfca4ce78cd41c7390cad9c8 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 27 May 2026 19:31:18 +0000
Subject: [PATCH] feat(coderd/x/nats): require client auth when
 ClusterAuthToken is set

---
 coderd/x/nats/server.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/coderd/x/nats/server.go b/coderd/x/nats/server.go
index b017c5bb5e..47194c8a75 100644
--- a/coderd/x/nats/server.go
+++ b/coderd/x/nats/server.go
@@ -34,6 +34,9 @@ func buildServerOptions(opts Options) (*natsserver.Options, error) {
 	sopts.DontListen = false
 	sopts.Host = "127.0.0.1"
 	sopts.Port = natsserver.RANDOM_PORT
+	if opts.ClusterAuthToken != "" {
+		sopts.Authorization = opts.ClusterAuthToken
+	}
 
 	if !opts.disableCluster {
 		clusterHost := opts.ClusterHost
@@ -94,6 +97,9 @@ func connectClient(ns *natsserver.Server, opts Options, handlers connHandlers, c
 	connOpts := []natsgo.Option{
 		natsgo.Name(connName),
 	}
+	if opts.ClusterAuthToken != "" {
+		connOpts = append(connOpts, natsgo.Token(opts.ClusterAuthToken))
+	}
 	if opts.ReconnectWait > 0 {
 		connOpts = append(connOpts, natsgo.ReconnectWait(opts.ReconnectWait))
 	}