fix(coderd/workspaceapps): prevent race in workspace app audit session updates (#17020)

Fixes coder/internal#520

coderd/workspaceapps/db.go

@@ -447,16 +447,17 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
 			slog.F("status_code", statusCode),
 		)
 
-		var startedAt time.Time
+		var newOrStale bool
 		err := p.Database.InTx(func(tx database.Store) (err error) {
 			// nolint:gocritic // System context is needed to write audit sessions.
 			dangerousSystemCtx := dbauthz.AsSystemRestricted(ctx)
 
-			startedAt, err = tx.UpsertWorkspaceAppAuditSession(dangerousSystemCtx, database.UpsertWorkspaceAppAuditSessionParams{
+			newOrStale, err = tx.UpsertWorkspaceAppAuditSession(dangerousSystemCtx, database.UpsertWorkspaceAppAuditSessionParams{
 				// Config.
 				StaleIntervalMS: p.WorkspaceAppAuditSessionTimeout.Milliseconds(),
 
 				// Data.
+				ID:         uuid.New(),
 				AgentID:    aReq.dbReq.Agent.ID,
 				AppID:      aReq.dbReq.App.ID, // Can be unset, in which case uuid.Nil is fine.
 				UserID:     userID,            // Can be unset, in which case uuid.Nil is fine.
@@ -481,9 +482,9 @@ func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseW
 			return
 		}
 
-		if !startedAt.Equal(aReq.time) {
-			// If the unique session wasn't renewed, we don't want to log a new
-			// audit event for it.
+		if !newOrStale {
+			// We either didn't insert a new session, or the session
+			// didn't timeout due to inactivity.
 			return
 		}