* Allow hiding password entry, changing OpenID Connect text and OpenID Connect icon
* Docs
* Cleaning
* Fix Prettier and Go test and TS compile error
* Fix LoginPage test
* Prettier
* Fix storybook
* Add query param to un-hide password auth
* Cleaning
* Hide password by default when OIDC enabled
* Ran prettier, updated goldenfiles and ran "make gen"
* Fixed and added LoginPage test
* Ran prettier
* PR Feedback and split up SignInForm.tsx
* Updated golden files
* Fix auto-genned-files
* make gen -B
* Revert provisioner files?
* Fix lint error
---------
Co-authored-by: Kyle Carberry <kyle@coder.com>
This commit disables path-based app sharing by default. It is possible
for a workspace app on a path (not a subdomain) to make API requests to
the Coder API. When accessing your own workspace, this is not much of a
problem. When accessing a shared workspace app, the workspace owner
could include malicious javascript in the page that makes requests to
the Coder API on behalf of the visitor.
This vulnerability does not affect subdomain apps.
- Disables path-based app sharing by default. Previous behavior can be
restored using the `--dangerous-allow-path-app-sharing` flag which is
not recommended.
- Disables users with the site "owner" role from accessing path-based
apps from workspaces they do not own. Previous behavior can be
restored using the `--dangerous-allow-path-app-site-owner-access` flag
which is not recommended.
- Adds a flag `--disable-path-apps` which can be used by
security-conscious admins to disable all path-based apps across the
entire deployment. This check is enforced at app-access time, not at
template-ingest time.
- Deprecates the --experimental flag
- Adds a new flag --experiments which supports passing multiple comma-separated values or a wildcard value.
- Exposes a new endpoint /api/v2/experiments that returns the list of enabled experiments.
- Deprecates the field Features.Experimental in favour of this new API.
- Updates apidocgen to support type aliases (shoutout to @mtojek).
- Modifies apitypings to support generating slice types.
- Updates develop.sh to pass additional args after -- to $CODERD_SHIM.
* Adds a configuration knob CODER_OIDC_IGNORE_EMAIL_VERIFIED that allows
ignoring the email_verified OIDC claim
* Adds warning message at startup if CODER_OIDC_IGNORE_EMAIL_VERIFIED=true
* Adds warning whenever an unverified OIDC email is let through
* Skips flaky test on non-linux platforms
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Arthur Normand