coder

shishantbiswas/coder

Fork 0

mirror of https://github.com/coder/coder.git synced 2026-06-03 13:08:25 +00:00

Commit Graph

Author	SHA1	Message	Date
cryptoluks	fcf431c1d7	fix(coderd/workspaceapps): prefer app session cookie over Authorization (#22041 ) This PR fixes a workspace app authentication bug where requests that include an `Authorization` header (intended for the upstream app) can cause Coder to ignore the workspace app session cookie (`coder_subdomain_app_session_token_` / `coder_path_app_session_token`). When that happens, Coder fails to mint or renew `coder_signed_app_token` and redirects to `/api/v2/applications/auth-redirect` instead of proxying the request to the workspace. This commonly shows up when users run a frontend and backend in the same workspace and the backend requires `Authorization` (for example, `curl -H "Authorization: bearer ..."` or browser `fetch()` calls). Related issues / context: Primary bug report and repro: [https://github.com/coder/coder/issues/21467](https://github.com/coder/coder/issues/21467) * Related symptoms reported as CORS / redirect failures for workspace apps: * [https://github.com/coder/coder/issues/20667](https://github.com/coder/coder/issues/20667) * [https://github.com/coder/coder/issues/19728](https://github.com/coder/coder/issues/19728) ## Root Cause In `coderd/workspaceapps/cookies.go`, `AppCookies.TokenFromRequest` checked `httpmw.APITokenFromRequest(r)` first. That helper returns a token from several places, including `Authorization: Bearer ...`. As a result, when a request included an upstream `Authorization` header, that header value was returned as the “session token” for the app proxy, and `coder_subdomain_app_session_token_` was never read. Authentication then failed and the request was treated as signed out. ## Fix Change the precedence in `AppCookies.TokenFromRequest`: 1. First check the access-method-specific cookie: subdomain apps: `coder_subdomain_app_session_token_{hash}` * path apps: `coder_path_app_session_token` 2. If not present, fall back to `httpmw.APITokenFromRequest(r)` (so non-browser clients can still authenticate via query, header, or bearer tokens if they really want to). This ensures that: * Backend requests that require `Authorization` still reach the workspace. * `coder_signed_app_token` can be renewed from the app session cookie even when `Authorization` is present. * `Authorization` is still forwarded to the upstream app (the reverse proxy code does not strip it). Initially, I attempted workarounds ([https://github.com/coder/coder/issues/20667#issuecomment-3868578388](https://github.com/coder/coder/issues/20667#issuecomment-3868578388), [https://github.com/coder/coder/issues/19728#issuecomment-3868578093](https://github.com/coder/coder/issues/19728#issuecomment-3868578093)), but adding `/auth-redirect` to the permissive CORS paths and extending the validity of workspace app auth tokens from 1 minute to 1 hour only partially masked the issue. After workspace restarts and token expiry, I no longer saw CORS errors, but the tokens were still not renewed. After patching my local Nix-based setup on Coder v1.30.0 with this change, I can no longer observe this behavior.	2026-02-11 23:18:49 +11:00
Dean Sheather	42dd544d90	fix: use unique cookies for workspace proxies (#19930 ) There is currently an issue with subdomain workspace apps on workspace proxies, where if you have a workspace proxy wildcard nested beneath the primary wildcard, cookies from the primary may be sent to the server before cookies from the proxy specifically. Currently: 1. Use a subdomain app via the primary proxy `.coder.corp.com` a. Client sends no cookies a. Server does token smuggling flow a. Server sets a cookie `coder_subdomain_app_session_token` on `.coder.corp.com` a. Server redirects client to reload the page a. Request should succeed as usual 1. Wait until the primary proxy's session token cookie has expired in the database (or make it invalid yourself) 1. Use a subdomain app via a separate proxy `.sydney.coder.corp.com` a. Client sends `coder_subdomain_app_session_token` cookie from `.coder.corp.com` a. Server validates supplied cookie, it fails because it's expired a. Server does token smuggling flow a. Server sets a cookie `coder_subdomain_app_session_token` on `*.sydney.coder.corp.com` a. Server redirects client to reload page a. Client sends BOTH cookies. a. The server will only process the first cookie it receives, so if the expired cookie for the primary proxy is sent first the request will end up in a permanent loop on step b. The fix is to append `_{hash(wildcard_access_url)}` to the subdomain cookies as we cannot control browser behavior further. This avoids the conflict as each proxy will only read it's specific cookie.	2025-09-25 00:30:02 +10:00
Dean Sheather	5993f85ec9	fix: avoid redirect loop on workspace proxies (#9389 ) * fix: avoid redirect loop on workspace proxies --------- Co-authored-by: Steven Masley <stevenmasley@coder.com>	2023-08-28 20:34:52 -05:00

Author

SHA1

Message

Date

cryptoluks

fcf431c1d7

fix(coderd/workspaceapps): prefer app session cookie over Authorization (#22041 )

This PR fixes a workspace app authentication bug where requests that
include an `Authorization` header (intended for the upstream app) can
cause Coder to ignore the workspace app session cookie
(`coder_subdomain_app_session_token_*` /
`coder_path_app_session_token`). When that happens, Coder fails to mint
or renew `coder_signed_app_token` and redirects to
`/api/v2/applications/auth-redirect` instead of proxying the request to
the workspace.

This commonly shows up when users run a frontend and backend in the same
workspace and the backend requires `Authorization` (for example, `curl
-H "Authorization: bearer ..."` or browser `fetch()` calls).

Related issues / context:

* Primary bug report and repro:
[https://github.com/coder/coder/issues/21467](https://github.com/coder/coder/issues/21467)
* Related symptoms reported as CORS / redirect failures for workspace
apps:

*
[https://github.com/coder/coder/issues/20667](https://github.com/coder/coder/issues/20667)
*
[https://github.com/coder/coder/issues/19728](https://github.com/coder/coder/issues/19728)

## Root Cause

In `coderd/workspaceapps/cookies.go`, `AppCookies.TokenFromRequest`
checked `httpmw.APITokenFromRequest(r)` first. That helper returns a
token from several places, including `Authorization: Bearer ...`.

As a result, when a request included an upstream `Authorization` header,
that header value was returned as the “session token” for the app proxy,
and `coder_subdomain_app_session_token_*` was never read. Authentication
then failed and the request was treated as signed out.

## Fix

Change the precedence in `AppCookies.TokenFromRequest`:

1. First check the access-method-specific cookie:

* subdomain apps: `coder_subdomain_app_session_token_{hash}`
* path apps: `coder_path_app_session_token`
2. If not present, fall back to `httpmw.APITokenFromRequest(r)` (so
non-browser clients can still authenticate via query, header, or bearer
tokens if they really want to).

This ensures that:

* Backend requests that require `Authorization` still reach the
workspace.
* `coder_signed_app_token` can be renewed from the app session cookie
even when `Authorization` is present.
* `Authorization` is still forwarded to the upstream app (the reverse
proxy code does not strip it).

Initially, I attempted workarounds
([https://github.com/coder/coder/issues/20667#issuecomment-3868578388](https://github.com/coder/coder/issues/20667#issuecomment-3868578388),
[https://github.com/coder/coder/issues/19728#issuecomment-3868578093](https://github.com/coder/coder/issues/19728#issuecomment-3868578093)),
but adding `/auth-redirect` to the permissive CORS paths and extending
the validity of workspace app auth tokens from 1 minute to 1 hour only
partially masked the issue. After workspace restarts and token expiry, I
no longer saw CORS errors, but the tokens were still not renewed.

After patching my local Nix-based setup on Coder v1.30.0 with this
change, I can no longer observe this behavior.

2026-02-11 23:18:49 +11:00

Dean Sheather

42dd544d90

fix: use unique cookies for workspace proxies (#19930 )

There is currently an issue with subdomain workspace apps on workspace
proxies, where if you have a workspace proxy wildcard nested beneath the
primary wildcard, cookies from the primary may be sent to the server
before cookies from the proxy specifically.

Currently:
1. Use a subdomain app via the primary proxy `*.coder.corp.com`
    a. Client sends no cookies
    a. Server does token smuggling flow
a. Server sets a cookie `coder_subdomain_app_session_token` on
`*.coder.corp.com`
    a. Server redirects client to reload the page
    a. Request should succeed as usual
1. Wait until the primary proxy's session token cookie has expired in
the database (or make it invalid yourself)
1. Use a subdomain app via a separate proxy `*.sydney.coder.corp.com`
a. Client sends `coder_subdomain_app_session_token` cookie from
`*.coder.corp.com`
    a. Server validates supplied cookie, it fails because it's expired
    a. Server does token smuggling flow
a. Server sets a cookie `coder_subdomain_app_session_token` on
`*.sydney.coder.corp.com`
    a. Server redirects client to reload page
    a. Client sends BOTH cookies.
a. The server will only process the first cookie it receives, so if the
expired cookie for the primary proxy is sent first the request will end
up in a permanent loop on step b.

The fix is to append `_{hash(wildcard_access_url)}` to the subdomain
cookies as we cannot control browser behavior further. This avoids the
conflict as each proxy will only read it's specific cookie.

2025-09-25 00:30:02 +10:00

Dean Sheather

5993f85ec9

fix: avoid redirect loop on workspace proxies (#9389 )

* fix: avoid redirect loop on workspace proxies

---------

Co-authored-by: Steven Masley <stevenmasley@coder.com>

2023-08-28 20:34:52 -05:00

3 Commits