shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-04 21:48:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
14,004 Commits 1,146 Branches 344 Tags
f009c17217e6bad9a61ba511d23735bc1ce94da0
Commit Graph

4 Commits

Author SHA1 Message Date
Cian Johnston df1bfe6479 feat: audit user secret create, update, and delete (#24756) (#24849) 
Emit user secret audit log entries for create/update/delete operations.
Reads stay un-audited, matching every other resource.

Audit log entries record changes in user secret name, environment
variable name, file path, and value. The secret value column is marked
`ActionSecret` so the diff records the change without showing the
ciphertext or plaintext.

Closes a TOCTOU window on delete to ensure no phantom audit logs for a
delete of a non-existent secret. Secret update accepts a small TOCTOU
window matching the other audited resources (templates, workspaces,
chats). The two-query pattern is wrapped in a transaction so audit state
can't leak from a failed mutation.

(cherry picked from commit 1c30d52b2b)

<!--

If you have used AI to produce some or all of this PR, please ensure you
have read our [AI Contribution
guidelines](https://coder.com/docs/about/contributing/AI_CONTRIBUTING)
before submitting.

-->

Co-authored-by: Zach <3724288+zedkipp@users.noreply.github.com>
 2026-04-30 21:01:27 +01:00
Zach 0832033a73 fix: relax secrets env var denylist for model providers (#24344) 
Previously we reserved some env vars that may collide with AI gateway.
These were incomplete and take away flexibility from the user, which
we're prioritizing in the first iteration of the feature.
 2026-04-14 12:44:55 -06:00
Zach 4854f33678 feat: add secret value and file path validation (#24269) 
Add secret value validation to reject null bytes and values exceeding 32KB.
The 32KB limit applies uniformly to both env var and file secrets because the
value field is shared and the destination can change after creation.

Add file path validation to also reject null bytes and paths exceeding 4096
bytes.

Wire up secret value validation into both POST and PATCH handlers.
 2026-04-13 07:24:34 -06:00
Zach 95cff8c5fb feat: add REST API handlers and client methods for user secrets (#24107) 
Add the five REST endpoints for managing user secrets, SDK client
methods, and handler tests.

Endpoints:
- `POST /api/v2/users/{user}/secrets`
- `GET /api/v2/users/{user}/secrets`
- `GET /api/v2/users/{user}/secrets/{name}`
- `PATCH /api/v2/users/{user}/secrets/{name}`
- `DELETE /api/v2/users/{user}/secrets/{name}`

Routes are registered under the existing `/{user}` group with
`ExtractUserParam`. The delete query was changed from `:exec` to
`:execrows` so the handler can distinguish "not found" from success
(DELETE with `:exec` silently returns nil for zero affected rows).
 2026-04-09 12:12:55 -06:00