mirror of
https://github.com/coder/coder.git
synced 2026-06-03 04:58:23 +00:00
Ethan
552f342a5b
## Context This commit is part of the fix for a downstream provider outage observed during `coderd_template` updates. Observed downstream symptoms (terraform-provider-coderd): - Template-version websocket log stream requests returned `401`: `GET /api/v2/templateversions/<id>/logs`. - In older provider code (`waitForJob`), stream-init errors could produce `(nil, nil, err)` and then trigger a nil dereference when `closer.Close()` was deferred before checking `err`. - Net effect: template update path crashed instead of returning a controlled provisioning error. That provider panic is being hardened in the provider repo separately (https://github.com/coder/terraform-provider-coderd/pull/308). This commit addresses the upstream SDK auth mismatch that caused the websocket `401` side of the chain. ## Root cause On deployments with host-prefixed cookie handling (dev.coder.com) enabled (`--host-prefix-cookie` / `EnableHostPrefix=true`), middleware rewrites cookie state to enforce prefixed auth cookies. For non-browser websocket clients that still sent unprefixed `coder_session_token` via cookie jars, this created an auth mismatch: - cookie-based credential expected by the client path, - but cookie normalization/stripping applied server-side, - resulting in no usable token at auth extraction time. ## Fix in this commit Apply the #22226 non-browser auth principle to remaining websocket callsites in `codersdk` by replacing cookie-jar session auth with header-token auth. _Generated with mux but reviewed by a human_