Skip to content

Commit 96c83c7

Browse files
EmyrkEmyrk
authored
Merge branch 'main' into stevenmasley/preview_errors
2 parents a87678d + 09c5055 commit 96c83c7

File tree

16 files changed

+1015
-4
lines changed

16 files changed

+1015
-4
lines changed

coderd/apidoc/docs.go

Lines changed: 46 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/apidoc/swagger.json

Lines changed: 42 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/coderd.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -914,6 +914,8 @@ func New(options *Options) *API {
914914

915915
// OAuth2 metadata endpoint for RFC 8414 discovery
916916
r.Get("/.well-known/oauth-authorization-server", api.oauth2AuthorizationServerMetadata)
917+
// OAuth2 protected resource metadata endpoint for RFC 9728 discovery
918+
r.Get("/.well-known/oauth-protected-resource", api.oauth2ProtectedResourceMetadata)
917919

918920
// OAuth2 linking routes do not make sense under the /api/v2 path. These are
919921
// for an external application to use Coder as an OAuth2 provider, not for

coderd/httpmw/apikey.go

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -214,6 +214,31 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
214214
return nil, nil, false
215215
}
216216

217+
// Add WWW-Authenticate header for 401/403 responses (RFC 6750)
218+
if code == http.StatusUnauthorized || code == http.StatusForbidden {
219+
var wwwAuth string
220+
221+
switch code {
222+
case http.StatusUnauthorized:
223+
// Map 401 to invalid_token with specific error descriptions
224+
switch {
225+
case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"):
226+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
227+
case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"):
228+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
229+
default:
230+
wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
231+
}
232+
case http.StatusForbidden:
233+
// Map 403 to insufficient_scope per RFC 6750
234+
wwwAuth = `Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
235+
default:
236+
wwwAuth = `Bearer realm="coder"`
237+
}
238+
239+
rw.Header().Set("WWW-Authenticate", wwwAuth)
240+
}
241+
217242
httpapi.Write(ctx, rw, code, response)
218243
return nil, nil, false
219244
}
@@ -653,9 +678,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
653678
// 1: The cookie
654679
// 2. The coder_session_token query parameter
655680
// 3. The custom auth header
681+
// 4. RFC 6750 Authorization: Bearer header
682+
// 5. RFC 6750 access_token query parameter
656683
//
657684
// API tokens for apps are read from workspaceapps/cookies.go.
658685
func APITokenFromRequest(r *http.Request) string {
686+
// Prioritize existing Coder custom authentication methods first
687+
// to maintain backward compatibility and existing behavior
688+
659689
cookie, err := r.Cookie(codersdk.SessionTokenCookie)
660690
if err == nil && cookie.Value != "" {
661691
return cookie.Value
@@ -671,6 +701,19 @@ func APITokenFromRequest(r *http.Request) string {
671701
return headerValue
672702
}
673703

704+
// RFC 6750 Bearer Token support (added as fallback methods)
705+
// Check Authorization: Bearer <token> header (case-insensitive per RFC 6750)
706+
authHeader := r.Header.Get("Authorization")
707+
if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
708+
return authHeader[7:] // Skip "Bearer " (7 characters)
709+
}
710+
711+
// Check access_token query parameter
712+
accessToken := r.URL.Query().Get("access_token")
713+
if accessToken != "" {
714+
return accessToken
715+
}
716+
674717
return ""
675718
}
676719

coderd/httpmw/csrf.go

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,12 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
102102
return true
103103
}
104104

105+
// RFC 6750 Bearer Token authentication is exempt from CSRF
106+
// as it uses custom headers that cannot be set by malicious sites
107+
if authHeader := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
108+
return true
109+
}
110+
105111
// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
106112
// This is the CSRF check.
107113
sent := r.Header.Get("X-CSRF-TOKEN")

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy