Movatterモバイル変換

Skip to content

coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitc24fac0

f0ssel

committed

Add test for query param session token

1 parentfb1ff80 commitc24fac0Copy full SHA for c24fac0

File tree

16 files changed

+69

-38

lines changed

16 files changed

+69

-38

lines changed

`‎coderd/httpmw/apikey.go`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,8 @@ import (`
`17`	`17`	`"github.com/coder/coder/coderd/httpapi"`
`18`	`18`	`)`
`19`	`19`
`20`		`-//AuthCookie represents the name of the cookie the API key is stored in.`
`21`		`-constAuthCookie="session_token"`
	`20`	`+//SessionTokenKey represents the name of the cookie or query paramater the API key is stored in.`
	`21`	`+constSessionTokenKey="session_token"`
`22`	`22`
`23`	`23`	`typeapiKeyContextKeystruct{}`
`24`	`24`
`@@ -44,23 +44,23 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h`
`44`	`44`	`returnfunc(next http.Handler) http.Handler {`
`45`	`45`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`46`	`46`	`varcookieValuestring`
`47`		`-cookie,err:=r.Cookie(AuthCookie)`
	`47`	`+cookie,err:=r.Cookie(SessionTokenKey)`
`48`	`48`	`iferr!=nil {`
`49`		`-cookieValue=r.URL.Query().Get(AuthCookie)`
	`49`	`+cookieValue=r.URL.Query().Get(SessionTokenKey)`
`50`	`50`	`}else {`
`51`	`51`	`cookieValue=cookie.Value`
`52`	`52`	`}`
`53`	`53`	`ifcookieValue=="" {`
`54`	`54`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`55`		`-Message:fmt.Sprintf("%q cookie or query parameter must be provided",AuthCookie),`
	`55`	`+Message:fmt.Sprintf("%q cookie or query parameter must be provided",SessionTokenKey),`
`56`	`56`	`})`
`57`	`57`	`return`
`58`	`58`	`}`
`59`	`59`	`parts:=strings.Split(cookieValue,"-")`
`60`	`60`	`// APIKeys are formatted: ID-SECRET`
`61`	`61`	`iflen(parts)!=2 {`
`62`	`62`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`63`		`-Message:fmt.Sprintf("invalid %q cookie api key format",AuthCookie),`
	`63`	`+Message:fmt.Sprintf("invalid %q cookie api key format",SessionTokenKey),`
`64`	`64`	`})`
`65`	`65`	`return`
`66`	`66`	`}`
`@@ -69,13 +69,13 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h`
`69`	`69`	`// Ensuring key lengths are valid.`
`70`	`70`	`iflen(keyID)!=10 {`
`71`	`71`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`72`		`-Message:fmt.Sprintf("invalid %q cookie api key id",AuthCookie),`
	`72`	`+Message:fmt.Sprintf("invalid %q cookie api key id",SessionTokenKey),`
`73`	`73`	`})`
`74`	`74`	`return`
`75`	`75`	`}`
`76`	`76`	`iflen(keySecret)!=22 {`
`77`	`77`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`78`		`-Message:fmt.Sprintf("invalid %q cookie api key secret",AuthCookie),`
	`78`	`+Message:fmt.Sprintf("invalid %q cookie api key secret",SessionTokenKey),`
`79`	`79`	`})`
`80`	`80`	`return`
`81`	`81`	`}`

`‎coderd/httpmw/apikey_test.go`

Lines changed: 42 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ func TestAPIKey(t *testing.T) {`
`56`	`56`	`rw=httptest.NewRecorder()`
`57`	`57`	`)`
`58`	`58`	`r.AddCookie(&http.Cookie{`
`59`		`-Name:httpmw.AuthCookie,`
	`59`	`+Name:httpmw.SessionTokenKey,`
`60`	`60`	`Value:"test-wow-hello",`
`61`	`61`	`})`
`62`	`62`
`@@ -74,7 +74,7 @@ func TestAPIKey(t *testing.T) {`
`74`	`74`	`rw=httptest.NewRecorder()`
`75`	`75`	`)`
`76`	`76`	`r.AddCookie(&http.Cookie{`
`77`		`-Name:httpmw.AuthCookie,`
	`77`	`+Name:httpmw.SessionTokenKey,`
`78`	`78`	`Value:"test-wow",`
`79`	`79`	`})`
`80`	`80`
`@@ -92,7 +92,7 @@ func TestAPIKey(t *testing.T) {`
`92`	`92`	`rw=httptest.NewRecorder()`
`93`	`93`	`)`
`94`	`94`	`r.AddCookie(&http.Cookie{`
`95`		`-Name:httpmw.AuthCookie,`
	`95`	`+Name:httpmw.SessionTokenKey,`
`96`	`96`	`Value:"testtestid-wow",`
`97`	`97`	`})`
`98`	`98`
`@@ -111,7 +111,7 @@ func TestAPIKey(t *testing.T) {`
`111`	`111`	`rw=httptest.NewRecorder()`
`112`	`112`	`)`
`113`	`113`	`r.AddCookie(&http.Cookie{`
`114`		`-Name:httpmw.AuthCookie,`
	`114`	`+Name:httpmw.SessionTokenKey,`
`115`	`115`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`116`	`116`	`})`
`117`	`117`
`@@ -130,7 +130,7 @@ func TestAPIKey(t *testing.T) {`
`130`	`130`	`rw=httptest.NewRecorder()`
`131`	`131`	`)`
`132`	`132`	`r.AddCookie(&http.Cookie{`
`133`		`-Name:httpmw.AuthCookie,`
	`133`	`+Name:httpmw.SessionTokenKey,`
`134`	`134`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`135`	`135`	`})`
`136`	`136`
`@@ -157,7 +157,7 @@ func TestAPIKey(t *testing.T) {`
`157`	`157`	`rw=httptest.NewRecorder()`
`158`	`158`	`)`
`159`	`159`	`r.AddCookie(&http.Cookie{`
`160`		`-Name:httpmw.AuthCookie,`
	`160`	`+Name:httpmw.SessionTokenKey,`
`161`	`161`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`162`	`162`	`})`
`163`	`163`
`@@ -182,7 +182,7 @@ func TestAPIKey(t *testing.T) {`
`182`	`182`	`rw=httptest.NewRecorder()`
`183`	`183`	`)`
`184`	`184`	`r.AddCookie(&http.Cookie{`
`185`		`-Name:httpmw.AuthCookie,`
	`185`	`+Name:httpmw.SessionTokenKey,`
`186`	`186`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`187`	`187`	`})`
`188`	`188`
`@@ -209,6 +209,37 @@ func TestAPIKey(t *testing.T) {`
`209`	`209`	`require.Equal(t,sentAPIKey.ExpiresAt,gotAPIKey.ExpiresAt)`
`210`	`210`	`})`
`211`	`211`
	`212`	`+t.Run("QueryParameter",func(t*testing.T) {`
	`213`	`+t.Parallel()`
	`214`	`+var (`
	`215`	`+db=databasefake.New()`
	`216`	`+id,secret=randomAPIKeyParts()`
	`217`	`+hashed=sha256.Sum256([]byte(secret))`
	`218`	`+r=httptest.NewRequest("GET","/",nil)`
	`219`	`+rw=httptest.NewRecorder()`
	`220`	`+)`
	`221`	`+q:=r.URL.Query()`
	`222`	`+q.Add(httpmw.SessionTokenKey,fmt.Sprintf("%s-%s",id,secret))`
	`223`	`+r.URL.RawQuery=q.Encode()`
	`224`	`+`
	`225`	`+_,err:=db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{`
	`226`	`+ID:id,`
	`227`	`+HashedSecret:hashed[:],`
	`228`	`+ExpiresAt:database.Now().AddDate(0,0,1),`
	`229`	`+})`
	`230`	`+require.NoError(t,err)`
	`231`	`+httpmw.ExtractAPIKey(db,nil)(http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
	`232`	`+// Checks that it exists on the context!`
	`233`	`+_=httpmw.APIKey(r)`
	`234`	`+httpapi.Write(rw,http.StatusOK, httpapi.Response{`
	`235`	`+Message:"it worked!",`
	`236`	`+})`
	`237`	`+})).ServeHTTP(rw,r)`
	`238`	`+res:=rw.Result()`
	`239`	`+deferres.Body.Close()`
	`240`	`+require.Equal(t,http.StatusOK,res.StatusCode)`
	`241`	`+})`
	`242`	`+`
`212`	`243`	`t.Run("ValidUpdateLastUsed",func(t*testing.T) {`
`213`	`244`	`t.Parallel()`
`214`	`245`	`var (`
`@@ -219,7 +250,7 @@ func TestAPIKey(t *testing.T) {`
`219`	`250`	`rw=httptest.NewRecorder()`
`220`	`251`	`)`
`221`	`252`	`r.AddCookie(&http.Cookie{`
`222`		`-Name:httpmw.AuthCookie,`
	`253`	`+Name:httpmw.SessionTokenKey,`
`223`	`254`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`224`	`255`	`})`
`225`	`256`
`@@ -252,7 +283,7 @@ func TestAPIKey(t *testing.T) {`
`252`	`283`	`rw=httptest.NewRecorder()`
`253`	`284`	`)`
`254`	`285`	`r.AddCookie(&http.Cookie{`
`255`		`-Name:httpmw.AuthCookie,`
	`286`	`+Name:httpmw.SessionTokenKey,`
`256`	`287`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`257`	`288`	`})`
`258`	`289`
`@@ -285,7 +316,7 @@ func TestAPIKey(t *testing.T) {`
`285`	`316`	`rw=httptest.NewRecorder()`
`286`	`317`	`)`
`287`	`318`	`r.AddCookie(&http.Cookie{`
`288`		`-Name:httpmw.AuthCookie,`
	`319`	`+Name:httpmw.SessionTokenKey,`
`289`	`320`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`290`	`321`	`})`
`291`	`322`
`@@ -319,7 +350,7 @@ func TestAPIKey(t *testing.T) {`
`319`	`350`	`rw=httptest.NewRecorder()`
`320`	`351`	`)`
`321`	`352`	`r.AddCookie(&http.Cookie{`
`322`		`-Name:httpmw.AuthCookie,`
	`353`	`+Name:httpmw.SessionTokenKey,`
`323`	`354`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`324`	`355`	`})`
`325`	`356`

`‎coderd/httpmw/authorize_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ func TestExtractUserRoles(t *testing.T) {`
`94`	`94`
`95`	`95`	`req:=httptest.NewRequest("GET","/",nil)`
`96`	`96`	`req.AddCookie(&http.Cookie{`
`97`		`-Name:httpmw.AuthCookie,`
	`97`	`+Name:httpmw.SessionTokenKey,`
`98`	`98`	`Value:token,`
`99`	`99`	`})`
`100`	`100`

`‎coderd/httpmw/organizationparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestOrganizationParam(t *testing.T) {`
`29`	`29`	`hashed=sha256.Sum256([]byte(secret))`
`30`	`30`	`)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/httpmw/templateparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestTemplateParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r:=httptest.NewRequest("GET","/",nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/httpmw/templateversionparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestTemplateVersionParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r:=httptest.NewRequest("GET","/",nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/httpmw/userparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestUserParam(t *testing.T) {`
`29`	`29`	`rw=httptest.NewRecorder()`
`30`	`30`	`)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/httpmw/workspaceagent.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,10 +28,10 @@ func WorkspaceAgent(r *http.Request) database.WorkspaceAgent {`
`28`	`28`	`funcExtractWorkspaceAgent(db database.Store)func(http.Handler) http.Handler {`
`29`	`29`	`returnfunc(next http.Handler) http.Handler {`
`30`	`30`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`31`		`-cookie,err:=r.Cookie(AuthCookie)`
	`31`	`+cookie,err:=r.Cookie(SessionTokenKey)`
`32`	`32`	`iferr!=nil {`
`33`	`33`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`34`		`-Message:fmt.Sprintf("%q cookie must be provided",AuthCookie),`
	`34`	`+Message:fmt.Sprintf("%q cookie must be provided",SessionTokenKey),`
`35`	`35`	`})`
`36`	`36`	`return`
`37`	`37`	`}`

`‎coderd/httpmw/workspaceagent_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ func TestWorkspaceAgent(t *testing.T) {`
`22`	`22`	`token:=uuid.New()`
`23`	`23`	`r:=httptest.NewRequest("GET","/",nil)`
`24`	`24`	`r.AddCookie(&http.Cookie{`
`25`		`-Name:httpmw.AuthCookie,`
	`25`	`+Name:httpmw.SessionTokenKey,`
`26`	`26`	`Value:token.String(),`
`27`	`27`	`})`
`28`	`28`	`returnr,token`

`‎coderd/httpmw/workspaceagentparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestWorkspaceAgentParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r:=httptest.NewRequest("GET","/",nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/httpmw/workspacebuildparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestWorkspaceBuildParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r:=httptest.NewRequest("GET","/",nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/httpmw/workspaceparam_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestWorkspaceParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r:=httptest.NewRequest("GET","/",nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`-Name:httpmw.AuthCookie,`
	`32`	`+Name:httpmw.SessionTokenKey,`
`33`	`33`	`Value:fmt.Sprintf("%s-%s",id,secret),`
`34`	`34`	`})`
`35`	`35`

`‎coderd/users.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -643,7 +643,7 @@ func (api) postLogout(rw http.ResponseWriter, _ http.Request) {`
`643`	`643`	`cookie:=&http.Cookie{`
`644`	`644`	`// MaxAge < 0 means to delete the cookie now`
`645`	`645`	`MaxAge:-1,`
`646`		`-Name:httpmw.AuthCookie,`
	`646`	`+Name:httpmw.SessionTokenKey,`
`647`	`647`	`Path:"/",`
`648`	`648`	`}`
`649`	`649`
`@@ -701,7 +701,7 @@ func (api api) createAPIKey(rw http.ResponseWriter, r http.Request, params dat`
`701`	`701`	`// This format is consumed by the APIKey middleware.`
`702`	`702`	`sessionToken:=fmt.Sprintf("%s-%s",keyID,keySecret)`
`703`	`703`	`http.SetCookie(rw,&http.Cookie{`
`704`		`-Name:httpmw.AuthCookie,`
	`704`	`+Name:httpmw.SessionTokenKey,`
`705`	`705`	`Value:sessionToken,`
`706`	`706`	`Path:"/",`
`707`	`707`	`HttpOnly:true,`

`‎coderd/users_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ func TestPostLogout(t *testing.T) {`
`122`	`122`	`cookies:=response.Cookies()`
`123`	`123`	`require.Len(t,cookies,1,"Exactly one cookie should be returned")`
`124`	`124`
`125`		`-require.Equal(t,cookies[0].Name,httpmw.AuthCookie,"Cookie should be the auth cookie")`
	`125`	`+require.Equal(t,cookies[0].Name,httpmw.SessionTokenKey,"Cookie should be the auth cookie")`
`126`	`126`	`require.Equal(t,cookies[0].MaxAge,-1,"Cookie should be set to delete")`
`127`	`127`	`})`
`128`	`128`	`}`

`‎codersdk/client.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ func (c *Client) request(ctx context.Context, method, path string, body interfac`
`64`	`64`	`returnnil,xerrors.Errorf("create request: %w",err)`
`65`	`65`	`}`
`66`	`66`	`req.AddCookie(&http.Cookie{`
`67`		`-Name:httpmw.AuthCookie,`
	`67`	`+Name:httpmw.SessionTokenKey,`
`68`	`68`	`Value:c.SessionToken,`
`69`	`69`	`})`
`70`	`70`	`ifbody!=nil {`
`@@ -99,7 +99,7 @@ func (c Client) websocket(ctx context.Context, path string) (websocket.Conn, e`
`99`	`99`	`}`
`100`	`100`	`apiURL.Path=path`
`101`	`101`	`q:=apiURL.Query()`
`102`		`-q.Add(httpmw.AuthCookie,c.SessionToken)`
	`102`	`+q.Add(httpmw.SessionTokenKey,c.SessionToken)`
`103`	`103`	`apiURL.RawQuery=q.Encode()`
`104`	`104`
`105`	`105`	`//nolint:bodyclose`

`‎codersdk/workspaceagents.go`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ func (c *Client) ListenWorkspaceAgent(ctx context.Context, logger slog.Logger) (`
`188`	`188`	`return agent.Metadata{},nil,xerrors.Errorf("create cookie jar: %w",err)`
`189`	`189`	`}`
`190`	`190`	`jar.SetCookies(serverURL, []*http.Cookie{{`
`191`		`-Name:httpmw.AuthCookie,`
	`191`	`+Name:httpmw.SessionTokenKey,`
`192`	`192`	`Value:c.SessionToken,`
`193`	`193`	`}})`
`194`	`194`	`httpClient:=&http.Client{`
`@@ -263,7 +263,7 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti`
`263`	`263`	`returnnil,xerrors.Errorf("create cookie jar: %w",err)`
`264`	`264`	`}`
`265`	`265`	`jar.SetCookies(serverURL, []*http.Cookie{{`
`266`		`-Name:httpmw.AuthCookie,`
	`266`	`+Name:httpmw.SessionTokenKey,`
`267`	`267`	`Value:c.SessionToken,`
`268`	`268`	`}})`
`269`	`269`	`httpClient:=&http.Client{`
`@@ -351,7 +351,7 @@ func (c *Client) WorkspaceAgentReconnectingPTY(ctx context.Context, agentID, rec`
`351`	`351`	`returnnil,xerrors.Errorf("create cookie jar: %w",err)`
`352`	`352`	`}`
`353`	`353`	`jar.SetCookies(serverURL, []*http.Cookie{{`
`354`		`-Name:httpmw.AuthCookie,`
	`354`	`+Name:httpmw.SessionTokenKey,`
`355`	`355`	`Value:c.SessionToken,`
`356`	`356`	`}})`
`357`	`357`	`httpClient:=&http.Client{`

0 commit comments

Comments

(0)

[8]ページ先頭

©2009-2025 Movatter.jp