Description
Coder v2.13.0+56bf386 Tue Jul 2 17:54:06 UTC 2024
https://github.com/coder/coder/commit/56bf386b15128c986ad4172c1932c13bed626d58
Steps to Reproduce
1. Log in to Coder.
2. From the dev tools console, make a request like this, populating the values accordingly:

```js
await fetch("https://<coder-host>/api/v2/organizations/<organization-id>/members/<member-id>/workspaces", {
  "credentials": "include",
  "headers": {
    "Accept": "*/*",
    "Accept-Language": "en-GB,en;q=0.5",
    "Content-Type": "application/json",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin"
  },
  "body": "{\"name\":\"<template-name>\",\"template_id\":\"<template-id>\",\"rich_parameter_values\":[],\"parameter_values\":[]}",
  "method": "POST",
  "mode": "cors"
});
```
Expected
Should get a 201 response indicating the workspace is created.
Actual
Get a 400 server error response saying "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies."
Notes
We've a small JS application wrapping the Code server API to allow users to get a coder workspace direct from a link without having to interact with the code-server instance directly.
The JS app and code server are both behind the same reverse proxy, so are on the same origin.
When they visit the JS app in their browser, it checks if the user is logged in by attempting to retrieve the `/users/me` API endpoint. If it doesn't get a 200 response, it redirects them to `/users/oidc/callback?redirect=/app`.
It then makes a series of GET requests to collect information from the API, all of which work fine (e.g. organization, templates) before making the above POST request with the information populated.
This was working on coder 2.2.1, but we've just tried to update to 2.13.0 and have begun getting the CSRF token error on the POST request.
If you add the header `X-CSRF-TOKEN` with the value set to the value of the CSRF token cookie, the request succeeds.
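The behaviour described above (GETs pass, a cookie-authenticated POST is rejected until the CSRF cookie's value is echoed in `X-CSRF-TOKEN`) is what a double-submit cookie check looks like from both sides. The following is an added example, not code from the issue or from the Coder project: a client-side helper that copies the CSRF cookie into the header for same-origin state-changing requests, and a server-side check of the kind that produces the 400 above when the header is missing or does not match. `CSRF_COOKIE_NAME` is an assumed placeholder, not Coder's actual cookie name; the sample cookie jar is constructed.

```javascript
// Added example: double-submit cookie CSRF protection, client and server side.
// Not taken from the issue or from Coder's source.

const CSRF_COOKIE_NAME = "csrf_token"; // assumption: placeholder, not Coder's real cookie name
const CSRF_HEADER_NAME = "X-CSRF-TOKEN"; // header named in the report

// Parse a Cookie header / document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Client side: build headers for a same-origin JSON POST, echoing the CSRF
// cookie into the header. Returns null when no token is present so the caller
// can re-check the login state instead of sending a request that will get a 400.
function buildCsrfHeaders(cookieString) {
  const token = parseCookies(cookieString)[CSRF_COOKIE_NAME];
  if (!token) return null;
  return {
    "Content-Type": "application/json",
    [CSRF_HEADER_NAME]: token,
  };
}

// Server side: compare the two tokens without an early-exit timing leak.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: safe methods are exempt (the report's GETs succeed); any other
// method needs a cookie token and a matching header token.
function csrfCheckPasses(method, cookieHeader, headers) {
  if (["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase())) return true;
  const cookieToken = parseCookies(cookieHeader)[CSRF_COOKIE_NAME];
  const headerToken = headers[CSRF_HEADER_NAME] || headers[CSRF_HEADER_NAME.toLowerCase()];
  if (!cookieToken || !headerToken) return false;
  return constantTimeEqual(cookieToken, headerToken);
}

// Constructed sample cookie jar: a session cookie plus the CSRF cookie.
const SAMPLE_COOKIES = "session=sess-abc; csrf_token=tok-123";

// The two cases from the report: POST without the header, then with it.
function demo() {
  const withoutHeader = csrfCheckPasses("POST", SAMPLE_COOKIES, {
    "Content-Type": "application/json",
  });
  const withHeader = csrfCheckPasses("POST", SAMPLE_COOKIES, buildCsrfHeaders(SAMPLE_COOKIES));
  return { withoutHeader, withHeader };
}

console.log(demo()); // { withoutHeader: false, withHeader: true }
```

In a browser the client half would read `document.cookie` and spread `buildCsrfHeaders(document.cookie)` into the `headers` of the `fetch` call; the check only works if the CSRF cookie is readable by script, which is exactly why the workaround in the report succeeds.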