Jul 1, 2024 · Jul 1, 2024 · Jul 1, 2024 · Jul 1, 2024 · Jul 1, 2024 · Jul 1, 2024
diff --git a/coderd/coderd.go b/coderd/coderd.go
 var globalHTTPSwaggerHandler http.HandlerFunc

 func init() {
 globalHTTPSwaggerHandler = httpSwagger.Handler(httpSwagger.URL("/swagger/doc.json"))
 globalHTTPSwaggerHandler = httpSwagger.Handler(
 httpSwagger.URL("/swagger/doc.json"),
 // The swagger UI has an "Authorize" button that will input the
 // credentials into the Coder-Session-Token header. This bypasses
 // CSRF checks **if** there is no cookie auth also present.
 // (If the cookie matches, then it's ok too)
 //
 // Because swagger is hosted on the same domain, we have the cookie
 // auth and the header auth competing. This can cause CSRF errors,
 // and can be confusing what authentication is being used.
 //
 // So remove authenticating via a cookie, and rely on the authorization
 // header passed in.
 httpSwagger.UIConfig(map[string]string{
 // Pulled from https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/
 // 'withCredentials' should disable fetch sending browser credentials, but
 // for whatever reason it does not.
 // So this `requestInterceptor` ensures browser credentials are
 // omitted from all requests.
 "requestInterceptor": `(a => {
 a.credentials = "omit";
 return a;
 })`,
 "withCredentials": "false",
 }))
 }

 var expDERPOnce = sync.Once{}
diff --git a/coderd/httpmw/csrf.go b/coderd/httpmw/csrf.go
 package httpmw

 import (
 "fmt"
 "net/http"
 "regexp"
 "strings"
 mw := nosurf.New(next)
 mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
 mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
 if err == nil && r.Header.Get(codersdk.SessionTokenHeader) != sessCookie.Value {
 // If a user is using header authentication and cookie auth, but the values
 // do not match, the cookie value takes priority.
 // At the very least, return a more helpful error to the user.
 http.Error(w,
 fmt.Sprintf("CSRF error encountered. Authentication via %q cookie and %q header detected, but the values do not match. "+
 "To resolve this issue ensure the values used in both match, or only use one of the authentication methods. "+
 "You can also try clearing your cookies if this error persists.",
 codersdk.SessionTokenCookie, codersdk.SessionTokenHeader),
 http.StatusBadRequest)
 return
 }

 http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
 }))
Original file line number	Diff line number	Diff line change
Expand Up		@@ -87,7 +87,31 @@ import (
		var globalHTTPSwaggerHandler http.HandlerFunc

		func init() {
		globalHTTPSwaggerHandler = httpSwagger.Handler(httpSwagger.URL("/swagger/doc.json"))
		globalHTTPSwaggerHandler = httpSwagger.Handler(
		httpSwagger.URL("/swagger/doc.json"),
		// The swagger UI has an "Authorize" button that will input the
		// credentials into the Coder-Session-Token header. This bypasses
		// CSRF checks if there is no cookie auth also present.
		// (If the cookie matches, then it's ok too)
		//
		// Because swagger is hosted on the same domain, we have the cookie
		// auth and the header auth competing. This can cause CSRF errors,
		// and can be confusing what authentication is being used.
		//
		// So remove authenticating via a cookie, and rely on the authorization
		// header passed in.
		httpSwagger.UIConfig(map[string]string{
Copy link Member aslilacJul 1, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. I hate that they use a`map[string]string` for this instead of a struct 😭 Copy link MemberAuthor EmyrkJul 1, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Not even a link to the docs 😢
		// Pulled from https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/
		// 'withCredentials' should disable fetch sending browser credentials, but
		// for whatever reason it does not.
		// So this `requestInterceptor` ensures browser credentials are
		// omitted from all requests.
		"requestInterceptor": `(a => {
		a.credentials = "omit";
		return a;
		})`,
Comment on lines +109 to +112 Copy link Member aslilacJul 1, 2024• edited Loading Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. their recommendation is just to embed javascript in a string??? I extra hate that Copy link MemberAuthor EmyrkJul 1, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Yea, it is a bit crazy:https://github.com/swaggo/http-swagger/blob/master/swagger.go#L24-L27
		"withCredentials": "false",
		}))
		}

		var expDERPOnce = sync.Once{}
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -1,6 +1,7 @@
		package httpmw

		import (
		"fmt"
		"net/http"
		"regexp"
		"strings"
Expand All		@@ -20,6 +21,20 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
		mw := nosurf.New(next)
		mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
		if err == nil && r.Header.Get(codersdk.SessionTokenHeader) != sessCookie.Value {
		// If a user is using header authentication and cookie auth, but the values
		// do not match, the cookie value takes priority.
		// At the very least, return a more helpful error to the user.
		http.Error(w,
		fmt.Sprintf("CSRF error encountered. Authentication via %q cookie and %q header detected, but the values do not match. "+
		"To resolve this issue ensure the values used in both match, or only use one of the authentication methods. "+
		"You can also try clearing your cookies if this error persists.",
		codersdk.SessionTokenCookie, codersdk.SessionTokenHeader),
		http.StatusBadRequest)
		return
		}

		http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
		}))

Expand Down