const (// Server headers.AccessControlAllowOriginHeader      = "Access-Control-Allow-Origin"AccessControlAllowCredentialsHeader = "Access-Control-Allow-Credentials"AccessControlAllowMethodsHeader     = "Access-Control-Allow-Methods"AccessControlAllowHeadersHeader     = "Access-Control-Allow-Headers"VaryHeader                          = "Vary"// Client headers.OriginHeader                      = "Origin"AccessControlRequestMethodsHeader = "Access-Control-Request-Methods"AccessControlRequestHeadersHeader = "Access-Control-Request-Headers")

const (SignedOutErrorMessage = "You are signed out or your session has expired. Please sign in again to continue.")

const (// WorkspaceProxyAuthTokenHeader is the auth header used for requests from// external workspace proxies.//// The format of an external proxy token is://     <proxy id>:<proxy secret>////nolint:gosecWorkspaceProxyAuthTokenHeader = "Coder-External-Proxy-Token")

funcAPIKey¶

func APIKey(r *http.Request)database.APIKey

APIKey returns the API key from the ExtractAPIKey handler.

funcAPIKeyFromRequest¶

func APIKeyFromRequest(ctxcontext.Context, dbdatabase.Store, sessionTokenFunc func(r *http.Request)string, r *http.Request) (*database.APIKey,codersdk.Response,bool)

funcAPIKeyOptional¶

func APIKeyOptional(r *http.Request) (database.APIKey,bool)

APIKeyOptional may return an API key from the ExtractAPIKey handler.

funcAPITokenFromRequest¶

func APITokenFromRequest(r *http.Request)string

APITokenFromRequest returns the api token from the request.Find the session token from:1: The cookie2. The coder_session_token query parameter3. The custom auth header

API tokens for apps are read from workspaceapps/cookies.go.

funcAsAuthzSystem¶

func AsAuthzSystem(mws ...func(http.Handler)http.Handler) func(http.Handler)http.Handler

AsAuthzSystem is a chained handler that temporarily sets the dbauthz contextto System for the inner handlers, and resets the context afterwards.

TODO: Refactor the middleware functions to not require this.This is a bit of a kludge for now as some middleware functions requireusage as a system user in some cases, but not all cases. To avoid largerefactors, we use this middleware to temporarily set the context to a system.

funcAttachRequestID¶

func AttachRequestID(nexthttp.Handler)http.Handler

AttachRequestID adds a request ID to each HTTP request.

funcCSPHeaders¶

func CSPHeaders(telemetrybool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(nexthttp.Handler)http.Handler

CSPHeaders returns a middleware that sets the Content-Security-Policy headerfor coderd.

Arguments:

• websocketHosts: a function that returns a list of supported external websocket hosts.This is to support the terminal connecting to a workspace proxy.The origin of the terminal request does not match the url of the proxy,so the CSP list of allowed hosts must be dynamic and match the currentavailable proxy urls.
• staticAdditions: a map of CSP directives to append to the default CSP headers.Used to allow specific static additions to the CSP headers. Allows some nicheuse cases, such as embedding Coder in an iframe.Example:https://github.com/coder/coder/issues/15118

funcCSRF¶

func CSRF(cookieCfgcodersdk.HTTPCookieConfig) func(nexthttp.Handler)http.Handler

CSRF is a middleware that verifies that a CSRF token is present in the requestfor non-GET requests.If enforce is false, then CSRF enforcement is disabled. We still wantto include the CSRF middleware because it will set the CSRF cookie.

funcChatParam¶added inv2.23.0

func ChatParam(r *http.Request)database.Chat

funcCors¶

func Cors(allowAllbool, origins ...string) func(nexthttp.Handler)http.Handler

funcCustomRedirectToLogin¶added inv2.5.0

func CustomRedirectToLogin(rwhttp.ResponseWriter, r *http.Request, redirectstring, messagestring, codeint)

CustomRedirectToLogin redirects the user to the login page with the `message` and`redirect` query parameters set, with a provided code

funcEnsureXForwardedForHeader¶

func EnsureXForwardedForHeader(req *http.Request)error

EnsureXForwardedForHeader ensures that the request has an X-Forwarded-Forheader. It uses the following logic:

1. If we have a direct connection (remoteAddr == proxyAddr), thenset it to remoteAddr
2. If we have a proxied connection (remoteAddr != proxyAddr) andX-Forwarded-For doesn't begin with remoteAddr, then overwriteit with remoteAddr,proxyAddr
3. If we have a proxied connection (remoteAddr != proxyAddr) andX-Forwarded-For begins with remoteAddr, then append proxyAddrto the original X-Forwarded-For header
4. If X-Forwarded-Proto is not set, then it will be set to "https"if req.TLS != nil, otherwise it will be set to "http"

funcExternalAuthParam¶added inv2.2.1

func ExternalAuthParam(r *http.Request) *externalauth.Config

funcExtractAPIKey¶

func ExtractAPIKey(rwhttp.ResponseWriter, r *http.Request, cfgExtractAPIKeyConfig) (*database.APIKey, *rbac.Subject,bool)

ExtractAPIKey requires authentication using a valid API key. It handlesextending an API key if it comes close to expiry, updating the last used timein the database.

If the configuration specifies that the API key is optional, a nil API keyand authz object may be returned. False is returned if a response was writtento the request and the caller should give up.nolint:revive

funcExtractAPIKeyMW¶

func ExtractAPIKeyMW(cfgExtractAPIKeyConfig) func(http.Handler)http.Handler

ExtractAPIKeyMW calls ExtractAPIKey with the given config on each request,storing the result in the request context.

funcExtractChatParam¶added inv2.23.0

func ExtractChatParam(dbdatabase.Store) func(http.Handler)http.Handler

funcExtractExternalAuthParam¶added inv2.2.1

func ExtractExternalAuthParam(configs []*externalauth.Config) func(nexthttp.Handler)http.Handler

funcExtractGroupByNameParam¶

func ExtractGroupByNameParam(dbdatabase.Store) func(http.Handler)http.Handler

funcExtractGroupParam¶

func ExtractGroupParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtraGroupParam grabs a group from the "group" URL parameter.

funcExtractNotificationTemplateParam¶added inv2.15.0

func ExtractNotificationTemplateParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractNotificationTemplateParam grabs a notification template from the "notification_template" URL parameter.

funcExtractOAuth2¶

func ExtractOAuth2(configpromoauth.OAuth2Config, client *http.Client, cookieCfgcodersdk.HTTPCookieConfig, authURLOpts map[string]string) func(http.Handler)http.Handler

ExtractOAuth2 is a middleware for automatically redirecting to OAuthURLs, and handling the exchange inbound. Any route that does not havea "code" URL parameter will be redirected.AuthURLOpts are passed to the AuthCodeURL function. If this is nil,the default option oauth2.AccessTypeOffline will be used.

funcExtractOAuth2ProviderApp¶added inv2.6.0

func ExtractOAuth2ProviderApp(dbdatabase.Store) func(http.Handler)http.Handler

ExtractOAuth2ProviderApp grabs an OAuth2 app from the "app" URL parameter. Thismiddleware requires the API key middleware higher in the call stack forauthentication.

funcExtractOAuth2ProviderAppSecret¶added inv2.6.0

func ExtractOAuth2ProviderAppSecret(dbdatabase.Store) func(http.Handler)http.Handler

ExtractOAuth2ProviderAppSecret grabs an OAuth2 app secret from the "app" and"secret" URL parameters. This middleware requires the ExtractOAuth2ProviderAppmiddleware higher in the stack

funcExtractOrganizationMember¶added inv2.23.0

func ExtractOrganizationMember(ctxcontext.Context, auth func(r *http.Request, actionpolicy.Action, objectrbac.Objecter)bool, rwhttp.ResponseWriter, r *http.Request, dbdatabase.Store, orgIDuuid.UUID) (*database.User, []database.OrganizationMembersRow,bool)

ExtractOrganizationMember extracts all user memberships from the "user" URLparameter. If orgID is uuid.Nil, then it will return all memberships for theuser, otherwise it will only return memberships to the org.

If `user` is returned, that means the caller can use the data. This is returned becauseit is possible to have a user with 0 organizations. So the user != nil, with 0 memberships.

funcExtractOrganizationMemberParam¶

func ExtractOrganizationMemberParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter.This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack

funcExtractOrganizationMembersParam¶added inv2.23.0

func ExtractOrganizationMembersParam(dbdatabase.Store, auth func(r *http.Request, actionpolicy.Action, objectrbac.Objecter)bool) func(http.Handler)http.Handler

ExtractOrganizationMembersParam grabs all user organization memberships.Only requires the "user" URL parameter.

Use this if you want to grab as much information for a user as you can.From an organization context, site wide user information might not available.

funcExtractOrganizationParam¶

func ExtractOrganizationParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractOrganizationParam grabs an organization from the "organization" URL parameter.This middleware requires the API key middleware higher in the call stack for authentication.

funcExtractProvisionerDaemonAuthenticated¶added inv2.9.0

func ExtractProvisionerDaemonAuthenticated(optsExtractProvisionerAuthConfig) func(nexthttp.Handler)http.Handler

ExtractProvisionerDaemonAuthenticated authenticates a request as a provisioner daemon.If the request is not authenticated, the next handler is called unless Optional is true.This function currently is tested inside the enterprise package.

funcExtractProvisionerKeyParam¶added inv2.14.0

func ExtractProvisionerKeyParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractProvisionerKeyParam extracts a provisioner key from a name in the {provisionerKey} URLparameter.

funcExtractRealIP¶

func ExtractRealIP(config *RealIPConfig) func(nexthttp.Handler)http.Handler

ExtractRealIP is a middleware that uses headers from reverse proxies topropagate origin IP address information, when configured to do so.

funcExtractRealIPAddress¶

func ExtractRealIPAddress(config *RealIPConfig, req *http.Request) (net.IP,error)

ExtractRealIPAddress returns the original client address according to theconfiguration and headers. It does not mutate the original request.

funcExtractTemplateParam¶

func ExtractTemplateParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractTemplateParam grabs a template from the "template" URL parameter.

funcExtractTemplateVersionParam¶

func ExtractTemplateVersionParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractTemplateVersionParam grabs template version from the "templateversion" URL parameter.

funcExtractUserContext¶added inv2.21.1

func ExtractUserContext(ctxcontext.Context, dbdatabase.Store, rwhttp.ResponseWriter, r *http.Request) (userdatabase.User, okbool)

ExtractUserContext queries the database for the parameterized `{user}` from the request URL.

funcExtractUserParam¶

func ExtractUserParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractUserParam extracts a user from an ID/username in the {user} URLparameter.

funcExtractUserParamOptional¶added inv2.21.1

func ExtractUserParamOptional(dbdatabase.Store) func(http.Handler)http.Handler

ExtractUserParamOptional does not fail if no user is present.

funcExtractWorkspaceAgentAndLatestBuild¶added inv2.10.0

func ExtractWorkspaceAgentAndLatestBuild(optsExtractWorkspaceAgentAndLatestBuildConfig) func(http.Handler)http.Handler

ExtractWorkspaceAgentAndLatestBuild requires authentication using a valid agent token.

funcExtractWorkspaceAgentParam¶

func ExtractWorkspaceAgentParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractWorkspaceAgentParam grabs a workspace agent from the "workspaceagent" URL parameter.

funcExtractWorkspaceAndAgentParam¶

func ExtractWorkspaceAndAgentParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractWorkspaceAndAgentParam grabs a workspace and an agent from the"workspace_and_agent" URL parameter. `ExtractUserParam` must be calledbefore this.This can be in the form of:

• "<workspace-name>.[workspace-agent]": If multiple agents exist
• "<workspace-name>": If one agent exists

funcExtractWorkspaceBuildParam¶

func ExtractWorkspaceBuildParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractWorkspaceBuildParam grabs workspace build from the "workspacebuild" URL parameter.

funcExtractWorkspaceParam¶

func ExtractWorkspaceParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractWorkspaceParam grabs a workspace from the "workspace" URL parameter.

funcExtractWorkspaceProxy¶

func ExtractWorkspaceProxy(optsExtractWorkspaceProxyConfig) func(http.Handler)http.Handler

ExtractWorkspaceProxy extracts the external workspace proxy from the requestusing the external proxy auth token header.

funcExtractWorkspaceProxyParam¶

func ExtractWorkspaceProxyParam(dbdatabase.Store, deploymentIDstring, fetchPrimaryProxy func(ctxcontext.Context) (database.WorkspaceProxy,error)) func(http.Handler)http.Handler

ExtractWorkspaceProxyParam extracts a workspace proxy from an ID/name in the {workspaceproxy} URLparameter.

funcExtractWorkspaceResourceParam¶

func ExtractWorkspaceResourceParam(dbdatabase.Store) func(http.Handler)http.Handler

ExtractWorkspaceResourceParam grabs a workspace resource from the "provisionerjob" URL parameter.

funcFilterUntrustedOriginHeaders¶

func FilterUntrustedOriginHeaders(config *RealIPConfig, req *http.Request)

FilterUntrustedOriginHeaders removes all known proxy headers from therequest for untrusted origins, and ensures that only one copyof each proxy header is set.

funcGroupParam¶

func GroupParam(r *http.Request)database.Group

GroupParam returns the group extracted via the ExtraGroupParam middleware.

funcHSTS¶

func HSTS(nexthttp.Handler, cfgHSTSConfig)http.Handler

HSTS will add the strict-transport-security header if enabled. This headerforces a browser to always use https for the domain after it loads https once.Meaning: On first load of product.coder.com, they are redirected to https. Onall subsequent loads, the client's local browser forces https. This preventsman in the middle.

This header only makes sense if the app is using tls.

Full header example:Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

funcLatestBuild¶added inv2.10.0

func LatestBuild(r *http.Request)database.WorkspaceBuild

LatestBuild returns the Latest Build from the ExtractLatestBuild handler.

funcNotificationTemplateParam¶added inv2.15.0

func NotificationTemplateParam(r *http.Request)database.NotificationTemplate

NotificationTemplateParam returns the template from the ExtractNotificationTemplateParam handler.

funcOAuth2ProviderApp¶added inv2.6.0

func OAuth2ProviderApp(r *http.Request)database.OAuth2ProviderApp

OAuth2ProviderApp returns the OAuth2 app from the ExtractOAuth2ProviderAppParam handler.

funcOAuth2ProviderAppSecret¶added inv2.6.0

func OAuth2ProviderAppSecret(r *http.Request)database.OAuth2ProviderAppSecret

OAuth2ProviderAppSecret returns the OAuth2 app secret from theExtractOAuth2ProviderAppSecretParam handler.

funcOrganizationParam¶

func OrganizationParam(r *http.Request)database.Organization

OrganizationParam returns the organization from the ExtractOrganizationParam handler.

funcParseUUIDParam¶

func ParseUUIDParam(rwhttp.ResponseWriter, r *http.Request, paramstring) (uuid.UUID,bool)

ParseUUIDParam consumes a url parameter and parses it as a UUID.

funcPrometheus¶

func Prometheus(registerprometheus.Registerer) func(http.Handler)http.Handler

funcProvisionerDaemonAuthenticated¶added inv2.9.0

func ProvisionerDaemonAuthenticated(r *http.Request)bool

funcProvisionerKeyAuthOptional¶added inv2.14.0

func ProvisionerKeyAuthOptional(r *http.Request) (database.ProvisionerKey,bool)

funcProvisionerKeyParam¶added inv2.14.0

func ProvisionerKeyParam(r *http.Request)database.ProvisionerKey

ProvisionerKeyParam returns the user from the ExtractProvisionerKeyParam handler.

funcRateLimit¶

func RateLimit(countint, windowtime.Duration) func(http.Handler)http.Handler

RateLimit returns a handler that limits requests per-minute basedon IP, endpoint, and user ID (if available).

funcRecordAuthzChecks¶added inv2.22.0

func RecordAuthzChecks(nexthttp.Handler)http.Handler

RecordAuthzChecks enables recording all of the authorization checks thatoccurred in the processing of a request. This is mostly helpful for debuggingand understanding what permissions are required for a given action.

Requires using a Recorder Authorizer.

funcRecover¶

func Recover(logslog.Logger) func(hhttp.Handler)http.Handler

funcRedirectToLogin¶

func RedirectToLogin(rwhttp.ResponseWriter, r *http.Request, dashboardURL *url.URL, messagestring)

RedirectToLogin redirects the user to the login page with the `message` and`redirect` query parameters set.

If dashboardURL is nil, the redirect will be relative to the currentrequest's host. If it is not nil, the redirect will be absolute with dashboardurl as the host.

funcReportCLITelemetry¶

func ReportCLITelemetry(logslog.Logger, reptelemetry.Reporter) func(http.Handler)http.Handler

funcRequestID¶

func RequestID(r *http.Request)uuid.UUID

RequestID returns the ID of the request.

funcRequireAPIKeyOrProvisionerDaemonAuth¶added inv2.9.0

func RequireAPIKeyOrProvisionerDaemonAuth() func(http.Handler)http.Handler

RequireAPIKeyOrProvisionerDaemonAuth is middleware that should be insertedafter optional ExtractAPIKey and ExtractProvisionerDaemonAuthenticatedmiddlewares to ensure one of the two authentication methods is provided.

If both are provided, an error is returned to avoid misuse.

funcRequireAPIKeyOrWorkspaceAgent¶

func RequireAPIKeyOrWorkspaceAgent() func(http.Handler)http.Handler

RequireAPIKeyOrWorkspaceAgent is middleware that should be inserted afteroptional ExtractAPIKey and ExtractWorkspaceAgent middlewares to ensure one ofthe two is provided.

If both are provided an error is returned to avoid misuse.

funcRequireAPIKeyOrWorkspaceProxyAuth¶

func RequireAPIKeyOrWorkspaceProxyAuth() func(http.Handler)http.Handler

RequireAPIKeyOrWorkspaceProxyAuth is middleware that should be inserted afteroptional ExtractAPIKey and ExtractWorkspaceProxy middlewares to ensure one ofthe two authentication methods is provided.

If both are provided, an error is returned to avoid misuse.

funcRequireExperiment¶added inv2.9.0

func RequireExperiment(experimentscodersdk.Experiments, experimentcodersdk.Experiment) func(nexthttp.Handler)http.Handler

funcSplitAPIToken¶

func SplitAPIToken(tokenstring) (idstring, secretstring, errerror)

SplitAPIToken verifies the format of an API key and returns the split ID andsecret.

APIKeys are formatted: ${ID}-${SECRET}

funcTemplateParam¶

func TemplateParam(r *http.Request)database.Template

TemplateParam returns the template from the ExtractTemplateParam handler.

funcTemplateVersionParam¶

func TemplateVersionParam(r *http.Request)database.TemplateVersion

TemplateVersionParam returns the template version from the ExtractTemplateVersionParam handler.

funcUserAuthorization¶

func UserAuthorization(r *http.Request)rbac.Subject

UserAuthorization returns the roles and scope used for authorization. Dependson the ExtractAPIKey handler.

funcUserAuthorizationOptional¶

func UserAuthorizationOptional(r *http.Request) (rbac.Subject,bool)

UserAuthorizationOptional may return the roles and scope used forauthorization. Depends on the ExtractAPIKey handler.

funcUserParam¶

func UserParam(r *http.Request)database.User

UserParam returns the user from the ExtractUserParam handler.

funcUserParamOptional¶added inv2.21.1

func UserParamOptional(r *http.Request) (database.User,bool)

funcUserRBACSubject¶added inv2.13.0

func UserRBACSubject(ctxcontext.Context, dbdatabase.Store, userIDuuid.UUID, scoperbac.ExpandableScope) (rbac.Subject,database.UserStatus,error)

UserRBACSubject fetches a user's rbac.Subject from the database. It pulls all roles from bothsite and organization scopes. It also pulls the groups, and the user's status.

funcWorkspaceAgent¶

func WorkspaceAgent(r *http.Request)database.WorkspaceAgent

WorkspaceAgent returns the workspace agent from the ExtractAgent handler.

funcWorkspaceAgentOptional¶

func WorkspaceAgentOptional(r *http.Request) (database.WorkspaceAgent,bool)

funcWorkspaceAgentParam¶

func WorkspaceAgentParam(r *http.Request)database.WorkspaceAgent

WorkspaceAgentParam returns the workspace agent from the ExtractWorkspaceAgentParam handler.

funcWorkspaceAppCors¶

func WorkspaceAppCors(regex *regexp.Regexp, appappurl.ApplicationURL) func(nexthttp.Handler)http.Handler

funcWorkspaceBuildParam¶

func WorkspaceBuildParam(r *http.Request)database.WorkspaceBuild

WorkspaceBuildParam returns the workspace build from the ExtractWorkspaceBuildParam handler.

funcWorkspaceParam¶

func WorkspaceParam(r *http.Request)database.Workspace

WorkspaceParam returns the workspace from the ExtractWorkspaceParam handler.

funcWorkspaceProxy¶

func WorkspaceProxy(r *http.Request)database.WorkspaceProxy

WorkspaceProxy returns the workspace proxy from the ExtractWorkspaceProxymiddleware.

funcWorkspaceProxyOptional¶

func WorkspaceProxyOptional(r *http.Request) (database.WorkspaceProxy,bool)

WorkspaceProxyOptional may return the workspace proxy from the ExtractWorkspaceProxymiddleware.

funcWorkspaceProxyParam¶

func WorkspaceProxyParam(r *http.Request)database.WorkspaceProxy

WorkspaceProxyParam returns the workspace proxy from the ExtractWorkspaceProxyParam handler.

funcWorkspaceResourceParam¶

func WorkspaceResourceParam(r *http.Request)database.WorkspaceResource

ProvisionerJobParam returns the template from the ExtractTemplateParam handler.

typeCSPFetchDirective¶

type CSPFetchDirectivestring

CSPFetchDirective is the list of all constant fetch directives thatcan be used/appended to.

const (CSPDirectiveDefaultSrcCSPFetchDirective = "default-src"CSPDirectiveConnectSrcCSPFetchDirective = "connect-src"CSPDirectiveChildSrcCSPFetchDirective = "child-src"CSPDirectiveScriptSrcCSPFetchDirective = "script-src"CSPDirectiveFontSrcCSPFetchDirective = "font-src"CSPDirectiveStyleSrcCSPFetchDirective = "style-src"CSPDirectiveObjectSrcCSPFetchDirective = "object-src"CSPDirectiveManifestSrcCSPFetchDirective = "manifest-src"CSPDirectiveFrameSrcCSPFetchDirective = "frame-src"CSPDirectiveImgSrcCSPFetchDirective = "img-src"CSPDirectiveReportURICSPFetchDirective = "report-uri"CSPDirectiveFormActionCSPFetchDirective = "form-action"CSPDirectiveMediaSrcCSPFetchDirective = "media-src"CSPFrameAncestorsCSPFetchDirective = "frame-ancestors"CSPDirectiveWorkerSrcCSPFetchDirective = "worker-src")

typeExtractAPIKeyConfig¶

type ExtractAPIKeyConfig struct {DBdatabase.StoreActivateDormantUser         func(ctxcontext.Context, udatabase.User) (database.User,error)OAuth2Configs               *OAuth2ConfigsRedirectToLoginboolDisableSessionExpiryRefreshbool// Optional governs whether the API key is optional. Use this if you want to// allow unauthenticated requests.//// If true and no session token is provided, nothing will be written to the// request context. Use the APIKeyOptional and UserAuthorizationOptional// functions to retrieve the API key and authorization instead of the// regular ones.//// If true and the API key is invalid (i.e. deleted, expired), the cookie// will be deleted and the request will continue. If the request is not a// cookie-based request, the request will be rejected with a 401.Optionalbool// SessionTokenFunc is a custom function that can be used to extract the API// key. If nil, the default behavior is used.SessionTokenFunc func(r *http.Request)string// PostAuthAdditionalHeadersFunc is a function that can be used to add// headers to the response after the user has been authenticated.//// This is originally implemented to send entitlement warning headers after// a user is authenticated to prevent additional CLI invocations.PostAuthAdditionalHeadersFunc func(arbac.Subject, headerhttp.Header)}

typeExtractProvisionerAuthConfig¶added inv2.9.0

type ExtractProvisionerAuthConfig struct {DBdatabase.StoreOptionalboolPSKstring}

typeExtractWorkspaceAgentAndLatestBuildConfig¶added inv2.10.0

type ExtractWorkspaceAgentAndLatestBuildConfig struct {DBdatabase.Store// Optional indicates whether the middleware should be optional.  If true, any// requests without the a token or with an invalid token will be allowed to// continue and no workspace agent will be set on the request context.Optionalbool}

typeExtractWorkspaceProxyConfig¶

type ExtractWorkspaceProxyConfig struct {DBdatabase.Store// Optional indicates whether the middleware should be optional. If true,// any requests without the external proxy auth token header will be// allowed to continue and no workspace proxy will be set on the request// context.Optionalbool}

typeHSTSConfig¶

type HSTSConfig struct {// HeaderValue is an empty string if hsts header is disabled.HeaderValuestring}

func HSTSConfigOptions(maxAgeint, options []string) (HSTSConfig,error)

typeOAuth2Configs¶

type OAuth2Configs struct {Githubpromoauth.OAuth2ConfigOIDCpromoauth.OAuth2Config}

OAuth2Configs is a collection of configurations for OAuth-based authentication.This should be extended to support other authentication types in the future.

func (c *OAuth2Configs) IsZero()bool

typeOAuth2State¶

type OAuth2State struct {Token       *oauth2.TokenRedirectstringStateStringstring}

func OAuth2(r *http.Request)OAuth2State

typeOrganizationMember¶added inv2.3.0

type OrganizationMember struct {database.OrganizationMemberUsernamestringAvatarURLstring}

OrganizationMember is the database object plus the Username and Avatar URL. Including thesein the middleware is preferable to a join at the SQL layer so that we can keep theautogenerated database types as they are.

func OrganizationMemberParam(r *http.Request)OrganizationMember

typeOrganizationMembers¶added inv2.23.0

type OrganizationMembers struct {// User is `nil` if the caller is not allowed access to the site wide// user object.User *database.User// Memberships can only be length 0 if `user != nil`. If `user == nil`, then// memberships will be at least length 1.Memberships []OrganizationMember}

func OrganizationMembersParam(r *http.Request)OrganizationMembers

func (omOrganizationMembers) UserID()uuid.UUID

typeRealIPConfig¶

type RealIPConfig struct {// TrustedOrigins is a list of networks that will be trusted. If// any non-trusted address supplies these headers, they will be// ignored.TrustedOrigins []*net.IPNet// TrustedHeaders lists headers that are trusted for forwarding// IP addresses. e.g. "CF-Connecting-IP", "True-Client-IP", etc.TrustedHeaders []string}

RealIPConfig configures the search order for the function, which controlswhich headers to consider trusted.

func ParseRealIPConfig(headers, origins []string) (*RealIPConfig,error)

typeRealIPState¶

type RealIPState struct {// Config is the configuration applied in the middleware. Consider// this read-only and do not modify.Config *RealIPConfig// OriginalRemoteAddr is the original RemoteAddr for the request.OriginalRemoteAddrstring}

RealIPState is the original state prior to modification by this middleware,useful for getting information about the connecting client if needed.

func RealIP(ctxcontext.Context) *RealIPState