Documentation
Constants

const (
	// TODO(@deansheather): configurable expiry
	TicketExpiry = time.Minute

	// RedirectURIQueryParam is the query param for the app URL to be passed
	// back to the API auth endpoint on the main access URL.
	RedirectURIQueryParam = "redirect_uri"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type AccessMethod

type AccessMethod string

const (
	AccessMethodPath      AccessMethod = "path"
	AccessMethodSubdomain AccessMethod = "subdomain"
)
type Provider

type Provider struct {
	Logger           slog.Logger
	AccessURL        *url.URL
	Authorizer       rbac.Authorizer
	Database         database.Store
	DeploymentValues *codersdk.DeploymentValues
	OAuth2Configs    *httpmw.OAuth2Configs
	TicketSigningKey []byte
}
Provider provides authentication and authorization for workspace apps. TODO(@deansheather): also provide workspace apps as a whole to remove all app code from coderd.
func New
func New(log slog.Logger, accessURL *url.URL, authz rbac.Authorizer, db database.Store, cfg *codersdk.DeploymentValues, oauth2Cfgs *httpmw.OAuth2Configs, ticketSigningKey []byte) *Provider
func (*Provider) ResolveRequest
func (p *Provider) ResolveRequest(rw http.ResponseWriter, r *http.Request, appReq Request) (*Ticket, bool)
ResolveRequest takes an app request, checks if it's valid and authenticated, and returns a ticket with details about the app.
The ticket is written as a signed JWT into a cookie and will be automatically used in the next request to the same app to avoid database calls.
Upstream code should avoid any database calls ever.
type Request

type Request struct {
	AccessMethod AccessMethod
	// BasePath of the app. For path apps, this is the path prefix in the router
	// for this particular app. For subdomain apps, this should be "/". This is
	// used for setting the cookie path.
	BasePath string

	UsernameOrID string
	// WorkspaceAndAgent xor WorkspaceNameOrID are required.
	WorkspaceAndAgent string // "workspace" or "workspace.agent"
	WorkspaceNameOrID string
	// AgentNameOrID is not required if the workspace has only one agent.
	AgentNameOrID string
	AppSlugOrPort string
}
type Ticket

type Ticket struct {
	// Request details.
	AccessMethod      AccessMethod `json:"access_method"`
	UsernameOrID      string       `json:"username_or_id"`
	WorkspaceNameOrID string       `json:"workspace_name_or_id"`
	AgentNameOrID     string       `json:"agent_name_or_id"`
	AppSlugOrPort     string       `json:"app_slug_or_port"`

	// Trusted resolved details.
	Expiry      int64     `json:"expiry"` // set by GenerateTicket if unset
	UserID      uuid.UUID `json:"user_id"`
	WorkspaceID uuid.UUID `json:"workspace_id"`
	AgentID     uuid.UUID `json:"agent_id"`
	AppURL      string    `json:"app_url"`
}
Ticket is the struct data contained inside a workspace app ticket JWE. It contains the details of the workspace app that the ticket is valid for to avoid database queries.
The JSON field names are short to reduce the size of the ticket.
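The ticket flow described under ResolveRequest and Ticket, as an added example that is not the package's own code: a reduced ticket is signed with an HMAC-SHA256 tag over its JSON (a stand-in for the signed JWT the package issues), and verification checks the signature, the one-minute expiry, and that the request-bound fields match the app actually being requested before any of the resolved fields are trusted. The `ticket` type, the `tag`, `signTicket` and `verifyTicket` functions, and the `body.tag` token layout are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type ticket struct { // hypothetical, reduced form of the page's Ticket (UUID fields omitted)
	UsernameOrID      string `json:"username_or_id"`
	WorkspaceNameOrID string `json:"workspace_name_or_id"`
	AppSlugOrPort     string `json:"app_slug_or_port"`
	Expiry            int64  `json:"expiry"`  // unix seconds, stamped by signTicket
	AppURL            string `json:"app_url"` // trusted resolved detail, usable once verified
}
func tag(key, payload []byte) string { // base64url(HMAC-SHA256(payload)), standing in for the JWT signature
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
// signTicket emits base64url(json).tag with the page's one-minute TicketExpiry applied.
func signTicket(key []byte, t ticket, now time.Time) string {
	t.Expiry = now.Add(time.Minute).Unix()
	payload, _ := json.Marshal(t) // plain fields only, cannot fail
	return base64.RawURLEncoding.EncodeToString(payload) + "." + tag(key, payload)
}

// verifyTicket rejects a bad signature, an expired ticket, and a ticket minted for a different app than req names.
func verifyTicket(key []byte, token string, req ticket, now time.Time) (*ticket, error) {
	body, sig, ok := strings.Cut(token, ".")
	payload, err := base64.RawURLEncoding.DecodeString(body)
	if !ok || err != nil || !hmac.Equal([]byte(sig), []byte(tag(key, payload))) {
		return nil, errors.New("malformed ticket or bad signature")
	}
	var t ticket
	if err := json.Unmarshal(payload, &t); err != nil { // defensive: a valid tag proves we wrote payload
		return nil, err
	}
	if now.Unix() >= t.Expiry {
		return nil, errors.New("ticket expired")
	}
	if t.UsernameOrID != req.UsernameOrID || t.WorkspaceNameOrID != req.WorkspaceNameOrID || t.AppSlugOrPort != req.AppSlugOrPort {
		return nil, errors.New("ticket was issued for a different app")
	}
	return &t, nil
}
```

A ticket that passes all three checks can be served from the cookie without a database lookup; any failure falls back to full resolution and a fresh ticket.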