coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/dogfood.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/security.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/‎cmd/coder/main.go
Lines changed: 5 additions & 0 deletions b/‎cmd/coder/main.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 20 additions & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/database/modelqueries.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/modelqueries.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 17 additions & 2 deletions b/‎coderd/database/queries.sql.go
Lines changed: 17 additions & 2 deletions
diff --git a/‎coderd/database/queries/users.sql
Lines changed: 11 additions & 0 deletions b/‎coderd/database/queries/users.sql
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/searchquery/search.go
Lines changed: 2 additions & 0 deletions b/‎coderd/searchquery/search.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/users.go
Lines changed: 2 additions & 0 deletions b/‎coderd/users.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/users_test.go
Lines changed: 110 additions & 0 deletions b/‎coderd/users_test.go
Lines changed: 110 additions & 0 deletions
diff --git a/‎docs/admin/monitoring/index.md
Lines changed: 2 additions & 2 deletions b/‎docs/admin/monitoring/index.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/admin/security/database-encryption.md
Lines changed: 4 additions & 0 deletions b/‎docs/admin/security/database-encryption.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/admin/security/index.md
Lines changed: 8 additions & 1 deletion b/‎docs/admin/security/index.md
Lines changed: 8 additions & 1 deletion
@@ -188,7 +188,7 @@ jobs:
 
       # Check for any typos
       - name: Check for typos
-        uses: crate-ci/typos@2872c382bb9668d4baa5eade234dcbc0048ca2cf # v1.28.2
+        uses: crate-ci/typos@d1c850b2b5d502763520c25fb4a6a1128ad99bd9 # v1.28.3
         with:
           config: .github/workflows/typos.toml
 
 
@@ -50,7 +50,7 @@ jobs:
         uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Login to DockerHub
         if: github.ref == 'refs/heads/main'
 
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
         uses: ./.github/actions/setup-go
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           languages: go, javascript
 
@@ -48,7 +48,7 @@ jobs:
           rm Makefile
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
 
       - name: Send Slack notification on failure
         if: ${{ failure() }}
@@ -144,7 +144,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: trivy-results.sarif
           category: "Trivy"
 
@@ -5,6 +5,8 @@ import (
 	"os"
 	_ "time/tzdata"
 
+	tea "github.com/charmbracelet/bubbletea"
+
 	"github.com/coder/coder/v2/agent/agentexec"
 	"github.com/coder/coder/v2/cli"
 )
@@ -15,6 +17,9 @@ func main() {
 		_, _ = fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
+	// This preserves backwards compatibility with an init function that is causing grief for
+	// web terminals using agent-exec + screen. See https://github.com/coder/coder/pull/15817
+	tea.InitTerminal()
 	var rootCmd cli.RootCmd
 	rootCmd.RunWithSubcommands(rootCmd.AGPL())
 }
@@ -5800,6 +5800,26 @@ func (q *FakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 		users = usersFilteredByRole
 	}
 
+	if !params.CreatedBefore.IsZero() {
+		usersFilteredByCreatedAt := make([]database.User, 0, len(users))
+		for i, user := range users {
+			if user.CreatedAt.Before(params.CreatedBefore) {
+				usersFilteredByCreatedAt = append(usersFilteredByCreatedAt, users[i])
+			}
+		}
+		users = usersFilteredByCreatedAt
+	}
+
+	if !params.CreatedAfter.IsZero() {
+		usersFilteredByCreatedAt := make([]database.User, 0, len(users))
+		for i, user := range users {
+			if user.CreatedAt.After(params.CreatedAfter) {
+				usersFilteredByCreatedAt = append(usersFilteredByCreatedAt, users[i])
+			}
+		}
+		users = usersFilteredByCreatedAt
+	}
+
 	if !params.LastSeenBefore.IsZero() {
 		usersFilteredByLastSeen := make([]database.User, 0, len(users))
 		for i, user := range users {
 
@@ -391,6 +391,8 @@ func (q *sqlQuerier) GetAuthorizedUsers(ctx context.Context, arg GetUsersParams,
 		pq.Array(arg.RbacRole),
 		arg.LastSeenBefore,
 		arg.LastSeenAfter,
+		arg.CreatedBefore,
+		arg.CreatedAfter,
 		arg.OffsetOpt,
 		arg.LimitOpt,
 	)
 
@@ -199,6 +199,17 @@ WHERE
 			last_seen_at >= @last_seen_after
 		ELSE true
 	END
+	-- Filter by created_at
+	AND CASE
+		WHEN @created_before :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
+			created_at <= @created_before
+		ELSE true
+	END
+	AND CASE
+		WHEN @created_after :: timestamp with time zone != '0001-01-01 00:00:00Z' THEN
+			created_at >= @created_after
+		ELSE true
+	END
 	-- End of filters
 
 	-- Authorize Filter clause will be injected below in GetAuthorizedUsers
 
@@ -70,6 +70,8 @@ func Users(query string) (database.GetUsersParams, []codersdk.ValidationError) {
 		RbacRole:       parser.Strings(values, []string{}, "role"),
 		LastSeenAfter:  parser.Time3339Nano(values, time.Time{}, "last_seen_after"),
 		LastSeenBefore: parser.Time3339Nano(values, time.Time{}, "last_seen_before"),
+		CreatedAfter:   parser.Time3339Nano(values, time.Time{}, "created_after"),
+		CreatedBefore:  parser.Time3339Nano(values, time.Time{}, "created_before"),
 	}
 	parser.ErrorExcessParams(values)
 	return filter, parser.Errors
 
@@ -317,6 +317,8 @@ func (api *API) GetUsers(rw http.ResponseWriter, r *http.Request) ([]database.Us
 		RbacRole:       params.RbacRole,
 		LastSeenBefore: params.LastSeenBefore,
 		LastSeenAfter:  params.LastSeenAfter,
+		CreatedAfter:   params.CreatedAfter,
+		CreatedBefore:  params.CreatedBefore,
 		OffsetOpt:      int32(paginationParams.Offset),
 		LimitOpt:       int32(paginationParams.Limit),
 	})
 
@@ -26,9 +26,11 @@ import (
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/util/ptr"
@@ -1515,6 +1517,73 @@ func TestUsersFilter(t *testing.T) {
 		users = append(users, user)
 	}
 
+	// Add users with different creation dates for testing date filters
+	for i := 0; i < 3; i++ {
+		// nolint:gocritic // Using system context is necessary to seed data in tests
+		user1, err := api.Database.InsertUser(dbauthz.AsSystemRestricted(ctx), database.InsertUserParams{
+			ID:        uuid.New(),
+			Email:     fmt.Sprintf("before%d@coder.com", i),
+			Username:  fmt.Sprintf("before%d", i),
+			LoginType: database.LoginTypeNone,
+			Status:    string(codersdk.UserStatusActive),
+			RBACRoles: []string{codersdk.RoleMember},
+			CreatedAt: dbtime.Time(time.Date(2022, 12, 15+i, 12, 0, 0, 0, time.UTC)),
+		})
+		require.NoError(t, err)
+
+		// The expected timestamps must be parsed from strings to compare equal during `ElementsMatch`
+		sdkUser1 := db2sdk.User(user1, nil)
+		sdkUser1.CreatedAt, err = time.Parse(time.RFC3339, sdkUser1.CreatedAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		sdkUser1.UpdatedAt, err = time.Parse(time.RFC3339, sdkUser1.UpdatedAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		sdkUser1.LastSeenAt, err = time.Parse(time.RFC3339, sdkUser1.LastSeenAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		users = append(users, sdkUser1)
+
+		// nolint:gocritic //Using system context is necessary to seed data in tests
+		user2, err := api.Database.InsertUser(dbauthz.AsSystemRestricted(ctx), database.InsertUserParams{
+			ID:        uuid.New(),
+			Email:     fmt.Sprintf("during%d@coder.com", i),
+			Username:  fmt.Sprintf("during%d", i),
+			LoginType: database.LoginTypeNone,
+			Status:    string(codersdk.UserStatusActive),
+			RBACRoles: []string{codersdk.RoleOwner},
+			CreatedAt: dbtime.Time(time.Date(2023, 1, 15+i, 12, 0, 0, 0, time.UTC)),
+		})
+		require.NoError(t, err)
+
+		sdkUser2 := db2sdk.User(user2, nil)
+		sdkUser2.CreatedAt, err = time.Parse(time.RFC3339, sdkUser2.CreatedAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		sdkUser2.UpdatedAt, err = time.Parse(time.RFC3339, sdkUser2.UpdatedAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		sdkUser2.LastSeenAt, err = time.Parse(time.RFC3339, sdkUser2.LastSeenAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		users = append(users, sdkUser2)
+
+		// nolint:gocritic // Using system context is necessary to seed data in tests
+		user3, err := api.Database.InsertUser(dbauthz.AsSystemRestricted(ctx), database.InsertUserParams{
+			ID:        uuid.New(),
+			Email:     fmt.Sprintf("after%d@coder.com", i),
+			Username:  fmt.Sprintf("after%d", i),
+			LoginType: database.LoginTypeNone,
+			Status:    string(codersdk.UserStatusActive),
+			RBACRoles: []string{codersdk.RoleOwner},
+			CreatedAt: dbtime.Time(time.Date(2023, 2, 15+i, 12, 0, 0, 0, time.UTC)),
+		})
+		require.NoError(t, err)
+
+		sdkUser3 := db2sdk.User(user3, nil)
+		sdkUser3.CreatedAt, err = time.Parse(time.RFC3339, sdkUser3.CreatedAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		sdkUser3.UpdatedAt, err = time.Parse(time.RFC3339, sdkUser3.UpdatedAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		sdkUser3.LastSeenAt, err = time.Parse(time.RFC3339, sdkUser3.LastSeenAt.Format(time.RFC3339))
+		require.NoError(t, err)
+		users = append(users, sdkUser3)
+	}
+
 	// --- Setup done ---
 	testCases := []struct {
 		Name   string
@@ -1657,6 +1726,37 @@ func TestUsersFilter(t *testing.T) {
 				return u.LastSeenAt.Before(end) && u.LastSeenAt.After(start)
 			},
 		},
+		{
+			Name: "CreatedAtBefore",
+			Filter: codersdk.UsersRequest{
+				SearchQuery: `created_before:"2023-01-31T23:59:59Z"`,
+			},
+			FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
+				end := time.Date(2023, 1, 31, 23, 59, 59, 0, time.UTC)
+				return u.CreatedAt.Before(end)
+			},
+		},
+		{
+			Name: "CreatedAtAfter",
+			Filter: codersdk.UsersRequest{
+				SearchQuery: `created_after:"2023-01-01T00:00:00Z"`,
+			},
+			FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
+				start := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
+				return u.CreatedAt.After(start)
+			},
+		},
+		{
+			Name: "CreatedAtRange",
+			Filter: codersdk.UsersRequest{
+				SearchQuery: `created_after:"2023-01-01T00:00:00Z" created_before:"2023-01-31T23:59:59Z"`,
+			},
+			FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
+				start := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
+				end := time.Date(2023, 1, 31, 23, 59, 59, 0, time.UTC)
+				return u.CreatedAt.After(start) && u.CreatedAt.Before(end)
+			},
+		},
 	}
 
 	for _, c := range testCases {
@@ -1677,6 +1777,16 @@ func TestUsersFilter(t *testing.T) {
 					exp = append(exp, made)
 				}
 			}
+
+			// TODO: This can be removed with dbmem
+			if !dbtestutil.WillUsePostgres() {
+				for i := range matched.Users {
+					if len(matched.Users[i].OrganizationIDs) == 0 {
+						matched.Users[i].OrganizationIDs = nil
+					}
+				}
+			}
+
 			require.ElementsMatch(t, exp, matched.Users, "expected users returned")
 		})
 	}
 
@@ -1,7 +1,7 @@
 # Monitoring Coder
 
-Learn about our the tools, techniques, and best practices to monitor Coder your
-Coder deployment.
+Learn about our the tools, techniques, and best practices to monitor your Coder
+deployment.
 
 ## Quick Start: Observability Helm Chart
 
 
@@ -185,3 +185,7 @@ To delete all encrypted data from your database, perform the following actions:
 - Decryption may fail if newly encrypted data is written while decryption is in
   progress. If this happens, ensure that all active coder instances are stopped,
   and retry.
+
+## Next steps
+
+- [Security - best practices](../../tutorials/best-practices/security-best-practices.md)
@@ -1,4 +1,11 @@
-# Security Advisories
+# Security
+
+<children></children>
+
+For other security tips, visit our guide to
+[security best practices](../../tutorials/best-practices/security-best-practices.md).
+
+## Security Advisories
 
 > If you discover a vulnerability in Coder, please do not hesitate to report it
 > to us by following the instructions
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@ import (`
`5`	`5`	`"os"`
`6`	`6`	`_ "time/tzdata"`
`7`	`7`
	`8`	`+ tea "github.com/charmbracelet/bubbletea"`
	`9`	`+`
`8`	`10`	`"github.com/coder/coder/v2/agent/agentexec"`
`9`	`11`	`"github.com/coder/coder/v2/cli"`
`10`	`12`	`)`
`@@ -15,6 +17,9 @@ func main() {`
`15`	`17`	`_, _ = fmt.Fprintln(os.Stderr, err)`
`16`	`18`	`os.Exit(1)`
`17`	`19`	`}`
	`20`	`+ // This preserves backwards compatibility with an init function that is causing grief for`
	`21`	`+ // web terminals using agent-exec + screen. See https://github.com/coder/coder/pull/15817`
	`22`	`+ tea.InitTerminal()`
`18`	`23`	`var rootCmd cli.RootCmd`
`19`	`24`	`rootCmd.RunWithSubcommands(rootCmd.AGPL())`
`20`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -391,6 +391,8 @@ func (q *sqlQuerier) GetAuthorizedUsers(ctx context.Context, arg GetUsersParams,`
`391`	`391`	`pq.Array(arg.RbacRole),`
`392`	`392`	`arg.LastSeenBefore,`
`393`	`393`	`arg.LastSeenAfter,`
	`394`	`+ arg.CreatedBefore,`
	`395`	`+ arg.CreatedAfter,`
`394`	`396`	`arg.OffsetOpt,`
`395`	`397`	`arg.LimitOpt,`
`396`	`398`	`)`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,8 @@ func Users(query string) (database.GetUsersParams, []codersdk.ValidationError) {`
`70`	`70`	`RbacRole: parser.Strings(values, []string{}, "role"),`
`71`	`71`	`LastSeenAfter: parser.Time3339Nano(values, time.Time{}, "last_seen_after"),`
`72`	`72`	`LastSeenBefore: parser.Time3339Nano(values, time.Time{}, "last_seen_before"),`
	`73`	`+ CreatedAfter: parser.Time3339Nano(values, time.Time{}, "created_after"),`
	`74`	`+ CreatedBefore: parser.Time3339Nano(values, time.Time{}, "created_before"),`
`73`	`75`	`}`
`74`	`76`	`parser.ErrorExcessParams(values)`
`75`	`77`	`return filter, parser.Errors`