fix: relax csrf to exclude path based apps

Emyrk · Emyrk · commit 658d7df3a66d · 2024-01-04T17:50:22.000-06:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -579,7 +579,6 @@ func New(options *Options) *API {
 				next.ServeHTTP(w, r)
 			})
 		},
-		httpmw.CSRF(options.SecureAuthCookie),
 	)
 
 	r.Get("/healthz", func(w http.ResponseWriter, r *http.Request) { _, _ = w.Write([]byte("OK")) })
@@ -627,6 +626,10 @@ func New(options *Options) *API {
 			// limit must be configurable by the admin.
 			apiRateLimiter,
 			httpmw.ReportCLITelemetry(api.Logger, options.Telemetry),
+			// CSRF only needs to apply to /api routes. It does not apply to GET requests
+			// anyway, which is most other routes. We want to exempt any external auth or
+			// application type routes.
+			httpmw.CSRF(options.SecureAuthCookie),
 		)
 		r.Get("/", apiRoot)
 		// All CSP errors will be logged
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -329,9 +329,10 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 				next.ServeHTTP(w, r)
 			})
 		},
-		// TODO: @emyrk we might not need this? But good to have if it does
-		// 		not break anything.
-		httpmw.CSRF(s.Options.SecureAuthCookie),
+		// CSRF middleware is intentionally excluded here. All coder requests
+		// which require CSRF protection are forwarded to the primary Coderd
+		// via a proxy function. Since the primary enforces this, the proxy does
+		// not.
 	)
 
 	// Attach workspace apps routes.
