coder
diff --git a/‎cli/server.go
Lines changed: 3 additions & 5 deletions b/‎cli/server.go
Lines changed: 3 additions & 5 deletions
diff --git a/‎cli/server_test.go
Lines changed: 10 additions & 7 deletions b/‎cli/server_test.go
Lines changed: 10 additions & 7 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 27 additions & 23 deletions b/‎coderd/coderd.go
Lines changed: 27 additions & 23 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 2 additions & 2 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/dbauthz/querier.go
Lines changed: 10 additions & 0 deletions b/‎coderd/database/dbauthz/querier.go
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/database/dbfake/databasefake.go
Lines changed: 13 additions & 0 deletions b/‎coderd/database/dbfake/databasefake.go
Lines changed: 13 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 14 additions & 2 deletions b/‎coderd/database/queries.sql.go
Lines changed: 14 additions & 2 deletions
diff --git a/‎coderd/database/queries/apikeys.sql
Lines changed: 8 additions & 2 deletions b/‎coderd/database/queries/apikeys.sql
Lines changed: 8 additions & 2 deletions
diff --git a/‎coderd/userauth.go
Lines changed: 11 additions & 42 deletions b/‎coderd/userauth.go
Lines changed: 11 additions & 42 deletions
@@ -76,6 +76,7 @@ import (
 	"github.com/coder/coder/coderd/tracing"
 	"github.com/coder/coder/coderd/updatecheck"
 	"github.com/coder/coder/coderd/util/slice"
+	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/provisioner/echo"
@@ -799,12 +800,9 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					}
 				}
 
-				appSigningKey, err := hex.DecodeString(appSigningKeyStr)
+				appSigningKey, err := workspaceapps.KeyFromString(appSigningKeyStr)
 				if err != nil {
-					return xerrors.Errorf("decode app signing key from database as hex: %w", err)
-				}
-				if len(appSigningKey) != 64 {
-					return xerrors.Errorf("app signing key must be 64 bytes, key in database is %d bytes", len(appSigningKey))
+					return xerrors.Errorf("decode app signing key from database: %w", err)
 				}
 
 				options.AppSigningKey = appSigningKey
 
@@ -668,8 +668,7 @@ func TestServer(t *testing.T) {
 				if c.tlsListener {
 					accessURLParsed, err := url.Parse(c.requestURL)
 					require.NoError(t, err)
-					client := codersdk.New(accessURLParsed)
-					client.HTTPClient = &http.Client{
+					client := &http.Client{
 						CheckRedirect: func(req *http.Request, via []*http.Request) error {
 							return http.ErrUseLastResponse
 						},
@@ -682,11 +681,15 @@ func TestServer(t *testing.T) {
 							},
 						},
 					}
-					defer client.HTTPClient.CloseIdleConnections()
-					_, err = client.HasFirstUser(ctx)
-					if err != nil {
-						require.ErrorContains(t, err, "Invalid application URL")
-					}
+					defer client.CloseIdleConnections()
+
+					req, err := http.NewRequestWithContext(ctx, http.MethodGet, accessURLParsed.String(), nil)
+					require.NoError(t, err)
+					resp, err := client.Do(req)
+					// We don't care much about the response, just that TLS
+					// worked.
+					require.NoError(t, err)
+					defer resp.Body.Close()
 				}
 			})
 		}
 
@@ -124,8 +124,8 @@ type Options struct {
 	SetUserGroups         func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
 	TemplateScheduleStore schedule.TemplateScheduleStore
 	// AppSigningKey denotes the symmetric key to use for signing temporary app
-	// tokens. The key must be 64 bytes long.
-	AppSigningKey      []byte
+	// tokens.
+	AppSigningKey      workspaceapps.AppSigningKey
 	HealthcheckFunc    func(ctx context.Context) (*healthcheck.Report, error)
 	HealthcheckTimeout time.Duration
 	HealthcheckRefresh time.Duration
@@ -237,9 +237,6 @@ func New(options *Options) *API {
 	if options.TemplateScheduleStore == nil {
 		options.TemplateScheduleStore = schedule.NewAGPLTemplateScheduleStore()
 	}
-	if len(options.AppSigningKey) != 64 {
-		panic("coderd: AppSigningKey must be 64 bytes long")
-	}
 	if options.HealthcheckFunc == nil {
 		options.HealthcheckFunc = func(ctx context.Context) (*healthcheck.Report, error) {
 			return healthcheck.Run(ctx, &healthcheck.ReportOptions{
@@ -331,6 +328,21 @@ func New(options *Options) *API {
 	api.workspaceAgentCache = wsconncache.New(api.dialWorkspaceAgentTailnet, 0)
 	api.TailnetCoordinator.Store(&options.TailnetCoordinator)
 
+	workspaceAppServer := workspaceapps.WorkspaceAppServer{
+		Logger: options.Logger.Named("workspaceapps"),
+
+		PrimaryAccessURL: api.AccessURL,
+		AccessURL:        api.AccessURL,
+		AppHostname:      api.AppHostname,
+		AppHostnameRegex: api.AppHostnameRegex,
+		DeploymentValues: options.DeploymentValues,
+		RealIPConfig:     options.RealIPConfig,
+
+		TokenProvider:      api.WorkspaceAppsProvider,
+		WorkspaceConnCache: api.workspaceAgentCache,
+		AppSigningKey:      options.AppSigningKey,
+	}
+
 	apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
 		DB:                          options.Database,
 		OAuth2Configs:               oauthConfigs,
@@ -363,11 +375,12 @@ func New(options *Options) *API {
 		httpmw.ExtractRealIP(api.RealIPConfig),
 		httpmw.Logger(api.Logger),
 		httpmw.Prometheus(options.PrometheusRegistry),
-		// handleSubdomainApplications checks if the first subdomain is a valid
-		// app URL. If it is, it will serve that application.
+		// SubdomainAppMW checks if the first subdomain is a valid app URL. If
+		// it is, it will serve that application.
 		//
-		// Workspace apps do their own auth.
-		api.handleSubdomainApplications(apiRateLimiter),
+		// Workspace apps do their own auth and must be BEFORE the auth
+		// middleware.
+		workspaceAppServer.SubdomainAppMW(apiRateLimiter),
 		// Build-Version is helpful for debugging.
 		func(next http.Handler) http.Handler {
 			return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -390,16 +403,9 @@ func New(options *Options) *API {
 
 	r.Get("/healthz", func(w http.ResponseWriter, r *http.Request) { _, _ = w.Write([]byte("OK")) })
 
-	apps := func(r chi.Router) {
-		// Workspace apps do their own auth.
-		r.Use(apiRateLimiter)
-		r.HandleFunc("/*", api.workspaceAppsProxyPath)
-	}
-	// %40 is the encoded character of the @ symbol. VS Code Web does
-	// not handle character encoding properly, so it's safe to assume
-	// other applications might not as well.
-	r.Route("/%40{user}/{workspace_and_agent}/apps/{workspaceapp}", apps)
-	r.Route("/@{user}/{workspace_and_agent}/apps/{workspaceapp}", apps)
+	// Attach workspace apps routes.
+	workspaceAppServer.Attach(r, apiRateLimiter)
+
 	r.Route("/derp", func(r chi.Router) {
 		r.Get("/", derpHandler.ServeHTTP)
 		// This is used when UDP is blocked, and latency must be checked via HTTP(s).
@@ -641,9 +647,6 @@ func New(options *Options) *API {
 				r.Post("/report-lifecycle", api.workspaceAgentReportLifecycle)
 				r.Post("/metadata/{key}", api.workspaceAgentPostMetadata)
 			})
-			// No middleware on the PTY endpoint since it uses workspace
-			// application auth and signed app tokens.
-			r.Get("/{workspaceagent}/pty", api.workspaceAgentPTY)
 			r.Route("/{workspaceagent}", func(r chi.Router) {
 				r.Use(
 					apiKeyMiddleware,
@@ -652,11 +655,12 @@ func New(options *Options) *API {
 				)
 				r.Get("/", api.workspaceAgent)
 				r.Get("/watch-metadata", api.watchWorkspaceAgentMetadata)
-				r.Get("/pty", api.workspaceAgentPTY)
 				r.Get("/startup-logs", api.workspaceAgentStartupLogs)
 				r.Get("/listening-ports", api.workspaceAgentListeningPorts)
 				r.Get("/connection", api.workspaceAgentConnection)
 				r.Get("/coordinate", api.workspaceAgentClientCoordinate)
+
+				// PTY is part of workspaceAppServer.
 			})
 		})
 		r.Route("/workspaces", func(r chi.Router) {
 
@@ -11,7 +11,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/base64"
-	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -68,6 +67,7 @@ import (
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/updatecheck"
 	"github.com/coder/coder/coderd/util/ptr"
+	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/codersdk/agentsdk"
 	"github.com/coder/coder/cryptorand"
@@ -82,7 +82,7 @@ import (
 
 // AppSigningKey is a 64-byte key used to sign JWTs for workspace app tokens in
 // tests.
-var AppSigningKey = must(hex.DecodeString("64656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566"))
+var AppSigningKey = must(workspaceapps.KeyFromString("64656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566"))
 
 type Options struct {
 	// AccessURL denotes a custom access URL. By default we use the httptest
 
@@ -994,6 +994,16 @@ func (q *querier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]dat
 	return q.db.GetTemplateUserRoles(ctx, id)
 }
 
+func (q *querier) DeleteApplicationConnectAPIKeysByUserID(ctx context.Context, userID uuid.UUID) error {
+	// TODO: This is not 100% correct because it omits apikey IDs.
+	err := q.authorizeContext(ctx, rbac.ActionDelete,
+		rbac.ResourceAPIKey.WithOwner(userID.String()))
+	if err != nil {
+		return err
+	}
+	return q.db.DeleteApplicationConnectAPIKeysByUserID(ctx, userID)
+}
+
 func (q *querier) DeleteAPIKeysByUserID(ctx context.Context, userID uuid.UUID) error {
 	// TODO: This is not 100% correct because it omits apikey IDs.
 	err := q.authorizeContext(ctx, rbac.ActionDelete,
 
@@ -677,6 +677,19 @@ func (q *fakeQuerier) DeleteAPIKeyByID(_ context.Context, id string) error {
 	return sql.ErrNoRows
 }
 
+func (q *fakeQuerier) DeleteApplicationConnectAPIKeysByUserID(_ context.Context, userID uuid.UUID) error {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for i := len(q.apiKeys) - 1; i >= 0; i-- {
+		if q.apiKeys[i].UserID == userID && q.apiKeys[i].Scope == database.APIKeyScopeApplicationConnect {
+			q.apiKeys = append(q.apiKeys[:i], q.apiKeys[i+1:]...)
+		}
+	}
+
+	return nil
+}
+
 func (q *fakeQuerier) DeleteAPIKeysByUserID(_ context.Context, userID uuid.UUID) error {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -66,12 +66,18 @@ WHERE
 	id = $1;
 
 -- name: DeleteAPIKeyByID :exec
-DELETE
-FROM
+DELETE FROM
 	api_keys
 WHERE
 	id = $1;
 
+-- name: DeleteApplicationConnectAPIKeysByUserID :exec
+DELETE FROM
+	api_keys
+WHERE
+	user_id = $1 AND
+	scope = 'application_connect'::api_key_scope;
+
 -- name: DeleteAPIKeysByUserID :exec
 DELETE FROM
 	api_keys
 
@@ -194,48 +194,17 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Deployments should not host app tokens on the same domain as the
-	// primary deployment. But in the case they are, we should also delete this
-	// token.
-	if appCookie, _ := r.Cookie(codersdk.DevURLSessionTokenCookie); appCookie != nil {
-		appCookieRemove := &http.Cookie{
-			// MaxAge < 0 means to delete the cookie now.
-			MaxAge: -1,
-			Name:   codersdk.DevURLSessionTokenCookie,
-			Path:   "/",
-			Domain: "." + api.AccessURL.Hostname(),
-		}
-		http.SetCookie(rw, appCookieRemove)
-
-		id, _, err := httpmw.SplitAPIToken(appCookie.Value)
-		if err == nil {
-			err = api.Database.DeleteAPIKeyByID(ctx, id)
-			if err != nil {
-				// Don't block logout, just log any errors.
-				api.Logger.Warn(r.Context(), "failed to delete devurl token on logout",
-					slog.Error(err),
-					slog.F("id", id),
-				)
-			}
-		}
-	}
-
-	// This code should be removed after Jan 1 2023.
-	// This code logs out of the old session cookie before we renamed it
-	// if it is a valid coder token. Otherwise, this old cookie hangs around
-	// and we never log out of the user.
-	oldCookie, err := r.Cookie("session_token")
-	if err == nil && oldCookie != nil {
-		_, _, err := httpmw.SplitAPIToken(oldCookie.Value)
-		if err == nil {
-			cookie := &http.Cookie{
-				// MaxAge < 0 means to delete the cookie now.
-				MaxAge: -1,
-				Name:   "session_token",
-				Path:   "/",
-			}
-			http.SetCookie(rw, cookie)
-		}
+	// Invalidate all subdomain app tokens. This saves us from having to
+	// track which app tokens are associated which this browser session and
+	// doesn't inconvenience the user as they'll just get redirected if they try
+	// to access the app again.
+	err = api.Database.DeleteApplicationConnectAPIKeysByUserID(ctx, apiKey.UserID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error deleting app tokens.",
+			Detail:  err.Error(),
+		})
+		return
 	}
 
 	aReq.New = database.APIKey{}