exhaustruct httpmw package

johnstcn · johnstcn · commit 94dd2435fc35 · 2023-07-11T11:19:49.000+01:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -389,6 +389,7 @@ func New(options *Options) *API {
 		RedirectToLogin:             false,
 		DisableSessionExpiryRefresh: options.DeploymentValues.DisableSessionExpiryRefresh.Value(),
 		Optional:                    false,
+		SessionTokenFunc:            nil, // Default behaviour
 	})
 	// Same as above but it redirects to the login page.
 	apiKeyMiddlewareRedirect := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
@@ -397,6 +398,7 @@ func New(options *Options) *API {
 		RedirectToLogin:             true,
 		DisableSessionExpiryRefresh: options.DeploymentValues.DisableSessionExpiryRefresh.Value(),
 		Optional:                    false,
+		SessionTokenFunc:            nil, // Default behaviour
 	})
 	// Same as the first but it's optional.
 	apiKeyMiddlewareOptional := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
@@ -405,6 +407,7 @@ func New(options *Options) *API {
 		RedirectToLogin:             false,
 		DisableSessionExpiryRefresh: options.DeploymentValues.DisableSessionExpiryRefresh.Value(),
 		Optional:                    true,
+		SessionTokenFunc:            nil, // Default behaviour
 	})
 
 	// API rate limit middleware. The counter is local and not shared between
diff --git a/coderd/httpmw/hsts.go b/coderd/httpmw/hsts.go
@@ -20,7 +20,7 @@ type HSTSConfig struct {
 func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error) {
 	if maxAge <= 0 {
 		// No header, so no need to build the header string.
-		return HSTSConfig{}, nil
+		return HSTSConfig{HeaderValue: ""}, nil
 	}
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
diff --git a/coderd/httpmw/realip.go b/coderd/httpmw/realip.go
@@ -56,7 +56,10 @@ func ExtractRealIP(config *RealIPConfig) func(next http.Handler) http.Handler {
 // configuration and headers. It does not mutate the original request.
 func ExtractRealIPAddress(config *RealIPConfig, req *http.Request) (net.IP, error) {
 	if config == nil {
-		config = &RealIPConfig{}
+		config = &RealIPConfig{
+			TrustedOrigins: []*net.IPNet{},
+			TrustedHeaders: []string{},
+		}
 	}
 
 	cf := isContainedIn(config.TrustedOrigins, getRemoteAddress(req.RemoteAddr))
@@ -208,7 +211,10 @@ func RealIP(ctx context.Context) *RealIPState {
 // ParseRealIPConfig takes a raw string array of headers and origins
 // to produce a config.
 func ParseRealIPConfig(headers, origins []string) (*RealIPConfig, error) {
-	config := &RealIPConfig{}
+	config := &RealIPConfig{
+		TrustedOrigins: []*net.IPNet{},
+		TrustedHeaders: []string{},
+	}
 	for _, origin := range origins {
 		_, network, err := net.ParseCIDR(origin)
 		if err != nil {
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -88,13 +88,15 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 		RedirectToLogin:             false,
 		DisableSessionExpiryRefresh: options.DeploymentValues.DisableSessionExpiryRefresh.Value(),
 		Optional:                    false,
+		SessionTokenFunc:            nil, // Default behaviour
 	})
 	apiKeyMiddlewareOptional := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
 		DB:                          options.Database,
 		OAuth2Configs:               oauthConfigs,
 		RedirectToLogin:             false,
 		DisableSessionExpiryRefresh: options.DeploymentValues.DisableSessionExpiryRefresh.Value(),
 		Optional:                    true,
+		SessionTokenFunc:            nil, // Default behaviour
 	})
 
 	deploymentID, err := options.Database.GetDeploymentID(ctx)
diff --git a/site/site.go b/site/site.go
@@ -290,8 +290,15 @@ func (h *Handler) renderHTMLWithState(rw http.ResponseWriter, r *http.Request, f
 	// Cookies are sent when requesting HTML, so we can get the user
 	// and pre-populate the state for the frontend to reduce requests.
 	apiKey, actor, _ := httpmw.ExtractAPIKey(rw, r, httpmw.ExtractAPIKeyConfig{
-		Optional: true,
-		DB:       h.opts.Database,
+		DB: h.opts.Database,
+		OAuth2Configs: &httpmw.OAuth2Configs{
+			Github: nil,
+			OIDC:   nil,
+		},
+		RedirectToLogin:             false,
+		DisableSessionExpiryRefresh: false,
+		Optional:                    true,
+		SessionTokenFunc:            nil,
 	})
 	if apiKey != nil && actor != nil {
 		ctx := dbauthz.As(r.Context(), actor.Actor)

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ type HSTSConfig struct {`
`20`	`20`	`func HSTSConfigOptions(maxAge int, options []string) (HSTSConfig, error) {`
`21`	`21`	`if maxAge <= 0 {`
`22`	`22`	`// No header, so no need to build the header string.`
`23`		`- return HSTSConfig{}, nil`
	`23`	`+ return HSTSConfig{HeaderValue: ""}, nil`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security`