coder
diff --git a/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions b/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎cli/deployment/flags.go
Lines changed: 1 addition & 1 deletion b/‎cli/deployment/flags.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 11 additions & 3 deletions b/‎cli/server.go
Lines changed: 11 additions & 3 deletions
diff --git a/‎cli/templatecreate.go
Lines changed: 4 additions & 3 deletions b/‎cli/templatecreate.go
Lines changed: 4 additions & 3 deletions
diff --git a/‎cli/templatepull.go
Lines changed: 1 addition & 1 deletion b/‎cli/templatepull.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/templatepush.go
Lines changed: 1 addition & 1 deletion b/‎cli/templatepush.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/tokens.go
Lines changed: 1 addition & 1 deletion b/‎cli/tokens.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/activitybump_test.go
Lines changed: 9 additions & 1 deletion b/‎coderd/activitybump_test.go
Lines changed: 9 additions & 1 deletion
diff --git a/‎coderd/apikey.go
Lines changed: 17 additions & 0 deletions b/‎coderd/apikey.go
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/apikey_test.go
Lines changed: 52 additions & 21 deletions b/‎coderd/apikey_test.go
Lines changed: 52 additions & 21 deletions
diff --git a/‎coderd/audit/audit.go
Lines changed: 6 additions & 2 deletions b/‎coderd/audit/audit.go
Lines changed: 6 additions & 2 deletions
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 29 additions & 10 deletions b/‎coderd/coderd.go
Lines changed: 29 additions & 10 deletions
@@ -25,6 +25,7 @@
     "drpcserver",
     "Dsts",
     "enablements",
+    "eventsourcemock",
     "fatih",
     "Formik",
     "gitsshkey",
 
@@ -32,7 +32,7 @@ func Flags() *codersdk.DeploymentFlags {
 			Name:        "Wildcard Address URL",
 			Flag:        "wildcard-access-url",
 			EnvVar:      "CODER_WILDCARD_ACCESS_URL",
-			Description: `Specifies the wildcard hostname to use for workspace applications in the form "*.example.com".`,
+			Description: `Specifies the wildcard hostname to use for workspace applications in the form "*.example.com" or "*-suffix.example.com". Ports or schemes should not be included. The scheme will be copied from the access URL.`,
 		},
 		Address: &codersdk.StringFlag{
 			Name:        "Bind Address",
 
@@ -17,6 +17,7 @@ import (
 	"os/signal"
 	"os/user"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"sync"
@@ -53,6 +54,7 @@ import (
 	"github.com/coder/coder/coderd/database/migrations"
 	"github.com/coder/coder/coderd/devtunnel"
 	"github.com/coder/coder/coderd/gitsshkey"
+	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/prometheusmetrics"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/tracing"
@@ -297,13 +299,19 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 				return xerrors.Errorf("create derp map: %w", err)
 			}
 
-			appHostname := strings.TrimPrefix(dflags.WildcardAccessURL.Value, "http://")
-			appHostname = strings.TrimPrefix(appHostname, "https://")
-			appHostname = strings.TrimPrefix(appHostname, "*.")
+			appHostname := strings.TrimSpace(dflags.WildcardAccessURL.Value)
+			var appHostnameRegex *regexp.Regexp
+			if appHostname != "" {
+				appHostnameRegex, err = httpapi.CompileHostnamePattern(appHostname)
+				if err != nil {
+					return xerrors.Errorf("parse wildcard access URL %q: %w", appHostname, err)
+				}
+			}
 
 			options := &coderd.Options{
 				AccessURL:                   accessURLParsed,
 				AppHostname:                 appHostname,
+				AppHostnameRegex:            appHostnameRegex,
 				Logger:                      logger.Named("coderd"),
 				Database:                    databasefake.New(),
 				DERPMap:                     derpMap,
 
@@ -10,6 +10,7 @@ import (
 	"unicode/utf8"
 
 	"github.com/briandowns/spinner"
+	"github.com/google/uuid"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
@@ -91,7 +92,7 @@ func templateCreate() *cobra.Command {
 				Client:        client,
 				Organization:  organization,
 				Provisioner:   database.ProvisionerType(provisioner),
-				FileHash:      resp.Hash,
+				FileID:        resp.ID,
 				ParameterFile: parameterFile,
 			})
 			if err != nil {
@@ -148,7 +149,7 @@ type createValidTemplateVersionArgs struct {
 	Client        *codersdk.Client
 	Organization  codersdk.Organization
 	Provisioner   database.ProvisionerType
-	FileHash      string
+	FileID        uuid.UUID
 	ParameterFile string
 	// Template is only required if updating a template's active version.
 	Template *codersdk.Template
@@ -165,7 +166,7 @@ func createValidTemplateVersion(cmd *cobra.Command, args createValidTemplateVers
 	req := codersdk.CreateTemplateVersionRequest{
 		Name:            args.Name,
 		StorageMethod:   codersdk.ProvisionerStorageMethodFile,
-		StorageSource:   args.FileHash,
+		FileID:          args.FileID,
 		Provisioner:     codersdk.ProvisionerType(args.Provisioner),
 		ParameterValues: parameters,
 	}
 
@@ -66,7 +66,7 @@ func templatePull() *cobra.Command {
 			latest := versions[0]
 
 			// Download the tar archive.
-			raw, ctype, err := client.Download(ctx, latest.Job.StorageSource)
+			raw, ctype, err := client.Download(ctx, latest.Job.FileID)
 			if err != nil {
 				return xerrors.Errorf("download template: %w", err)
 			}
 
@@ -80,7 +80,7 @@ func templatePush() *cobra.Command {
 				Client:          client,
 				Organization:    organization,
 				Provisioner:     database.ProvisionerType(provisioner),
-				FileHash:        resp.Hash,
+				FileID:          resp.ID,
 				ParameterFile:   parameterFile,
 				Template:        &template,
 				ReuseParameters: !alwaysPrompt,
 
@@ -55,7 +55,7 @@ func createToken() *cobra.Command {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}
 
-			res, err := client.CreateToken(cmd.Context(), codersdk.Me)
+			res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})
 			if err != nil {
 				return xerrors.Errorf("create tokens: %w", err)
 			}
 
@@ -23,7 +23,15 @@ func TestWorkspaceActivityBump(t *testing.T) {
 	setupActivityTest := func(t *testing.T) (client *codersdk.Client, workspace codersdk.Workspace, assertBumped func(want bool)) {
 		var ttlMillis int64 = 60 * 1000
 
-		client, _, workspace, _ = setupProxyTest(t, func(cwr *codersdk.CreateWorkspaceRequest) {
+		client = coderdtest.New(t, &coderdtest.Options{
+			AppHostname:                 proxyTestSubdomainRaw,
+			IncludeProvisionerDaemon:    true,
+			AgentStatsRefreshInterval:   time.Millisecond * 100,
+			MetricsCacheRefreshInterval: time.Millisecond * 100,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		workspace = createWorkspaceWithApps(t, client, user.OrganizationID, 1234, func(cwr *codersdk.CreateWorkspaceRequest) {
 			cwr.TTLMillis = &ttlMillis
 		})
 
 
@@ -34,12 +34,23 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var createToken codersdk.CreateTokenRequest
+	if !httpapi.Read(ctx, rw, r, &createToken) {
+		return
+	}
+
+	scope := database.APIKeyScopeAll
+	if scope != "" {
+		scope = database.APIKeyScope(createToken.Scope)
+	}
+
 	// tokens last 100 years
 	lifeTime := time.Hour * 876000
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		ExpiresAt:       database.Now().Add(lifeTime),
+		Scope:           scope,
 		LifetimeSeconds: int64(lifeTime.Seconds()),
 	})
 	if err != nil {
@@ -54,6 +65,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 }
 
 // Creates a new session key, used for logging in via the CLI.
+// DEPRECATED: use postToken instead.
 func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
@@ -229,6 +241,11 @@ func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*h
 	if params.Scope != "" {
 		scope = params.Scope
 	}
+	switch scope {
+	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
+	default:
+		return nil, xerrors.Errorf("invalid API key scope: %q", scope)
+	}
 
 	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
 		ID:              keyID,
 
@@ -14,30 +14,61 @@ import (
 
 func TestTokens(t *testing.T) {
 	t.Parallel()
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	_ = coderdtest.CreateFirstUser(t, client)
-	keys, err := client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
 
-	res, err := client.CreateToken(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Greater(t, len(res.Key), 2)
+	t.Run("CRUD", func(t *testing.T) {
+		t.Parallel()
 
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.EqualValues(t, len(keys), 1)
-	require.Contains(t, res.Key, keys[0].ID)
-	// expires_at must be greater than 50 years
-	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
 
-	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
-	require.NoError(t, err)
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
+
+		// no update
+
+		err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
+		require.NoError(t, err)
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
+	})
+
+	t.Run("Scoped", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Scope: codersdk.APIKeyScopeApplicationConnect,
+		})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+	})
 }
 
 func TestAPIKey(t *testing.T) {
 
@@ -21,7 +21,9 @@ func (nop) Export(context.Context, database.AuditLog) error {
 	return nil
 }
 
-func (nop) diff(any, any) Map { return Map{} }
+func (nop) diff(any, any) Map {
+	return Map{}
+}
 
 func NewMock() *MockAuditor {
 	return &MockAuditor{}
@@ -36,4 +38,6 @@ func (a *MockAuditor) Export(_ context.Context, alog database.AuditLog) error {
 	return nil
 }
 
-func (*MockAuditor) diff(any, any) Map { return Map{} }
+func (*MockAuditor) diff(any, any) Map {
+	return Map{}
+}
@@ -276,7 +276,7 @@ func build(ctx context.Context, store database.Store, workspace database.Workspa
 		Provisioner:    template.Provisioner,
 		Type:           database.ProvisionerJobTypeWorkspaceBuild,
 		StorageMethod:  priorJob.StorageMethod,
-		StorageSource:  priorJob.StorageSource,
+		FileID:         priorJob.FileID,
 		Input:          input,
 	})
 	if err != nil {
 
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"path/filepath"
+	"regexp"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -46,11 +47,16 @@ import (
 type Options struct {
 	AccessURL *url.URL
 	// AppHostname should be the wildcard hostname to use for workspace
-	// applications without the asterisk or leading dot. E.g. "apps.coder.com".
+	// applications INCLUDING the asterisk, (optional) suffix and leading dot.
+	// E.g. "*.apps.coder.com" or "*-apps.coder.com".
 	AppHostname string
-	Logger      slog.Logger
-	Database    database.Store
-	Pubsub      database.Pubsub
+	// AppHostnameRegex contains the regex version of options.AppHostname as
+	// generated by httpapi.CompileHostnamePattern(). It MUST be set if
+	// options.AppHostname is set.
+	AppHostnameRegex *regexp.Regexp
+	Logger           slog.Logger
+	Database         database.Store
+	Pubsub           database.Pubsub
 
 	// CacheDir is used for caching files served by the API.
 	CacheDir string
@@ -90,6 +96,9 @@ func New(options *Options) *API {
 	if options == nil {
 		options = &Options{}
 	}
+	if options.AppHostname != "" && options.AppHostnameRegex == nil || options.AppHostname == "" && options.AppHostnameRegex != nil {
+		panic("coderd: both AppHostname and AppHostnameRegex must be set or unset")
+	}
 	if options.AgentConnectionUpdateFrequency == 0 {
 		options.AgentConnectionUpdateFrequency = 3 * time.Second
 	}
@@ -197,7 +206,7 @@ func New(options *Options) *API {
 				RedirectToLogin: false,
 				Optional:        true,
 			}),
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractUserParam(api.Database, false),
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		),
 		// Build-Version is helpful for debugging.
@@ -214,8 +223,18 @@ func New(options *Options) *API {
 		r.Use(
 			tracing.Middleware(api.TracerProvider),
 			httpmw.RateLimitPerMinute(options.APIRateLimit),
-			apiKeyMiddlewareRedirect,
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
+				DB:            options.Database,
+				OAuth2Configs: oauthConfigs,
+				// Optional is true to allow for public apps. If an
+				// authorization check fails and the user is not authenticated,
+				// they will be redirected to the login page by the app handler.
+				RedirectToLogin: false,
+				Optional:        true,
+			}),
+			// Redirect to the login page if the user tries to open an app with
+			// "me" as the username and they are not logged in.
+			httpmw.ExtractUserParam(api.Database, true),
 			// Extracts the <workspace.agent> from the url
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		)
@@ -280,7 +299,7 @@ func New(options *Options) *API {
 				// file content is expensive so it should be small.
 				httpmw.RateLimitPerMinute(12),
 			)
-			r.Get("/{hash}", api.fileByHash)
+			r.Get("/{fileID}", api.fileByID)
 			r.Post("/", api.postFile)
 		})
 
@@ -310,7 +329,7 @@ func New(options *Options) *API {
 					r.Get("/roles", api.assignableOrgRoles)
 					r.Route("/{user}", func(r chi.Router) {
 						r.Use(
-							httpmw.ExtractUserParam(options.Database),
+							httpmw.ExtractUserParam(options.Database, false),
 							httpmw.ExtractOrganizationMemberParam(options.Database),
 						)
 						r.Put("/roles", api.putMemberRoles)
@@ -389,7 +408,7 @@ func New(options *Options) *API {
 					r.Get("/", api.assignableSiteRoles)
 				})
 				r.Route("/{user}", func(r chi.Router) {
-					r.Use(httpmw.ExtractUserParam(options.Database))
+					r.Use(httpmw.ExtractUserParam(options.Database, false))
 					r.Delete("/", api.deleteUser)
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func templatePull() *cobra.Command {`
`66`	`66`	`latest := versions[0]`
`67`	`67`
`68`	`68`	`// Download the tar archive.`
`69`		`- raw, ctype, err := client.Download(ctx, latest.Job.StorageSource)`
	`69`	`+ raw, ctype, err := client.Download(ctx, latest.Job.FileID)`
`70`	`70`	`if err != nil {`
`71`	`71`	`return xerrors.Errorf("download template: %w", err)`
`72`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func createToken() *cobra.Command {`
`55`	`55`	`return xerrors.Errorf("create codersdk client: %w", err)`
`56`	`56`	`}`
`57`	`57`
`58`		`- res, err := client.CreateToken(cmd.Context(), codersdk.Me)`
	`58`	`+ res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})`
`59`	`59`	`if err != nil {`
`60`	`60`	`return xerrors.Errorf("create tokens: %w", err)`
`61`	`61`	`}`