coder
diff --git a/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions b/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎cli/templatecreate.go
Lines changed: 4 additions & 3 deletions b/‎cli/templatecreate.go
Lines changed: 4 additions & 3 deletions
diff --git a/‎cli/templatepull.go
Lines changed: 1 addition & 1 deletion b/‎cli/templatepull.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/templatepush.go
Lines changed: 1 addition & 1 deletion b/‎cli/templatepush.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/tokens.go
Lines changed: 1 addition & 1 deletion b/‎cli/tokens.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apikey.go
Lines changed: 17 additions & 0 deletions b/‎coderd/apikey.go
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/apikey_test.go
Lines changed: 52 additions & 21 deletions b/‎coderd/apikey_test.go
Lines changed: 52 additions & 21 deletions
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 16 additions & 6 deletions b/‎coderd/coderd.go
Lines changed: 16 additions & 6 deletions
diff --git a/‎coderd/coderdtest/authorize.go
Lines changed: 2 additions & 2 deletions b/‎coderd/coderdtest/authorize.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 2 additions & 2 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 2 additions & 2 deletions
@@ -26,6 +26,7 @@
     "drpcserver",
     "Dsts",
     "enablements",
+    "eventsourcemock",
     "fatih",
     "Formik",
     "gitsshkey",
 
@@ -10,6 +10,7 @@ import (
 	"unicode/utf8"
 
 	"github.com/briandowns/spinner"
+	"github.com/google/uuid"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
@@ -91,7 +92,7 @@ func templateCreate() *cobra.Command {
 				Client:        client,
 				Organization:  organization,
 				Provisioner:   database.ProvisionerType(provisioner),
-				FileHash:      resp.Hash,
+				FileID:        resp.ID,
 				ParameterFile: parameterFile,
 			})
 			if err != nil {
@@ -148,7 +149,7 @@ type createValidTemplateVersionArgs struct {
 	Client        *codersdk.Client
 	Organization  codersdk.Organization
 	Provisioner   database.ProvisionerType
-	FileHash      string
+	FileID        uuid.UUID
 	ParameterFile string
 	// Template is only required if updating a template's active version.
 	Template *codersdk.Template
@@ -165,7 +166,7 @@ func createValidTemplateVersion(cmd *cobra.Command, args createValidTemplateVers
 	req := codersdk.CreateTemplateVersionRequest{
 		Name:            args.Name,
 		StorageMethod:   codersdk.ProvisionerStorageMethodFile,
-		StorageSource:   args.FileHash,
+		FileID:          args.FileID,
 		Provisioner:     codersdk.ProvisionerType(args.Provisioner),
 		ParameterValues: parameters,
 	}
 
@@ -66,7 +66,7 @@ func templatePull() *cobra.Command {
 			latest := versions[0]
 
 			// Download the tar archive.
-			raw, ctype, err := client.Download(ctx, latest.Job.StorageSource)
+			raw, ctype, err := client.Download(ctx, latest.Job.FileID)
 			if err != nil {
 				return xerrors.Errorf("download template: %w", err)
 			}
 
@@ -80,7 +80,7 @@ func templatePush() *cobra.Command {
 				Client:          client,
 				Organization:    organization,
 				Provisioner:     database.ProvisionerType(provisioner),
-				FileHash:        resp.Hash,
+				FileID:          resp.ID,
 				ParameterFile:   parameterFile,
 				Template:        &template,
 				ReuseParameters: !alwaysPrompt,
 
@@ -55,7 +55,7 @@ func createToken() *cobra.Command {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}
 
-			res, err := client.CreateToken(cmd.Context(), codersdk.Me)
+			res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})
 			if err != nil {
 				return xerrors.Errorf("create tokens: %w", err)
 			}
 
@@ -34,12 +34,23 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var createToken codersdk.CreateTokenRequest
+	if !httpapi.Read(ctx, rw, r, &createToken) {
+		return
+	}
+
+	scope := database.APIKeyScopeAll
+	if scope != "" {
+		scope = database.APIKeyScope(createToken.Scope)
+	}
+
 	// tokens last 100 years
 	lifeTime := time.Hour * 876000
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		ExpiresAt:       database.Now().Add(lifeTime),
+		Scope:           scope,
 		LifetimeSeconds: int64(lifeTime.Seconds()),
 	})
 	if err != nil {
@@ -54,6 +65,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 }
 
 // Creates a new session key, used for logging in via the CLI.
+// DEPRECATED: use postToken instead.
 func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
@@ -229,6 +241,11 @@ func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*h
 	if params.Scope != "" {
 		scope = params.Scope
 	}
+	switch scope {
+	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
+	default:
+		return nil, xerrors.Errorf("invalid API key scope: %q", scope)
+	}
 
 	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
 		ID:              keyID,
 
@@ -14,30 +14,61 @@ import (
 
 func TestTokens(t *testing.T) {
 	t.Parallel()
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	_ = coderdtest.CreateFirstUser(t, client)
-	keys, err := client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
 
-	res, err := client.CreateToken(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Greater(t, len(res.Key), 2)
+	t.Run("CRUD", func(t *testing.T) {
+		t.Parallel()
 
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.EqualValues(t, len(keys), 1)
-	require.Contains(t, res.Key, keys[0].ID)
-	// expires_at must be greater than 50 years
-	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
 
-	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
-	require.NoError(t, err)
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
+
+		// no update
+
+		err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
+		require.NoError(t, err)
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
+	})
+
+	t.Run("Scoped", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Scope: codersdk.APIKeyScopeApplicationConnect,
+		})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+	})
 }
 
 func TestAPIKey(t *testing.T) {
 
@@ -276,7 +276,7 @@ func build(ctx context.Context, store database.Store, workspace database.Workspa
 		Provisioner:    template.Provisioner,
 		Type:           database.ProvisionerJobTypeWorkspaceBuild,
 		StorageMethod:  priorJob.StorageMethod,
-		StorageSource:  priorJob.StorageSource,
+		FileID:         priorJob.FileID,
 		Input:          input,
 	})
 	if err != nil {
 
@@ -202,7 +202,7 @@ func New(options *Options) *API {
 				RedirectToLogin: false,
 				Optional:        true,
 			}),
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractUserParam(api.Database, false),
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		),
 		// Build-Version is helpful for debugging.
@@ -219,8 +219,18 @@ func New(options *Options) *API {
 		r.Use(
 			tracing.Middleware(api.TracerProvider),
 			httpmw.RateLimitPerMinute(options.APIRateLimit),
-			apiKeyMiddlewareRedirect,
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
+				DB:            options.Database,
+				OAuth2Configs: oauthConfigs,
+				// Optional is true to allow for public apps. If an
+				// authorization check fails and the user is not authenticated,
+				// they will be redirected to the login page by the app handler.
+				RedirectToLogin: false,
+				Optional:        true,
+			}),
+			// Redirect to the login page if the user tries to open an app with
+			// "me" as the username and they are not logged in.
+			httpmw.ExtractUserParam(api.Database, true),
 			// Extracts the <workspace.agent> from the url
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		)
@@ -285,7 +295,7 @@ func New(options *Options) *API {
 				// file content is expensive so it should be small.
 				httpmw.RateLimitPerMinute(12),
 			)
-			r.Get("/{hash}", api.fileByHash)
+			r.Get("/{fileID}", api.fileByID)
 			r.Post("/", api.postFile)
 		})
 
@@ -315,7 +325,7 @@ func New(options *Options) *API {
 					r.Get("/roles", api.assignableOrgRoles)
 					r.Route("/{user}", func(r chi.Router) {
 						r.Use(
-							httpmw.ExtractUserParam(options.Database),
+							httpmw.ExtractUserParam(options.Database, false),
 							httpmw.ExtractOrganizationMemberParam(options.Database),
 						)
 						r.Put("/roles", api.putMemberRoles)
@@ -394,7 +404,7 @@ func New(options *Options) *API {
 					r.Get("/", api.assignableSiteRoles)
 				})
 				r.Route("/{user}", func(r chi.Router) {
-					r.Use(httpmw.ExtractUserParam(options.Database))
+					r.Use(httpmw.ExtractUserParam(options.Database, false))
 					r.Delete("/", api.deleteUser)
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 
@@ -142,7 +142,7 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 			AssertObject: rbac.ResourceTemplate.InOrg(a.Template.OrganizationID),
 		},
 		"POST:/api/v2/files": {AssertAction: rbac.ActionCreate, AssertObject: rbac.ResourceFile},
-		"GET:/api/v2/files/{hash}": {
+		"GET:/api/v2/files/{fileID}": {
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceFile.WithOwner(a.Admin.UserID.String()),
 		},
@@ -369,7 +369,7 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
 		"{workspaceagent}":      workspace.LatestBuild.Resources[0].Agents[0].ID.String(),
 		"{buildnumber}":         strconv.FormatInt(int64(workspace.LatestBuild.BuildNumber), 10),
 		"{template}":            template.ID.String(),
-		"{hash}":                file.Hash,
+		"{fileID}":              file.ID.String(),
 		"{workspaceresource}":   workspace.LatestBuild.Resources[0].ID.String(),
 		"{workspaceapp}":        workspace.LatestBuild.Resources[0].Agents[0].Apps[0].Name,
 		"{templateversion}":     version.ID.String(),
 
@@ -390,7 +390,7 @@ func CreateTemplateVersion(t *testing.T, client *codersdk.Client, organizationID
 	file, err := client.Upload(context.Background(), codersdk.ContentTypeTar, data)
 	require.NoError(t, err)
 	templateVersion, err := client.CreateTemplateVersion(context.Background(), organizationID, codersdk.CreateTemplateVersionRequest{
-		StorageSource: file.Hash,
+		FileID:        file.ID,
 		StorageMethod: codersdk.ProvisionerStorageMethodFile,
 		Provisioner:   codersdk.ProvisionerTypeEcho,
 	})
@@ -438,7 +438,7 @@ func UpdateTemplateVersion(t *testing.T, client *codersdk.Client, organizationID
 	require.NoError(t, err)
 	templateVersion, err := client.CreateTemplateVersion(context.Background(), organizationID, codersdk.CreateTemplateVersionRequest{
 		TemplateID:    templateID,
-		StorageSource: file.Hash,
+		FileID:        file.ID,
 		StorageMethod: codersdk.ProvisionerStorageMethodFile,
 		Provisioner:   codersdk.ProvisionerTypeEcho,
 	})
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func templatePull() *cobra.Command {`
`66`	`66`	`latest := versions[0]`
`67`	`67`
`68`	`68`	`// Download the tar archive.`
`69`		`- raw, ctype, err := client.Download(ctx, latest.Job.StorageSource)`
	`69`	`+ raw, ctype, err := client.Download(ctx, latest.Job.FileID)`
`70`	`70`	`if err != nil {`
`71`	`71`	`return xerrors.Errorf("download template: %w", err)`
`72`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func createToken() *cobra.Command {`
`55`	`55`	`return xerrors.Errorf("create codersdk client: %w", err)`
`56`	`56`	`}`
`57`	`57`
`58`		`- res, err := client.CreateToken(cmd.Context(), codersdk.Me)`
	`58`	`+ res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})`
`59`	`59`	`if err != nil {`
`60`	`60`	`return xerrors.Errorf("create tokens: %w", err)`
`61`	`61`	`}`