coder
diff --git a/‎cli/tokens.go
Lines changed: 1 addition & 1 deletion b/‎cli/tokens.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apikey.go
Lines changed: 17 additions & 0 deletions b/‎coderd/apikey.go
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/apikey_test.go
Lines changed: 52 additions & 21 deletions b/‎coderd/apikey_test.go
Lines changed: 52 additions & 21 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 15 additions & 5 deletions b/‎coderd/coderd.go
Lines changed: 15 additions & 5 deletions
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 5 additions & 0 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 8 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 8 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000060_app_sharing_level.down.sql
Lines changed: 5 additions & 0 deletions b/‎coderd/database/migrations/000060_app_sharing_level.down.sql
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000060_app_sharing_level.up.sql
Lines changed: 12 additions & 0 deletions b/‎coderd/database/migrations/000060_app_sharing_level.up.sql
Lines changed: 12 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 21 additions & 0 deletions b/‎coderd/database/models.go
Lines changed: 21 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 13 additions & 5 deletions b/‎coderd/database/queries.sql.go
Lines changed: 13 additions & 5 deletions
@@ -55,7 +55,7 @@ func createToken() *cobra.Command {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}
 
-			res, err := client.CreateToken(cmd.Context(), codersdk.Me)
+			res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})
 			if err != nil {
 				return xerrors.Errorf("create tokens: %w", err)
 			}
 
@@ -34,12 +34,23 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var createToken codersdk.CreateTokenRequest
+	if !httpapi.Read(ctx, rw, r, &createToken) {
+		return
+	}
+
+	scope := database.APIKeyScopeAll
+	if scope != "" {
+		scope = database.APIKeyScope(createToken.Scope)
+	}
+
 	// tokens last 100 years
 	lifeTime := time.Hour * 876000
 	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
 		UserID:          user.ID,
 		LoginType:       database.LoginTypeToken,
 		ExpiresAt:       database.Now().Add(lifeTime),
+		Scope:           scope,
 		LifetimeSeconds: int64(lifeTime.Seconds()),
 	})
 	if err != nil {
@@ -54,6 +65,7 @@ func (api *API) postToken(rw http.ResponseWriter, r *http.Request) {
 }
 
 // Creates a new session key, used for logging in via the CLI.
+// DEPRECATED: use postToken instead.
 func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
@@ -229,6 +241,11 @@ func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*h
 	if params.Scope != "" {
 		scope = params.Scope
 	}
+	switch scope {
+	case database.APIKeyScopeAll, database.APIKeyScopeApplicationConnect:
+	default:
+		return nil, xerrors.Errorf("invalid API key scope: %q", scope)
+	}
 
 	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
 		ID:              keyID,
 
@@ -14,30 +14,61 @@ import (
 
 func TestTokens(t *testing.T) {
 	t.Parallel()
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-	_ = coderdtest.CreateFirstUser(t, client)
-	keys, err := client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
 
-	res, err := client.CreateToken(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Greater(t, len(res.Key), 2)
+	t.Run("CRUD", func(t *testing.T) {
+		t.Parallel()
 
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.EqualValues(t, len(keys), 1)
-	require.Contains(t, res.Key, keys[0].ID)
-	// expires_at must be greater than 50 years
-	require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
 
-	err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
-	require.NoError(t, err)
-	keys, err = client.GetTokens(ctx, codersdk.Me)
-	require.NoError(t, err)
-	require.Empty(t, keys)
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, codersdk.APIKeyScopeAll, keys[0].Scope)
+
+		// no update
+
+		err = client.DeleteAPIKey(ctx, codersdk.Me, keys[0].ID)
+		require.NoError(t, err)
+		keys, err = client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.Empty(t, keys)
+	})
+
+	t.Run("Scoped", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		res, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
+			Scope: codersdk.APIKeyScopeApplicationConnect,
+		})
+		require.NoError(t, err)
+		require.Greater(t, len(res.Key), 2)
+
+		keys, err := client.GetTokens(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.EqualValues(t, len(keys), 1)
+		require.Contains(t, res.Key, keys[0].ID)
+		// expires_at must be greater than 50 years
+		require.Greater(t, keys[0].ExpiresAt, time.Now().Add(time.Hour*438300))
+		require.Equal(t, keys[0].Scope, codersdk.APIKeyScopeApplicationConnect)
+	})
 }
 
 func TestAPIKey(t *testing.T) {
 
@@ -197,7 +197,7 @@ func New(options *Options) *API {
 				RedirectToLogin: false,
 				Optional:        true,
 			}),
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractUserParam(api.Database, false),
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		),
 		// Build-Version is helpful for debugging.
@@ -214,8 +214,18 @@ func New(options *Options) *API {
 		r.Use(
 			tracing.Middleware(api.TracerProvider),
 			httpmw.RateLimitPerMinute(options.APIRateLimit),
-			apiKeyMiddlewareRedirect,
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
+				DB:            options.Database,
+				OAuth2Configs: oauthConfigs,
+				// Optional is true to allow for public apps. If an
+				// authorization check fails and the user is not authenticated,
+				// they will be redirected to the login page by the app handler.
+				RedirectToLogin: false,
+				Optional:        true,
+			}),
+			// Redirect to the login page if the user tries to open an app with
+			// "me" as the username and they are not logged in.
+			httpmw.ExtractUserParam(api.Database, true),
 			// Extracts the <workspace.agent> from the url
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		)
@@ -310,7 +320,7 @@ func New(options *Options) *API {
 					r.Get("/roles", api.assignableOrgRoles)
 					r.Route("/{user}", func(r chi.Router) {
 						r.Use(
-							httpmw.ExtractUserParam(options.Database),
+							httpmw.ExtractUserParam(options.Database, false),
 							httpmw.ExtractOrganizationMemberParam(options.Database),
 						)
 						r.Put("/roles", api.putMemberRoles)
@@ -389,7 +399,7 @@ func New(options *Options) *API {
 					r.Get("/", api.assignableSiteRoles)
 				})
 				r.Route("/{user}", func(r chi.Router) {
-					r.Use(httpmw.ExtractUserParam(options.Database))
+					r.Use(httpmw.ExtractUserParam(options.Database, false))
 					r.Delete("/", api.deleteUser)
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 
@@ -2324,6 +2324,10 @@ func (q *fakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertW
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
+	if arg.SharingLevel == "" {
+		arg.SharingLevel = database.AppSharingLevelOwner
+	}
+
 	// nolint:gosimple
 	workspaceApp := database.WorkspaceApp{
 		ID:                   arg.ID,
@@ -2334,6 +2338,7 @@ func (q *fakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertW
 		Command:              arg.Command,
 		Url:                  arg.Url,
 		Subdomain:            arg.Subdomain,
+		SharingLevel:         arg.SharingLevel,
 		HealthcheckUrl:       arg.HealthcheckUrl,
 		HealthcheckInterval:  arg.HealthcheckInterval,
 		HealthcheckThreshold: arg.HealthcheckThreshold,
 
@@ -0,0 +1,5 @@
+-- Drop column sharing_level from workspace_apps
+ALTER TABLE workspace_apps DROP COLUMN sharing_level;
+
+-- Drop type app_sharing_level
+DROP TYPE app_sharing_level;
@@ -0,0 +1,12 @@
+-- Add enum app_sharing_level
+CREATE TYPE app_sharing_level AS ENUM (
+	-- only the workspace owner can access the app
+	'owner',
+	-- any authenticated user on the site can access the app
+	'authenticated',
+	-- any user can access the app even if they are not authenticated
+	'public'
+);
+
+-- Add sharing_level column to workspace_apps table
+ALTER TABLE workspace_apps ADD COLUMN sharing_level app_sharing_level NOT NULL DEFAULT 'owner'::app_sharing_level;
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ func createToken() *cobra.Command {`
`55`	`55`	`return xerrors.Errorf("create codersdk client: %w", err)`
`56`	`56`	`}`
`57`	`57`
`58`		`- res, err := client.CreateToken(cmd.Context(), codersdk.Me)`
	`58`	`+ res, err := client.CreateToken(cmd.Context(), codersdk.Me, codersdk.CreateTokenRequest{})`
`59`	`59`	`if err != nil {`
`60`	`60`	`return xerrors.Errorf("create tokens: %w", err)`
`61`	`61`	`}`