coder
diff --git a/‎coderd/audit.go
+6-2 b/‎coderd/audit.go
+6-2
diff --git a/‎coderd/audit/audit.go
+1-1 b/‎coderd/audit/audit.go
+1-1
diff --git a/‎coderd/audit/request.go
+5-4 b/‎coderd/audit/request.go
+5-4
diff --git a/‎coderd/coderd.go
+16-10 b/‎coderd/coderd.go
+16-10
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+7 b/‎coderd/database/dbauthz/dbauthz.go
+7
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+13 b/‎coderd/database/dbauthz/dbauthz_test.go
+13
diff --git a/‎coderd/database/dbmem/dbmem.go
+59 b/‎coderd/database/dbmem/dbmem.go
+59
diff --git a/‎coderd/database/dbmetrics/querymetrics.go
+7 b/‎coderd/database/dbmetrics/querymetrics.go
+7
diff --git a/‎coderd/database/dbmock/dbmock.go
+15 b/‎coderd/database/dbmock/dbmock.go
+15
diff --git a/‎coderd/database/dump.sql
+42 b/‎coderd/database/dump.sql
+42
diff --git a/‎coderd/database/foreign_key_constraint.go
+1 b/‎coderd/database/foreign_key_constraint.go
+1
diff --git a/‎coderd/database/migrations/000301_add_workspace_app_audit_sessions.down.sql
+1 b/‎coderd/database/migrations/000301_add_workspace_app_audit_sessions.down.sql
+1
@@ -282,10 +282,14 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
 		_, _ = b.WriteString("{user} ")
 	}
 
-	if alog.AuditLog.StatusCode >= 400 {
+	switch {
+	case alog.AuditLog.StatusCode == int32(http.StatusSeeOther):
+		_, _ = b.WriteString("was redirected attempting to ")
+		_, _ = b.WriteString(string(alog.AuditLog.Action))
+	case alog.AuditLog.StatusCode >= 400:
 		_, _ = b.WriteString("unsuccessfully attempted to ")
 		_, _ = b.WriteString(string(alog.AuditLog.Action))
-	} else {
+	default:
 		_, _ = b.WriteString(codersdk.AuditAction(alog.AuditLog.Action).Friendly())
 	}
 
 
@@ -93,7 +93,7 @@ func (a *MockAuditor) Contains(t testing.TB, expected database.AuditLog) bool {
 			t.Logf("audit log %d: expected UserID %s, got %s", idx+1, expected.UserID, al.UserID)
 			continue
 		}
-		if expected.OrganizationID != uuid.Nil && al.UserID != expected.UserID {
+		if expected.OrganizationID != uuid.Nil && al.OrganizationID != expected.OrganizationID {
 			t.Logf("audit log %d: expected OrganizationID %s, got %s", idx+1, expected.OrganizationID, al.OrganizationID)
 			continue
 		}
 
@@ -71,6 +71,7 @@ type BackgroundAuditParams[T Auditable] struct {
 	Action         database.AuditAction
 	OrganizationID uuid.UUID
 	IP             string
+	UserAgent      string
 	// todo: this should automatically marshal an interface{} instead of accepting a raw message.
 	AdditionalFields json.RawMessage
 
@@ -422,7 +423,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 			action = req.Action
 		}
 
-		ip := parseIP(p.Request.RemoteAddr)
+		ip := ParseIP(p.Request.RemoteAddr)
 		auditLog := database.AuditLog{
 			ID:               uuid.New(),
 			Time:             dbtime.Now(),
@@ -453,7 +454,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 // BackgroundAudit creates an audit log for a background event.
 // The audit log is committed upon invocation.
 func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[T]) {
-	ip := parseIP(p.IP)
+	ip := ParseIP(p.IP)
 
 	diff := Diff(p.Audit, p.Old, p.New)
 	var err error
@@ -479,7 +480,7 @@ func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[
 		UserID:           p.UserID,
 		OrganizationID:   requireOrgID[T](ctx, p.OrganizationID, p.Log),
 		Ip:               ip,
-		UserAgent:        sql.NullString{},
+		UserAgent:        sql.NullString{Valid: p.UserAgent != "", String: p.UserAgent},
 		ResourceType:     either(p.Old, p.New, ResourceType[T], p.Action),
 		ResourceID:       either(p.Old, p.New, ResourceID[T], p.Action),
 		ResourceTarget:   either(p.Old, p.New, ResourceTarget[T], p.Action),
@@ -566,7 +567,7 @@ func either[T Auditable, R any](old, new T, fn func(T) R, auditAction database.A
 	panic("both old and new are nil")
 }
 
-func parseIP(ipStr string) pqtype.Inet {
+func ParseIP(ipStr string) pqtype.Inet {
 	ip := net.ParseIP(ipStr)
 	ipNet := net.IPNet{}
 	if ip != nil {
 
@@ -226,6 +226,10 @@ type Options struct {
 	UpdateAgentMetrics func(ctx context.Context, labels prometheusmetrics.AgentMetricLabels, metrics []*agentproto.Stats_Metric)
 	StatsBatcher       workspacestats.Batcher
 
+	// WorkspaceAppAuditSessionTimeout allows changing the timeout for audit
+	// sessions. Raising or lowering this value will directly affect the write
+	// load of the audit log table. This is used for testing. Default 1 hour.
+	WorkspaceAppAuditSessionTimeout    time.Duration
 	WorkspaceAppsStatsCollectorOptions workspaceapps.StatsCollectorOptions
 
 	// This janky function is used in telemetry to parse fields out of the raw
@@ -534,16 +538,6 @@ func New(options *Options) *API {
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,
 		},
-		WorkspaceAppsProvider: workspaceapps.NewDBTokenProvider(
-			options.Logger.Named("workspaceapps"),
-			options.AccessURL,
-			options.Authorizer,
-			options.Database,
-			options.DeploymentValues,
-			oauthConfigs,
-			options.AgentInactiveDisconnectTimeout,
-			options.AppSigningKeyCache,
-		),
 		metricsCache:                metricsCache,
 		Auditor:                     atomic.Pointer[audit.Auditor]{},
 		TailnetCoordinator:          atomic.Pointer[tailnet.Coordinator]{},
@@ -561,6 +555,18 @@ func New(options *Options) *API {
 		),
 		dbRolluper: options.DatabaseRolluper,
 	}
+	api.WorkspaceAppsProvider = workspaceapps.NewDBTokenProvider(
+		options.Logger.Named("workspaceapps"),
+		options.AccessURL,
+		options.Authorizer,
+		&api.Auditor,
+		options.Database,
+		options.DeploymentValues,
+		oauthConfigs,
+		options.AgentInactiveDisconnectTimeout,
+		options.WorkspaceAppAuditSessionTimeout,
+		options.AppSigningKeyCache,
+	)
 
 	f := appearance.NewDefaultFetcher(api.DeploymentValues.DocsURL.String())
 	api.AppearanceFetcher.Store(&f)
 
@@ -4615,6 +4615,13 @@ func (q *querier) UpsertWorkspaceAgentPortShare(ctx context.Context, arg databas
 	return q.db.UpsertWorkspaceAgentPortShare(ctx, arg)
 }
 
+func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
+		return time.Time{}, err
+	}
+	return q.db.UpsertWorkspaceAppAuditSession(ctx, arg)
+}
+
 func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, _ rbac.PreparedAuthorized) ([]database.Template, error) {
 	// TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier.
 	return q.GetTemplatesWithFilter(ctx, arg)
 
@@ -4065,6 +4065,19 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 	s.Run("InsertWorkspaceAppStats", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(database.InsertWorkspaceAppStatsParams{}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 	}))
+	s.Run("UpsertWorkspaceAppAuditSession", s.Subtest(func(db database.Store, check *expects) {
+		u := dbgen.User(s.T(), db, database.User{})
+		pj := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
+		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: pj.ID})
+		agent := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
+		app := dbgen.WorkspaceApp(s.T(), db, database.WorkspaceApp{AgentID: agent.ID})
+		check.Args(database.UpsertWorkspaceAppAuditSessionParams{
+			AgentID: agent.ID,
+			AppID:   app.ID,
+			UserID:  u.ID,
+			Ip:      "127.0.0.1",
+		}).Asserts(rbac.ResourceSystem, policy.ActionUpdate)
+	}))
 	s.Run("InsertWorkspaceAgentScriptTimings", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 		check.Args(database.InsertWorkspaceAgentScriptTimingsParams{
 
@@ -92,6 +92,7 @@ func New() database.Store {
 			workspaceAgentLogs:        make([]database.WorkspaceAgentLog, 0),
 			workspaceBuilds:           make([]database.WorkspaceBuild, 0),
 			workspaceApps:             make([]database.WorkspaceApp, 0),
+			workspaceAppAuditSessions: make([]database.WorkspaceAppAuditSession, 0),
 			workspaces:                make([]database.WorkspaceTable, 0),
 			workspaceProxies:          make([]database.WorkspaceProxy, 0),
 		},
@@ -237,6 +238,7 @@ type data struct {
 	workspaceAgentMemoryResourceMonitors []database.WorkspaceAgentMemoryResourceMonitor
 	workspaceAgentVolumeResourceMonitors []database.WorkspaceAgentVolumeResourceMonitor
 	workspaceApps                        []database.WorkspaceApp
+	workspaceAppAuditSessions            []database.WorkspaceAppAuditSession
 	workspaceAppStatsLastInsertID        int64
 	workspaceAppStats                    []database.WorkspaceAppStat
 	workspaceBuilds                      []database.WorkspaceBuild
@@ -12281,6 +12283,63 @@ func (q *FakeQuerier) UpsertWorkspaceAgentPortShare(_ context.Context, arg datab
 	return psl, nil
 }
 
+func (q *FakeQuerier) UpsertWorkspaceAppAuditSession(_ context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+	err := validateDatabaseType(arg)
+	if err != nil {
+		return time.Time{}, err
+	}
+
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for i, s := range q.workspaceAppAuditSessions {
+		if s.AgentID != arg.AgentID {
+			continue
+		}
+		if s.AppID != arg.AppID {
+			continue
+		}
+		if s.UserID != arg.UserID {
+			continue
+		}
+		if s.Ip != arg.Ip {
+			continue
+		}
+		if s.UserAgent != arg.UserAgent {
+			continue
+		}
+		if s.SlugOrPort != arg.SlugOrPort {
+			continue
+		}
+		if s.StatusCode != arg.StatusCode {
+			continue
+		}
+
+		staleTime := dbtime.Now().Add(-(time.Duration(arg.StaleIntervalMS) * time.Millisecond))
+		fresh := s.UpdatedAt.After(staleTime)
+
+		q.workspaceAppAuditSessions[i].UpdatedAt = arg.UpdatedAt
+		if !fresh {
+			q.workspaceAppAuditSessions[i].StartedAt = arg.StartedAt
+			return arg.StartedAt, nil
+		}
+		return s.StartedAt, nil
+	}
+
+	q.workspaceAppAuditSessions = append(q.workspaceAppAuditSessions, database.WorkspaceAppAuditSession{
+		AgentID:    arg.AgentID,
+		AppID:      arg.AppID,
+		UserID:     arg.UserID,
+		Ip:         arg.Ip,
+		UserAgent:  arg.UserAgent,
+		SlugOrPort: arg.SlugOrPort,
+		StatusCode: arg.StatusCode,
+		StartedAt:  arg.StartedAt,
+		UpdatedAt:  arg.UpdatedAt,
+	})
+	return arg.StartedAt, nil
+}
+
 func (q *FakeQuerier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, prepared rbac.PreparedAuthorized) ([]database.Template, error) {
 	if err := validateDatabaseType(arg); err != nil {
 		return nil, err
 
@@ -0,0 +1 @@
+DROP TABLE workspace_app_audit_sessions;
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func (a *MockAuditor) Contains(t testing.TB, expected database.AuditLog) bool {`
`93`	`93`	`t.Logf("audit log %d: expected UserID %s, got %s", idx+1, expected.UserID, al.UserID)`
`94`	`94`	`continue`
`95`	`95`	`}`
`96`		`- if expected.OrganizationID != uuid.Nil && al.UserID != expected.UserID {`
	`96`	`+ if expected.OrganizationID != uuid.Nil && al.OrganizationID != expected.OrganizationID {`
`97`	`97`	`t.Logf("audit log %d: expected OrganizationID %s, got %s", idx+1, expected.OrganizationID, al.OrganizationID)`
`98`	`98`	`continue`
`99`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+DROP TABLE workspace_app_audit_sessions;`