Summary:

We are using Coder to provision VSCode instances for programming tests, and we need a way to disable workspace authentication in these environments. While we understand this may not be a current priority, we’d like to know if there’s a native solution for this, as we haven’t found anything in the documentation. We've already tried several approaches, including passing the coder_session_token via an iframe, but the session doesn’t seem to persist.

Our Use Case:

We are using Coder to provision environments for programming tests. These are isolated, temporary environments specifically created for test-takers. In these cases, authentication becomes a blocker, as the participants don’t need to go through the standard authentication process.

• Programming Tests: Since these environments are short-lived and dedicated to candidates taking tests, requiring full authentication for each session is unnecessary and slows down the test setup process.
• Non-Production Use: The environments contain no sensitive data or production-level activities, making authentication more of a friction point rather than a security requirement.

What We Have Tried:

1. Passing coder_session_token via iframe:

   • We attempted to pass the coder_session_token as a query parameter in the iframe to persist the session, but it appears that the session does not persist when loading the environment via an iframe.

2. Reverse Proxy-Based Bypass Using NGINX:

   • We configured NGINX to intercept requests such as /api/v2/users/me and /api/v2/authcheck and return mock responses for 401 Unauthorized errors.
   • While this worked, it introduced unnecessary complexity, required ongoing maintenance, and wasn’t sustainable for scaling the number of environments.

3. Manual Adjustments to Authentication Logic:

   • We explored manually bypassing authentication within the API, but this requires too many manual changes and is not ideal for ongoing use.

Proposed Solution:

We’re wondering if there’s a native solution for bypassing authentication in these specific use cases, such as a configurable flag or environment variable. Something like:

• ENV: DISABLE_WORKSPACE_AUTH=true
• YAML Config: disableWorkspaceAuth: true

This would allow us to:

• Bypass authentication for programming test environments.
• Avoid unnecessary complexity with proxy configurations or manual API adjustments.
• Simplify the workflow for participants who are only focused on completing their tests.

Note:

We understand that implementing this feature might not be a priority at this time. However, it would be helpful to know if there’s already an existing way to achieve this, as we couldn’t find anything in the documentation.