feat: allow prefixes at the beginning of subdomain app hostnames #10150
Conversation
|
Do we need to have it toggleable? |
|
I guess we don't have to |
| "github.com/coder/coder/v2/provisioner/echo" | ||
| "github.com/coder/coder/v2/provisionersdk/proto" | ||
| "github.com/coder/coder/v2/testutil" | ||
| ) | ||
|
|
||
| const ( | ||
| proxyTestAgentName = "agent-name" | ||
| proxyTestAgentName = "agnt-name" |
There was a problem hiding this comment.
Lol did we hit a limit in the test?
There was a problem hiding this comment.
Yeah we hit the 62 char limit lol, Marcin reverted his PR though so it should be fine now hopefully
|
Hi @deansheather, does "we can change URL format later" mean you can fix this #9186 ? We are planing to deploy a combination of WAP + WAF in front of Coder. So this mean we have to disable this standard OWASP rule in order to get this working. |
@MrPeacockNLB we don't have any plans to fix that issue. We use double hyphens so we can support single hyphens in app names, agent names, workspace names and usernames. |
|
The "we can change the URL format later" is more about adding or removing segments. The agent name segment is not necessary if you provide an app slug because apps are unique per template, not per agent. Currently the URL format requires the agent name, but in the future we could make it not required. |
Changes hostname parsing and signed app token generation/verification to allow for
(prefix---)?app--agent--workspace--userin subdomain app URLs. Signed app tokens now include the prefix in their payload and will verify it on new requests.Old signed app tokens will become invalid (but they have an expiry of 1 minute anyways so it doesn't matter).They actually won't become invalid because prefixes weren't a thing before so the JSON parsing will default to"".The prefix must be separated by 3 hyphens to distinguish it from the rest of the segments in the URL. This is to allow for changes to our URL format (like adding or removing segments) in the future without conflicting with prefixes.
E.g.
https://frontend---8080--main--dev--deansheather.example.comis the same app ashttps://8080--main--dev--deansheather.example.com.Apps can view the full Host so they can route based on this prefix if they wish.
TODO:
Put behind a configuration flag (disabled by default)Closes #9903