• Enables running subdomain apps on a different domain instead of underneath the coder subdomain.
• Enables configuration of the app domain (defaults to disabled).
• Adds a new "optional" mode to ExtractAPIKey and turn the parameters into a struct.
• Adds an auth redirection flow to authenticate into the app domain while avoiding phishing etc.
  • Unauthenticated requests to devurls get redirected to /api/v2/applications/auth-redirect?redirect_uri=...
    • Redirects to the login page (with redirect query parameter set) if the user is not logged in
    • Validates the redirect_uri to avoid redirecting to insecure domains
    • Generates a new API key scoped to only devurl access
    • Encrypts the API key with it's own hashed secret
    • Redirects to ?redirect_uri=x with ?coder_application_api_key_...=$encrypted_key
  • Requests to devurls with ?coder_application_api_key get intercepted and not proxied
    • Decrypt the API key and ensure it's valid
    • Store it as a cookie on .apps.coder.com
    • Redirect to the same URL without the query parameters
• Adds thorough testing for:
  • API key encryption
  • API key generation (with permissions checks)
  • API key validation
• Adds /api/v2/authcheck because I wanted to use it in a test.
• Deletes /api/v2/users/:userid/authorization in favor of the above

The new auth flow looks like this from a network perspective:

TODO:

• Documentation (probably future PR)
• Support for multiple certificates in coder server (and helm chart) (probably in another PR)
• Manual testing in multiple browsers
• UI (future PR)