Skip to content

feat: Add support for update checks and notifications #4810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Dec 1, 2022
Merged

feat: Add support for update checks and notifications #4810

Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
cc28c1b
feat: Add support for checking for updates
mafredri Oct 31, 2022
c163af8
wip(site): Add support for informing of updates
mafredri Oct 31, 2022
e9ed0b7
Add /api/v2/updatecheck to noauthorize list
mafredri Oct 31, 2022
64ad0f5
Fix edge case where update check has never succeeded
mafredri Oct 31, 2022
0238d5a
Fix logging
mafredri Oct 31, 2022
9e1ea9e
Use AlertBanner for coder version notice
mafredri Nov 29, 2022
979ff80
Update golden files
mafredri Nov 29, 2022
b80de3c
Fix margins, improve alert banner and add stories
mafredri Nov 30, 2022
81d11dd
Add authorization, dismissal and fetch after login
mafredri Nov 30, 2022
392d06e
Apply suggestions from code review
mafredri Dec 1, 2022
ad38c3b
Add forgotten UpdateCheckBanner.stories.tsx
mafredri Nov 30, 2022
1c9dbc1
fix(api): Amend PR comments
mafredri Dec 1, 2022
49a7bfc
fix(site): Always show prefix for update check errors, remove as const
mafredri Dec 1, 2022
44f6475
fix(site): Add jest tests for UpdateCheckBanner
mafredri Dec 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add /api/v2/updatecheck to noauthorize list
  • Loading branch information
@mafredri
mafredri committed Nov 29, 2022
commit e9ed0b753a1c605e22290ec4120c824ab048cb11
1 change: 1 addition & 0 deletions coderd/coderdtest/authorize.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
"GET:/healthz": {NoAuthorize: true},
"GET:/api/v2": {NoAuthorize: true},
"GET:/api/v2/buildinfo": {NoAuthorize: true},
"GET:/api/v2/updatecheck": {NoAuthorize: true},
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

review(api): Technically, we restrict access in the WebUI so that only owners can view this information. It's not sensitive information by any means, but it's somewhat pointless to show to users. That's why we do not require authorization here (but I can change it if this behavior seems too weird).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless the "updatecheck" can trigger a real update and potentially crash the deployment, I guess that it's safe to expose it to everyone. On the other hand, if there is a known security issue, all users would be informed that there is an update to install, so the system is currently vulnerable.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updatecheck is read-only, so it won't do anything scandalous. If we ever add a POST endpoint, that should obviously be protected. You raised a good point about vulnerabilities. Since Coder is an open source product, this information would be available to anyone checking the GitHub releases too. More than protecting this endpoint, we should consider how we convey this information through our releases.

"GET:/api/v2/users/first": {NoAuthorize: true},
"POST:/api/v2/users/first": {NoAuthorize: true},
"POST:/api/v2/users/login": {NoAuthorize: true},
Expand Down