coder · deansheather · Apr 4, 2023 · Mar 30, 2023 · Apr 3, 2023 · Apr 3, 2023
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -123,8 +123,8 @@ type Options struct {
 	SwaggerEndpoint       bool
 	SetUserGroups         func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
 	TemplateScheduleStore schedule.TemplateScheduleStore
-	// AppSigningKey denotes the symmetric key to use for signing app tickets.
-	// The key must be 64 bytes long.
+	// AppSigningKey denotes the symmetric key to use for signing temporary app
+	// tokens. The key must be 64 bytes long.
 	AppSigningKey      []byte
 	HealthcheckFunc    func(ctx context.Context) (*healthcheck.Report, error)
 	HealthcheckTimeout time.Duration
@@ -297,7 +297,7 @@ func New(options *Options) *API {
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,
 		},
-		WorkspaceAppsProvider: workspaceapps.New(
+		WorkspaceAppsProvider: workspaceapps.NewDBTokenProvider(
 			options.Logger.Named("workspaceapps"),
 			options.AccessURL,
 			options.Authorizer,
@@ -642,7 +642,7 @@ func New(options *Options) *API {
 				r.Post("/metadata/{key}", api.workspaceAgentPostMetadata)
 			})
 			// No middleware on the PTY endpoint since it uses workspace
-			// application auth and tickets.
+			// application auth and signed app tokens.
 			r.Get("/{workspaceagent}/pty", api.workspaceAgentPTY)
 			r.Route("/{workspaceagent}", func(r chi.Router) {
 				r.Use(
@@ -788,7 +788,7 @@ type API struct {
 	metricsCache          *metricscache.Cache
 	workspaceAgentCache   *wsconncache.Cache
 	updateChecker         *updatecheck.Checker
-	WorkspaceAppsProvider *workspaceapps.Provider
+	WorkspaceAppsProvider workspaceapps.SignedTokenProvider
 
 	// Experiments contains the list of experiments currently enabled.
 	// This is used to gate features that are not yet ready for production.

diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -80,7 +80,7 @@ import (
 	"github.com/coder/coder/testutil"
 )
 
-// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tickets in
+// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tokens in
 // tests.
 var AppSigningKey = must(hex.DecodeString("64656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566"))
 

diff --git a/coderd/httpapi/cookie.go b/coderd/httpapi/cookie.go
@@ -24,7 +24,7 @@ func StripCoderCookies(header string) string {
 			name == codersdk.OAuth2StateCookie ||
 			name == codersdk.OAuth2RedirectCookie ||
 			name == codersdk.DevURLSessionTokenCookie ||
-			name == codersdk.DevURLSessionTicketCookie {
+			name == codersdk.DevURLSignedAppTokenCookie {
 			continue
 		}
 		cookies = append(cookies, part)

diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -564,7 +564,7 @@ func (api *API) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 	api.WebsocketWaitMutex.Unlock()
 	defer api.WebsocketWaitGroup.Done()
 
-	ticket, ok := api.WorkspaceAppsProvider.ResolveRequest(rw, r, workspaceapps.Request{
+	appToken, ok := workspaceapps.ResolveRequest(api.Logger, api.AccessURL, api.WorkspaceAppsProvider, rw, r, workspaceapps.Request{
 		AccessMethod:  workspaceapps.AccessMethodTerminal,
 		BasePath:      r.URL.Path,
 		AgentNameOrID: chi.URLParam(r, "workspaceagent"),
@@ -608,7 +608,7 @@ func (api *API) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 
 	go httpapi.Heartbeat(ctx, conn)
 
-	agentConn, release, err := api.workspaceAgentCache.Acquire(ticket.AgentID)
+	agentConn, release, err := api.workspaceAgentCache.Acquire(appToken.AgentID)
 	if err != nil {
 		_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("dial workspace agent: %s", err))
 		return

diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
@@ -124,7 +124,7 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 		chiPath = "/" + chiPath
 	}
 
-	ticket, ok := api.WorkspaceAppsProvider.ResolveRequest(rw, r, workspaceapps.Request{
+	token, ok := workspaceapps.ResolveRequest(api.Logger, api.AccessURL, api.WorkspaceAppsProvider, rw, r, workspaceapps.Request{
 		AccessMethod:      workspaceapps.AccessMethodPath,
 		BasePath:          basePath,
 		UsernameOrID:      chi.URLParam(r, "user"),
@@ -137,7 +137,7 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	api.proxyWorkspaceApplication(rw, r, *ticket, chiPath)
+	api.proxyWorkspaceApplication(rw, r, *token, chiPath)
 }
 
 // handleSubdomainApplications handles subdomain-based application proxy
@@ -247,7 +247,7 @@ func (api *API) handleSubdomainApplications(middlewares ...func(http.Handler) ht
 				return
 			}
 
-			ticket, ok := api.WorkspaceAppsProvider.ResolveRequest(rw, r, workspaceapps.Request{
+			token, ok := workspaceapps.ResolveRequest(api.Logger, api.AccessURL, api.WorkspaceAppsProvider, rw, r, workspaceapps.Request{
 				AccessMethod:      workspaceapps.AccessMethodSubdomain,
 				BasePath:          "/",
 				UsernameOrID:      app.Username,
@@ -263,7 +263,7 @@ func (api *API) handleSubdomainApplications(middlewares ...func(http.Handler) ht
 			// app.
 			mws := chi.Middlewares(middlewares)
 			mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-				api.proxyWorkspaceApplication(rw, r, *ticket, r.URL.Path)
+				api.proxyWorkspaceApplication(rw, r, *token, r.URL.Path)
 			})).ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
@@ -561,7 +561,7 @@ func (api *API) setWorkspaceAppCookie(rw http.ResponseWriter, r *http.Request, t
 	return true
 }
 
-func (api *API) proxyWorkspaceApplication(rw http.ResponseWriter, r *http.Request, ticket workspaceapps.Ticket, path string) {
+func (api *API) proxyWorkspaceApplication(rw http.ResponseWriter, r *http.Request, appToken workspaceapps.SignedToken, path string) {
 	ctx := r.Context()
 
 	// Filter IP headers from untrusted origins.
@@ -573,12 +573,12 @@ func (api *API) proxyWorkspaceApplication(rw http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	appURL, err := url.Parse(ticket.AppURL)
+	appURL, err := url.Parse(appToken.AppURL)
 	if err != nil {
 		site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
 			Status:       http.StatusBadRequest,
 			Title:        "Bad Request",
-			Description:  fmt.Sprintf("Application has an invalid URL %q: %s", ticket.AppURL, err.Error()),
+			Description:  fmt.Sprintf("Application has an invalid URL %q: %s", appToken.AppURL, err.Error()),
 			RetryEnabled: true,
 			DashboardURL: api.AccessURL.String(),
 		})
@@ -592,7 +592,7 @@ func (api *API) proxyWorkspaceApplication(rw http.ResponseWriter, r *http.Reques
 		portInt, err := strconv.Atoi(port)
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-				Message: fmt.Sprintf("App URL %q has an invalid port %q.", ticket.AppURL, port),
+				Message: fmt.Sprintf("App URL %q has an invalid port %q.", appToken.AppURL, port),
 				Detail:  err.Error(),
 			})
 			return
@@ -639,7 +639,7 @@ func (api *API) proxyWorkspaceApplication(rw http.ResponseWriter, r *http.Reques
 		})
 	}
 
-	conn, release, err := api.workspaceAgentCache.Acquire(ticket.AgentID)
+	conn, release, err := api.workspaceAgentCache.Acquire(appToken.AgentID)
 	if err != nil {
 		site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
 			Status:       http.StatusBadGateway,