fix: improve error messages when the agent token is invalid (coder#5423)

kylecarbs · web-flow · commit c0b251ac529b · 2022-12-14T12:24:22.000-06:00
I'm not sure why this issue is common, but it seems to be based on: coder#4551. This improves the error messages to be unique, and also fixes a small edge-case bug a user ran into.
diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -30,25 +30,27 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			cookieValue := apiTokenFromRequest(r)
-			if cookieValue == "" {
+			tokenValue := apiTokenFromRequest(r)
+			if tokenValue == "" {
 				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
 					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.SessionTokenKey),
 				})
 				return
 			}
-			token, err := uuid.Parse(cookieValue)
+			token, err := uuid.Parse(tokenValue)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-					Message: "Agent token is invalid.",
+					Message: "Workspace agent token invalid.",
+					Detail:  fmt.Sprintf("An agent token must be a valid UUIDv4. (len %d)", len(tokenValue)),
 				})
 				return
 			}
 			agent, err := db.GetWorkspaceAgentByAuthToken(ctx, token)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-						Message: "Agent token is invalid.",
+						Message: "Workspace agent not authorized.",
+						Detail:  "The agent cannot authenticate until the workspace provision job has been completed. If the job is no longer running, this agent is invalid.",
 					})
 					return
 				}
diff --git a/provisioner/terraform/resources.go b/provisioner/terraform/resources.go
@@ -218,8 +218,15 @@ func ConvertResources(module *tfjson.StateModule, rawGraph string) ([]*proto.Res
 				if agent.Id != agentID {
 					continue
 				}
-				agent.Auth = &proto.Agent_InstanceId{
-					InstanceId: instanceID,
+				// Only apply the instance ID if the agent authentication
+				// type is set to do so. A user ran into a bug where they
+				// had the instance ID block, but auth was set to "token". See:
+				// https://github.com/coder/coder/issues/4551#issuecomment-1336293468
+				switch t := agent.Auth.(type) {
+				case *proto.Agent_Token:
+					continue
+				case *proto.Agent_InstanceId:
+					t.InstanceId = instanceID
 				}
 				break
 			}

Original file line number	Diff line number	Diff line change
`@@ -218,8 +218,15 @@ func ConvertResources(module tfjson.StateModule, rawGraph string) ([]proto.Res`
`218`	`218`	`if agent.Id != agentID {`
`219`	`219`	`continue`
`220`	`220`	`}`
`221`		`- agent.Auth = &proto.Agent_InstanceId{`
`222`		`- InstanceId: instanceID,`
	`221`	`+ // Only apply the instance ID if the agent authentication`
	`222`	`+ // type is set to do so. A user ran into a bug where they`
	`223`	`+ // had the instance ID block, but auth was set to "token". See:`
	`224`	`+ // https://github.com/coder/coder/issues/4551#issuecomment-1336293468`
	`225`	`+ switch t := agent.Auth.(type) {`
	`226`	`+ case *proto.Agent_Token:`
	`227`	`+ continue`
	`228`	`+ case *proto.Agent_InstanceId:`
	`229`	`+ t.InstanceId = instanceID`
`223`	`230`	`}`
`224`	`231`	`break`
`225`	`232`	`}`