chore: swagger docs omit brower based credentials, rely on swagger auth (#13742)

* chore: swagger docs omit brower based credentials, rely on swagger auth Swagger has an "Authorize" button which should be the only authentication being used in the api requests
2025-07-13 21:36:50 +00:00 · 2024-07-01 08:44:35 -10:00
parent cd069faf01
commit 10c2817f4d
2 changed files with 40 additions and 1 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -87,7 +87,31 @@ import (
 var globalHTTPSwaggerHandler http.HandlerFunc

 func init() {
-	globalHTTPSwaggerHandler = httpSwagger.Handler(httpSwagger.URL("/swagger/doc.json"))
+	globalHTTPSwaggerHandler = httpSwagger.Handler(
+		httpSwagger.URL("/swagger/doc.json"),
+		// The swagger UI has an "Authorize" button that will input the
+		// credentials into the Coder-Session-Token header. This bypasses
+		// CSRF checks **if** there is no cookie auth also present.
+		// (If the cookie matches, then it's ok too)
+		//
+		// Because swagger is hosted on the same domain, we have the cookie
+		// auth and the header auth competing. This can cause CSRF errors,
+		// and can be confusing what authentication is being used.
+		//
+		// So remove authenticating via a cookie, and rely on the authorization
+		// header passed in.
+		httpSwagger.UIConfig(map[string]string{
+			// Pulled from https://swagger.io/docs/open-source-tools/swagger-ui/usage/configuration/
+			// 'withCredentials' should disable fetch sending browser credentials, but
+			// for whatever reason it does not.
+			// So this `requestInterceptor` ensures browser credentials are
+			// omitted from all requests.
+			"requestInterceptor": `(a => {
+				a.credentials = "omit";
+				return a;
+			})`,
+			"withCredentials": "false",
+		}))
 }

 var expDERPOnce = sync.Once{}
--- a/coderd/httpmw/csrf.go
+++ b/coderd/httpmw/csrf.go
@ -1,6 +1,7 @@
 package httpmw

 import (
+	"fmt"
 	"net/http"
 	"regexp"
 	"strings"
@ -20,6 +21,20 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 		mw := nosurf.New(next)
 		mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
 		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
+			if err == nil && r.Header.Get(codersdk.SessionTokenHeader) != sessCookie.Value {
+				// If a user is using header authentication and cookie auth, but the values
+				// do not match, the cookie value takes priority.
+				// At the very least, return a more helpful error to the user.
+				http.Error(w,
+					fmt.Sprintf("CSRF error encountered. Authentication via %q cookie and %q header detected, but the values do not match. "+
+						"To resolve this issue ensure the values used in both match, or only use one of the authentication methods. "+
+						"You can also try clearing your cookies if this error persists.",
+						codersdk.SessionTokenCookie, codersdk.SessionTokenHeader),
+					http.StatusBadRequest)
+				return
+			}
+
 			http.Error(w, "Something is wrong with your CSRF token. Please refresh the page. If this error persists, try clearing your cookies.", http.StatusBadRequest)
 		}))