fix: avoid redirect loop on workspace proxies (#9389)

* fix: avoid redirect loop on workspace proxies --------- Co-authored-by: Steven Masley <stevenmasley@coder.com>
2025-07-03 16:13:58 +00:00 · 2023-08-28 18:34:52 -07:00
parent eb68684327
commit 5993f85ec9
12 changed files with 265 additions and 99 deletions
--- a/coderd/workspaceapps/provider.go
+++ b/coderd/workspaceapps/provider.go
@ -7,7 +7,6 @@ import (
 	"time"

 	"cdr.dev/slog"
-	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/codersdk"
 )

@ -58,7 +57,7 @@ func ResolveRequest(rw http.ResponseWriter, r *http.Request, opts ResolveRequest
 		AppRequest:     appReq,
 		PathAppBaseURL: opts.PathAppBaseURL.String(),
 		AppHostname:    opts.AppHostname,
-		SessionToken:   httpmw.APITokenFromRequest(r),
+		SessionToken:   AppConnectSessionTokenFromRequest(r, appReq.AccessMethod),
 		AppPath:        opts.AppPath,
 		AppQuery:       opts.AppQuery,
 	}
@ -68,11 +67,16 @@ func ResolveRequest(rw http.ResponseWriter, r *http.Request, opts ResolveRequest
 		return nil, false
 	}

-	// Write the signed app token cookie. We always want this to apply to the
-	// current hostname (even for subdomain apps, without any wildcard
-	// shenanigans, because the token is only valid for a single app).
+	// Write the signed app token cookie.
+	//
+	// For path apps, this applies to only the path app base URL on the current
+	// domain, e.g.
+	//   /@user/workspace[.agent]/apps/path-app/
+	//
+	// For subdomain apps, this applies to the entire subdomain, e.g.
+	//   app--agent--workspace--user.apps.example.com
 	http.SetCookie(rw, &http.Cookie{
-		Name:    codersdk.DevURLSignedAppTokenCookie,
+		Name:    codersdk.SignedAppTokenCookie,
 		Value:   tokenStr,
 		Path:    appReq.BasePath,
 		Expires: token.Expiry,