feat: implement provisioner auth middleware and proper org params (#12330)

* feat: provisioner auth in mw to allow ExtractOrg Step to enable org scoped provisioner daemons * chore: handle default org handling for provisioner daemons
2025-07-15 22:20:27 +00:00 · 2024-03-04 15:15:41 -06:00
parent 926fd7ffa6
commit 5c6974e55f
11 changed files with 201 additions and 30 deletions
--- a/coderd/httpmw/actor.go
+++ b/coderd/httpmw/actor.go
@ -64,3 +64,32 @@ func RequireAPIKeyOrWorkspaceAgent() func(http.Handler) http.Handler {
 		})
 	}
 }
+
+// RequireAPIKeyOrProvisionerDaemonAuth is middleware that should be inserted
+// after optional ExtractAPIKey and ExtractProvisionerDaemonAuthenticated
+// middlewares to ensure one of the two authentication methods is provided.
+//
+// If both are provided, an error is returned to avoid misuse.
+func RequireAPIKeyOrProvisionerDaemonAuth() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, hasAPIKey := APIKeyOptional(r)
+			hasProvisionerDaemon := ProvisionerDaemonAuthenticated(r)
+
+			if hasAPIKey && hasProvisionerDaemon {
+				httpapi.Write(r.Context(), w, http.StatusBadRequest, codersdk.Response{
+					Message: "API key and external provisioner authentication provided, but only one is allowed",
+				})
+				return
+			}
+			if !hasAPIKey && !hasProvisionerDaemon {
+				httpapi.Write(r.Context(), w, http.StatusUnauthorized, codersdk.Response{
+					Message: "API key or external provisioner authentication required, but none provided",
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}