feat: Implement (but not enforce) CSRF for FE requests (#3786)

Future work is to enforce CSRF Co-authored-by: Presley Pizzo <presley@coder.com>
2025-07-15 22:20:27 +00:00 · 2022-09-13 15:26:46 -04:00
parent 9ab437d6e2
commit 9b5ee8f267
22 changed files with 211 additions and 115 deletions
--- a/coderd/httpmw/workspaceagent.go
+++ b/coderd/httpmw/workspaceagent.go
@ -29,14 +29,14 @@ func WorkspaceAgent(r *http.Request) database.WorkspaceAgent {
 func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			cookie, err := r.Cookie(codersdk.SessionTokenKey)
-			if err != nil {
+			cookieValue := apiTokenFromRequest(r)
+			if cookieValue == "" {
 				httpapi.Write(rw, http.StatusUnauthorized, codersdk.Response{
 					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.SessionTokenKey),
 				})
 				return
 			}
-			token, err := uuid.Parse(cookie.Value)
+			token, err := uuid.Parse(cookieValue)
 			if err != nil {
 				httpapi.Write(rw, http.StatusUnauthorized, codersdk.Response{
 					Message: "Agent token is invalid.",