feat: tokens (#4380)

2025-07-03 16:13:58 +00:00 · 2022-10-06 15:02:27 -04:00
parent fe7c9f8ec1
commit f5df54831a
21 changed files with 685 additions and 260 deletions
--- a/coderd/users.go
+++ b/coderd/users.go
@ -3,21 +3,17 @@ package coderd
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
 	"database/sql"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
-	"time"

 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 	"github.com/google/uuid"
-	"github.com/tabbed/pqtype"
 	"golang.org/x/xerrors"

 	"cdr.dev/slog"
@ -31,7 +27,6 @@ import (
 	"github.com/coder/coder/coderd/userpassword"
 	"github.com/coder/coder/coderd/util/slice"
 	"github.com/coder/coder/codersdk"
-	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/examples"
 )

@ -943,69 +938,6 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 	})
 }

-// Creates a new session key, used for logging in via the CLI.
-func (api *API) postAPIKey(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	user := httpmw.UserParam(r)
-
-	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
-	lifeTime := time.Hour * 24 * 7
-	cookie, err := api.createAPIKey(ctx, createAPIKeyParams{
-		UserID:     user.ID,
-		LoginType:  database.LoginTypePassword,
-		RemoteAddr: r.RemoteAddr,
-		// All api generated keys will last 1 week. Browser login tokens have
-		// a shorter life.
-		ExpiresAt:       database.Now().Add(lifeTime),
-		LifetimeSeconds: int64(lifeTime.Seconds()),
-	})
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Failed to create API key.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	// We intentionally do not set the cookie on the response here.
-	// Setting the cookie will couple the browser sesion to the API
-	// key we return here, meaning logging out of the website would
-	// invalid your CLI key.
-	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.GenerateAPIKeyResponse{Key: cookie.Value})
-}
-
-func (api *API) apiKey(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx  = r.Context()
-		user = httpmw.UserParam(r)
-	)
-
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceAPIKey.WithOwner(user.ID.String())) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
-	keyID := chi.URLParam(r, "keyid")
-	key, err := api.Database.GetAPIKeyByID(ctx, keyID)
-	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching API key.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	httpapi.Write(ctx, rw, http.StatusOK, convertAPIKey(key))
-}
-
 // Clear the user's session cookie.
 func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@ -1078,99 +1010,6 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	})
 }

-// Generates a new ID and secret for an API key.
-func generateAPIKeyIDSecret() (id string, secret string, err error) {
-	// Length of an API Key ID.
-	id, err = cryptorand.String(10)
-	if err != nil {
-		return "", "", err
-	}
-	// Length of an API Key secret.
-	secret, err = cryptorand.String(22)
-	if err != nil {
-		return "", "", err
-	}
-	return id, secret, nil
-}
-
-type createAPIKeyParams struct {
-	UserID     uuid.UUID
-	RemoteAddr string
-	LoginType  database.LoginType
-
-	// Optional.
-	ExpiresAt       time.Time
-	LifetimeSeconds int64
-	Scope           database.APIKeyScope
-}
-
-func (api *API) createAPIKey(ctx context.Context, params createAPIKeyParams) (*http.Cookie, error) {
-	keyID, keySecret, err := generateAPIKeyIDSecret()
-	if err != nil {
-		return nil, xerrors.Errorf("generate API key: %w", err)
-	}
-	hashed := sha256.Sum256([]byte(keySecret))
-
-	// Default expires at to now+lifetime, or just 24hrs if not set
-	if params.ExpiresAt.IsZero() {
-		if params.LifetimeSeconds != 0 {
-			params.ExpiresAt = database.Now().Add(time.Duration(params.LifetimeSeconds) * time.Second)
-		} else {
-			params.ExpiresAt = database.Now().Add(24 * time.Hour)
-		}
-	}
-
-	host, _, _ := net.SplitHostPort(params.RemoteAddr)
-	ip := net.ParseIP(host)
-	if ip == nil {
-		ip = net.IPv4(0, 0, 0, 0)
-	}
-	bitlen := len(ip) * 8
-
-	scope := database.APIKeyScopeAll
-	if params.Scope != "" {
-		scope = params.Scope
-	}
-
-	key, err := api.Database.InsertAPIKey(ctx, database.InsertAPIKeyParams{
-		ID:              keyID,
-		UserID:          params.UserID,
-		LifetimeSeconds: params.LifetimeSeconds,
-		IPAddress: pqtype.Inet{
-			IPNet: net.IPNet{
-				IP:   ip,
-				Mask: net.CIDRMask(bitlen, bitlen),
-			},
-			Valid: true,
-		},
-		// Make sure in UTC time for common time zone
-		ExpiresAt:    params.ExpiresAt.UTC(),
-		CreatedAt:    database.Now(),
-		UpdatedAt:    database.Now(),
-		HashedSecret: hashed[:],
-		LoginType:    params.LoginType,
-		Scope:        scope,
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("insert API key: %w", err)
-	}
-
-	api.Telemetry.Report(&telemetry.Snapshot{
-		APIKeys: []telemetry.APIKey{telemetry.ConvertAPIKey(key)},
-	})
-
-	// This format is consumed by the APIKey middleware.
-	sessionToken := fmt.Sprintf("%s-%s", keyID, keySecret)
-	return &http.Cookie{
-		Name:     codersdk.SessionTokenKey,
-		Value:    sessionToken,
-		Path:     "/",
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   api.SecureAuthCookie,
-	}, nil
-}
-
 type CreateUserRequest struct {
 	codersdk.CreateUserRequest
 	LoginType database.LoginType