feat: allow prefixing coder_session_token cookie

johnstcn · johnstcn · commit 9ce243702ff0 · 2025-07-22T16:55:00.000+01:00
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -418,7 +418,7 @@ func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*
 	})
 
 	return api.DeploymentValues.HTTPCookies.Apply(&http.Cookie{
-		Name:     codersdk.SessionTokenCookie,
+		Name:     codersdk.GetSessionTokenCookie(),
 		Value:    sessionToken,
 		Path:     "/",
 		HttpOnly: true,
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -373,7 +373,7 @@ func TestCSRFExempt(t *testing.T) {
 		u := client.URL.JoinPath(fmt.Sprintf("/@%s/%s.%s/apps/%s", owner.Username, wrk.Workspace.Name, agentSlug, appSlug)).String()
 		req, err := http.NewRequestWithContext(ctx, http.MethodPost, u, nil)
 		req.AddCookie(&http.Cookie{
-			Name:   codersdk.SessionTokenCookie,
+			Name:   codersdk.GetSessionTokenCookie(),
 			Value:  client.SessionToken(),
 			Path:   "/",
 			Domain: client.URL.String(),
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -1333,7 +1333,7 @@ func RequestExternalAuthCallback(t testing.TB, providerID string, client *coders
 		Value: state,
 	})
 	req.AddCookie(&http.Cookie{
-		Name:  codersdk.SessionTokenCookie,
+		Name:  codersdk.GetSessionTokenCookie(),
 		Value: client.SessionToken(),
 	})
 	for _, opt := range opts {
diff --git a/coderd/coderdtest/oidctest/idp.go b/coderd/coderdtest/oidctest/idp.go
@@ -624,7 +624,7 @@ func (f *FakeIDP) LoginWithClient(t testing.TB, client *codersdk.Client, idToken
 	var user *codersdk.Client
 	cookies := cli.Jar.Cookies(client.URL)
 	for _, cookie := range cookies {
-		if cookie.Name == codersdk.SessionTokenCookie {
+		if cookie.Name == codersdk.GetSessionTokenCookie() {
 			user = codersdk.New(client.URL)
 			user.SetSessionToken(cookie.Value)
 		}
diff --git a/coderd/httpapi/cookie.go b/coderd/httpapi/cookie.go
@@ -20,7 +20,7 @@ func StripCoderCookies(header string) string {
 			continue
 		}
 		name, _, _ := strings.Cut(part, "=")
-		if name == codersdk.SessionTokenCookie ||
+		if name == codersdk.GetSessionTokenCookie() ||
 			name == codersdk.OAuth2StateCookie ||
 			name == codersdk.OAuth2RedirectCookie ||
 			name == codersdk.PathAppSessionTokenCookie ||
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -159,7 +159,7 @@ func APIKeyFromRequest(ctx context.Context, db database.Store, sessionTokenFunc
 	if token == "" {
 		return nil, codersdk.Response{
 			Message: SignedOutErrorMessage,
-			Detail:  fmt.Sprintf("Cookie %q or query parameter must be provided.", codersdk.SessionTokenCookie),
+			Detail:  fmt.Sprintf("Cookie %q or query parameter must be provided.", codersdk.GetSessionTokenCookie()),
 		}, false
 	}
 
@@ -711,12 +711,12 @@ func APITokenFromRequest(r *http.Request) string {
 	// Prioritize existing Coder custom authentication methods first
 	// to maintain backward compatibility and existing behavior
 
-	cookie, err := r.Cookie(codersdk.SessionTokenCookie)
+	cookie, err := r.Cookie(codersdk.GetSessionTokenCookie())
 	if err == nil && cookie.Value != "" {
 		return cookie.Value
 	}
 
-	urlValue := r.URL.Query().Get(codersdk.SessionTokenCookie)
+	urlValue := r.URL.Query().Get(codersdk.GetSessionTokenCookie())
 	if urlValue != "" {
 		return urlValue
 	}
diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
@@ -320,7 +320,7 @@ func TestAPIKey(t *testing.T) {
 			rw = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenCookie,
+			Name:  codersdk.GetSessionTokenCookie(),
 			Value: token,
 		})
 
@@ -357,7 +357,7 @@ func TestAPIKey(t *testing.T) {
 			rw = httptest.NewRecorder()
 		)
 		q := r.URL.Query()
-		q.Add(codersdk.SessionTokenCookie, token)
+		q.Add(codersdk.GetSessionTokenCookie(), token)
 		r.URL.RawQuery = q.Encode()
 
 		httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{
diff --git a/coderd/httpmw/csrf.go b/coderd/httpmw/csrf.go
@@ -21,7 +21,7 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
 		mw := nosurf.New(next)
 		mw.SetBaseCookie(*cookieCfg.Apply(&http.Cookie{Path: "/", HttpOnly: true}))
 		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
+			sessCookie, err := r.Cookie(codersdk.GetSessionTokenCookie())
 			if err == nil &&
 				r.Header.Get(codersdk.SessionTokenHeader) != "" &&
 				r.Header.Get(codersdk.SessionTokenHeader) != sessCookie.Value {
@@ -32,7 +32,7 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
 					fmt.Sprintf("CSRF error encountered. Authentication via %q cookie and %q header detected, but the values do not match. "+
 						"To resolve this issue ensure the values used in both match, or only use one of the authentication methods. "+
 						"You can also try clearing your cookies if this error persists.",
-						codersdk.SessionTokenCookie, codersdk.SessionTokenHeader),
+						codersdk.GetSessionTokenCookie(), codersdk.SessionTokenHeader),
 					http.StatusBadRequest)
 				return
 			}
@@ -70,7 +70,7 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
 			// CSRF only affects requests that automatically attach credentials via a cookie.
 			// If no cookie is present, then there is no risk of CSRF.
 			//nolint:govet
-			sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
+			sessCookie, err := r.Cookie(codersdk.GetSessionTokenCookie())
 			if xerrors.Is(err, http.ErrNoCookie) {
 				return true
 			}
@@ -82,7 +82,7 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
 				return true
 			}
 
-			if token := r.URL.Query().Get(codersdk.SessionTokenCookie); token == sessCookie.Value {
+			if token := r.URL.Query().Get(codersdk.GetSessionTokenCookie()); token == sessCookie.Value {
 				// If the auth is set in a url param and matches the cookie, it
 				// is the same as just using the url param.
 				return true
diff --git a/coderd/httpmw/csrf_test.go b/coderd/httpmw/csrf_test.go
@@ -63,7 +63,7 @@ func TestCSRFExemptList(t *testing.T) {
 			r, err := http.NewRequestWithContext(context.Background(), http.MethodPost, c.URL, nil)
 			require.NoError(t, err)
 
-			r.AddCookie(&http.Cookie{Name: codersdk.SessionTokenCookie, Value: "test"})
+			r.AddCookie(&http.Cookie{Name: codersdk.GetSessionTokenCookie(), Value: "test"})
 			exempt := csrfmw.IsExempt(r)
 			require.Equal(t, c.Exempt, exempt)
 		})
@@ -96,7 +96,7 @@ func TestCSRFError(t *testing.T) {
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, urlPath, nil)
 		require.NoError(t, err)
 
-		req.AddCookie(&http.Cookie{Name: codersdk.SessionTokenCookie, Value: "session_token_value"})
+		req.AddCookie(&http.Cookie{Name: codersdk.GetSessionTokenCookie(), Value: "session_token_value"})
 		req.AddCookie(&http.Cookie{Name: nosurf.CookieName, Value: csrfCookieValue})
 		req.Header.Add(nosurf.HeaderName, csrfHeaderValue)
 
@@ -113,7 +113,7 @@ func TestCSRFError(t *testing.T) {
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, urlPath, nil)
 		require.NoError(t, err)
 
-		req.AddCookie(&http.Cookie{Name: codersdk.SessionTokenCookie, Value: "session_token_value"})
+		req.AddCookie(&http.Cookie{Name: codersdk.GetSessionTokenCookie(), Value: "session_token_value"})
 		req.AddCookie(&http.Cookie{Name: nosurf.CookieName, Value: csrfCookieValue})
 
 		rec := httptest.NewRecorder()
@@ -132,7 +132,7 @@ func TestCSRFError(t *testing.T) {
 		req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, urlPath, nil)
 		require.NoError(t, err)
 
-		req.AddCookie(&http.Cookie{Name: codersdk.SessionTokenCookie, Value: "session_token_value"})
+		req.AddCookie(&http.Cookie{Name: codersdk.GetSessionTokenCookie(), Value: "session_token_value"})
 		req.AddCookie(&http.Cookie{Name: nosurf.CookieName, Value: csrfCookieValue})
 		req.Header.Add(codersdk.SessionTokenHeader, "mismatched_value")
 
diff --git a/coderd/httpmw/rfc6750_extended_test.go b/coderd/httpmw/rfc6750_extended_test.go
@@ -262,7 +262,7 @@ func TestOAuth2BearerTokenPrecedence(t *testing.T) {
 		req := httptest.NewRequest("GET", "/test", nil)
 		// Set both cookie and Bearer header - cookie should take precedence
 		req.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenCookie,
+			Name:  codersdk.GetSessionTokenCookie(),
 			Value: validToken,
 		})
 		req.Header.Set("Authorization", "Bearer invalid-token")
@@ -279,7 +279,7 @@ func TestOAuth2BearerTokenPrecedence(t *testing.T) {
 		// Set both query parameter and Bearer header - query should take precedence
 		u, _ := url.Parse("/test")
 		q := u.Query()
-		q.Set(codersdk.SessionTokenCookie, validToken)
+		q.Set(codersdk.GetSessionTokenCookie(), validToken)
 		u.RawQuery = q.Encode()
 
 		req := httptest.NewRequest("GET", u.String(), nil)
@@ -329,13 +329,13 @@ func TestOAuth2BearerTokenPrecedence(t *testing.T) {
 		u, _ := url.Parse("/test")
 		q := u.Query()
 		q.Set("access_token", validToken)
-		q.Set(codersdk.SessionTokenCookie, validToken)
+		q.Set(codersdk.GetSessionTokenCookie(), validToken)
 		u.RawQuery = q.Encode()
 
 		req := httptest.NewRequest("GET", u.String(), nil)
 		req.Header.Set("Authorization", "Bearer "+validToken)
 		req.AddCookie(&http.Cookie{
-			Name:  codersdk.SessionTokenCookie,
+			Name:  codersdk.GetSessionTokenCookie(),
 			Value: validToken,
 		})
 		rec := httptest.NewRecorder()
diff --git a/coderd/httpmw/rfc6750_test.go b/coderd/httpmw/rfc6750_test.go
@@ -204,7 +204,7 @@ func TestAPITokenFromRequest(t *testing.T) {
 			name: "CookiePriorityOverBearer",
 			setupReq: func(req *http.Request) {
 				req.AddCookie(&http.Cookie{
-					Name:  codersdk.SessionTokenCookie,
+					Name:  codersdk.GetSessionTokenCookie(),
 					Value: cookieToken,
 				})
 				req.Header.Set("Authorization", "Bearer "+token)
diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -78,7 +78,7 @@ func ExtractWorkspaceAgentAndLatestBuild(opts ExtractWorkspaceAgentAndLatestBuil
 			tokenValue := APITokenFromRequest(r)
 			if tokenValue == "" {
 				optionalWrite(http.StatusUnauthorized, codersdk.Response{
-					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.SessionTokenCookie),
+					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.GetSessionTokenCookie()),
 				})
 				return
 			}
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -702,7 +702,7 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	cookie := &http.Cookie{
 		// MaxAge < 0 means to delete the cookie now.
 		MaxAge: -1,
-		Name:   codersdk.SessionTokenCookie,
+		Name:   codersdk.GetSessionTokenCookie(),
 		Path:   "/",
 	}
 	http.SetCookie(rw, cookie)
@@ -1914,7 +1914,7 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 			)
 		}
 		cookies = append(cookies, api.DeploymentValues.HTTPCookies.Apply(&http.Cookie{
-			Name:     codersdk.SessionTokenCookie,
+			Name:     codersdk.GetSessionTokenCookie(),
 			Path:     "/",
 			MaxAge:   -1,
 			HttpOnly: true,
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -2476,7 +2476,7 @@ func i64ptr(i int64) *int64 {
 
 func authCookieValue(cookies []*http.Cookie) string {
 	for _, cookie := range cookies {
-		if cookie.Name == codersdk.SessionTokenCookie {
+		if cookie.Name == codersdk.GetSessionTokenCookie() {
 			return cookie.Value
 		}
 	}
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -618,8 +618,8 @@ func TestPostLogout(t *testing.T) {
 
 		var found bool
 		for _, cookie := range cookies {
-			if cookie.Name == codersdk.SessionTokenCookie {
-				require.Equal(t, codersdk.SessionTokenCookie, cookie.Name, "Cookie should be the auth cookie")
+			if cookie.Name == codersdk.GetSessionTokenCookie() {
+				require.Equal(t, codersdk.GetSessionTokenCookie(), cookie.Name, "Cookie should be the auth cookie")
 				require.Equal(t, -1, cookie.MaxAge, "Cookie should be set to delete")
 				found = true
 			}
diff --git a/coderd/workspaceapps/apptest/setup.go b/coderd/workspaceapps/apptest/setup.go
@@ -261,7 +261,7 @@ func appServer(t *testing.T, headers http.Header, isHTTPS bool) uint16 {
 	server := httptest.NewUnstartedServer(
 		http.HandlerFunc(
 			func(w http.ResponseWriter, r *http.Request) {
-				_, err := r.Cookie(codersdk.SessionTokenCookie)
+				_, err := r.Cookie(codersdk.GetSessionTokenCookie())
 				assert.ErrorIs(t, err, http.ErrNoCookie)
 				w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
 				w.Header().Set("X-Got-Host", r.Host)
diff --git a/codersdk/agentsdk/agentsdk.go b/codersdk/agentsdk/agentsdk.go
@@ -262,7 +262,7 @@ func (c *Client) connectRPCVersion(ctx context.Context, version *apiversion.APIV
 		return nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(rpcURL, []*http.Cookie{{
-		Name:  codersdk.SessionTokenCookie,
+		Name:  codersdk.GetSessionTokenCookie(),
 		Value: c.SDK.SessionToken(),
 	}})
 	httpClient := &http.Client{
@@ -705,7 +705,7 @@ func (c *Client) WaitForReinit(ctx context.Context) (*ReinitializationEvent, err
 		return nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(rpcURL, []*http.Cookie{{
-		Name:  codersdk.SessionTokenCookie,
+		Name:  codersdk.GetSessionTokenCookie(),
 		Value: c.SDK.SessionToken(),
 	}})
 	httpClient := &http.Client{
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -12,6 +12,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"os"
 	"strings"
 	"sync"
 
@@ -20,6 +21,7 @@ import (
 	"go.opentelemetry.io/otel/semconv/v1.14.0/httpconv"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/v2/buildinfo"
 	"github.com/coder/coder/v2/coderd/tracing"
 	"github.com/coder/websocket"
 
@@ -30,7 +32,10 @@ import (
 // shouldn't be likely to conflict with any user-application set cookies.
 // Be sure to strip additional cookies in httpapi.StripCoderCookies!
 const (
-	// SessionTokenCookie represents the name of the cookie or query parameter the API key is stored in.
+	// SessionTokenCookie represents the name of the cookie or query parameter in
+	// which the API key is stored.
+	// DEVELOPER NOTE: Please avoid referencing this value directly and use
+	// GetSessionTokenCookie() instead.
 	SessionTokenCookie = "coder_session_token"
 	// SessionTokenHeader is the custom header to use for authentication.
 	SessionTokenHeader = "Coder-Session-Token"
@@ -94,6 +99,22 @@ const (
 	EntitlementsWarningHeader = "X-Coder-Entitlements-Warning"
 )
 
+// GetSessionTokenCookie returns the name of the session token cookie.
+// In almost all production cases, this will just be SessionTokenCookie.
+// However, when developing inside a Coder workspace and accessing the UI
+// proxied through a Coder deployment, we need to prefix the cookie name
+// to avoid conflicting with the "parent" deployment. The prefix is controlled
+// by the CODER_DEV_SESSION_TOKEN_COOKIE_PREFIX environment variable, and only
+// applies in development builds.
+func GetSessionTokenCookie() string {
+	if buildinfo.IsDev() {
+		if pfx, found := os.LookupEnv("CODER_DEV_SESSION_TOKEN_COOKIE_PREFIX"); found && pfx != "" {
+			return pfx + "_" + SessionTokenCookie
+		}
+	}
+	return SessionTokenCookie
+}
+
 // loggableMimeTypes is a list of MIME types that are safe to log
 // the output of. This is useful for debugging or testing.
 var loggableMimeTypes = map[string]struct{}{
diff --git a/codersdk/provisionerdaemons.go b/codersdk/provisionerdaemons.go
@@ -215,7 +215,7 @@ func (c *Client) provisionerJobLogsAfter(ctx context.Context, path string, after
 		return nil, nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(followURL, []*http.Cookie{{
-		Name:  SessionTokenCookie,
+		Name:  GetSessionTokenCookie(),
 		Value: c.SessionToken(),
 	}})
 	httpClient := &http.Client{
@@ -302,7 +302,7 @@ func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisione
 			return nil, xerrors.Errorf("create cookie jar: %w", err)
 		}
 		jar.SetCookies(serverURL, []*http.Cookie{{
-			Name:  SessionTokenCookie,
+			Name:  GetSessionTokenCookie(),
 			Value: c.SessionToken(),
 		}})
 		httpClient.Jar = jar
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -545,7 +545,7 @@ func (c *Client) WatchWorkspaceAgentContainers(ctx context.Context, agentID uuid
 	}
 
 	jar.SetCookies(reqURL, []*http.Cookie{{
-		Name:  SessionTokenCookie,
+		Name:  GetSessionTokenCookie(),
 		Value: c.SessionToken(),
 	}})
 
@@ -630,7 +630,7 @@ func (c *Client) WorkspaceAgentLogsAfter(ctx context.Context, agentID uuid.UUID,
 		return nil, nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(reqURL, []*http.Cookie{{
-		Name:  SessionTokenCookie,
+		Name:  GetSessionTokenCookie(),
 		Value: c.SessionToken(),
 	}})
 	httpClient := &http.Client{
diff --git a/codersdk/workspacesdk/workspacesdk.go b/codersdk/workspacesdk/workspacesdk.go
@@ -380,7 +380,7 @@ func (c *Client) AgentReconnectingPTY(ctx context.Context, opts WorkspaceAgentRe
 			return nil, xerrors.Errorf("create cookie jar: %w", err)
 		}
 		jar.SetCookies(serverURL, []*http.Cookie{{
-			Name:  codersdk.SessionTokenCookie,
+			Name:  codersdk.GetSessionTokenCookie(),
 			Value: c.client.SessionToken(),
 		}})
 		httpClient = &http.Client{

Original file line number	Diff line number	Diff line change
`@@ -624,7 +624,7 @@ func (f FakeIDP) LoginWithClient(t testing.TB, client codersdk.Client, idToken`
`624`	`624`	`var user *codersdk.Client`
`625`	`625`	`cookies := cli.Jar.Cookies(client.URL)`
`626`	`626`	`for _, cookie := range cookies {`
`627`		`- if cookie.Name == codersdk.SessionTokenCookie {`
	`627`	`+ if cookie.Name == codersdk.GetSessionTokenCookie() {`
`628`	`628`	`user = codersdk.New(client.URL)`
`629`	`629`	`user.SetSessionToken(cookie.Value)`
`630`	`630`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func StripCoderCookies(header string) string {`
`20`	`20`	`continue`
`21`	`21`	`}`
`22`	`22`	`name, _, _ := strings.Cut(part, "=")`
`23`		`- if name == codersdk.SessionTokenCookie \|\|`
	`23`	`+ if name == codersdk.GetSessionTokenCookie() \|\|`
`24`	`24`	`name == codersdk.OAuth2StateCookie \|\|`
`25`	`25`	`name == codersdk.OAuth2RedirectCookie \|\|`
`26`	`26`	`name == codersdk.PathAppSessionTokenCookie \|\|`