Skip to content

feat: allow bypassing current CORS magic based on template config #18706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

feat: allow bypassing current CORS magic based on template config #18706

wants to merge 15 commits into from
+1,152 −110

Conversation

cstyan
Copy link
Contributor

@cstyan cstyan commented Jul 1, 2025
edited
Loading

Solves #15096

This is a slight rework/refactor of the earlier PRs from @dannykopping and @Emyrk:

Rather than having a per-app CORS behaviour setting and additionally a template level setting for ports, this PR adds a single template level CORS behaviour setting that is then used by all apps/ports for workspaces created from that template.

The main changes are in proxy.go and request.go to:
a) get the CORS behaviour setting from the template
b) have HandleSubdomain bypass the CORS middleware handler if the selected behaviour is passthru
c) in proxyWorkspaceApp, do not modify the response if the selected behaviour is passthru

cstyan added 3 commits July 7, 2025 20:35
@cstyan
wip
94e423b 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
wip 2
b2e9c6d 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
fix broken build and tests
5b2b80e 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
cstyan added 7 commits July 7, 2025 21:29
@cstyan
rename sql files
1af9d2f 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
fix TS files for tests/linting
6c136cf 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
wip proxy changes, still broken
8b21d0c 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
commit cors package
20c3ffd 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
port test
20dbf97 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
this should fix most tests, thanks blink
432aff6 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
Merge branch 'main' into callum-cors
e75fb3b 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
Emyrk
Emyrk reviewed Jul 9, 2025
View reviewed changes
coderd/workspaceapps/proxy.go Outdated
Comment on lines 598 to 602
// If passthru behavior is set, disable our CORS header stripping.
if cors.HasBehavior(r.Request.Context(), codersdk.CORSBehaviorPassthru) {
fmt.Println("not modifying headers!!!")
return nil
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this the main change to fix things?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed on slack but for record keeping:

Yes, that and the owner client in apptest.go.

Without changing the owner client from sdk client to app client the template id was different in the test setup where we try to set the templates cors behaviour vs in the actual code path where we check the cors behaviour on a template. For tests that were using that owner client.

cstyan added 5 commits July 9, 2025 17:25
@cstyan
move cors mw after app handle subdomain
5b5e766 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
Merge branch 'main' into callum-cors
039240b 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
merge missed removing dbmem
8251d8e 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
fix leftover merge conflict
22c0711 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan
fix linting
a5ad58b 
Signed-off-by: Callum Styan <callumstyan@gmail.com>
@cstyan cstyan changed the title WIP: Allow bypassing current CORS magic based on template config. feat: Allow bypassing current CORS magic based on template config. Jul 9, 2025
@cstyan cstyan changed the title feat: Allow bypassing current CORS magic based on template config. feat: allow bypassing current CORS magic based on template config. Jul 9, 2025
@cstyan cstyan changed the title feat: allow bypassing current CORS magic based on template config. feat: allow bypassing current CORS magic based on template config Jul 9, 2025
@cstyan cstyan marked this pull request as ready for review July 9, 2025 19:12
@github-actions GitHub Actions
Copy link

🚀 Deploying PR 18706 ...

cstyan
cstyan commented Jul 15, 2025
View reviewed changes
coderd/workspaceapps/proxy.go
@@ -323,6 +324,37 @@ func (s *Server) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
s.proxyWorkspaceApp(rw, r, *token, chiPath, appurl.ApplicationURL{})
}

// determineCORSBehavior examines the given token and conditionally applies
// CORS middleware if the token specifies that behavior.
func (s *Server) determineCORSBehavior(token *SignedToken, app appurl.ApplicationURL) func(http.Handler) http.Handler {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know all the details behind when a token is issued. For example, if user 1 has an app with a share level of authenticated (or same but shared port), how can user 2 access the app? We need the signed token to grab the CORS behaviour, but if the user just goes to the apps externally accessible URL, will the correct token be issued?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Emyrk Emyrk Emyrk left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@cstyan cstyan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cstyan @Emyrk