APITokenFromRequest returns the API token from the request. It finds the session token from: 1. The cookie 2. The coder_session_token query parameter 3. The custom auth header 4. RFC 6750 Authorization: Bearer header 5. RFC 6750 access_token query parameter. API tokens for apps are read from workspaceap
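// APITokenFromRequest returns the API token carried by the request. The
// session token is looked up from the following sources, in order:
//
//  1. The session token cookie
//  2. The coder_session_token query parameter
//  3. The custom session token header
//  4. The RFC 6750 "Authorization: Bearer <token>" header
//  5. The RFC 6750 access_token query parameter
//
// The Coder-specific sources are checked first so existing clients keep
// working; the RFC 6750 sources are fallbacks. Only a non-empty value is
// returned from any source — a source that is present but blank (for example
// "Authorization: Bearer " with nothing after the scheme) falls through to the
// next one. An empty string is returned when no token is found.
//
// API tokens for apps are read from workspaceapps/cookies.go.
func APITokenFromRequest(r *http.Request) string {
	// Prioritize existing Coder custom authentication methods first
	// to maintain backward compatibility and existing behavior.
	if cookie, err := r.Cookie(codersdk.SessionTokenCookie); err == nil && cookie.Value != "" {
		return cookie.Value
	}

	// Parse the query string once; it is consulted for two different keys.
	// Note that tokens carried in the query string can end up in access logs,
	// browser history and Referer headers (RFC 6750 §2.3 discourages this
	// transport), so the cookie and header forms are the preferred ones.
	query := r.URL.Query()
	if v := query.Get(codersdk.SessionTokenCookie); v != "" {
		return v
	}

	if v := r.Header.Get(codersdk.SessionTokenHeader); v != "" {
		return v
	}

	// RFC 6750 Bearer Token support (fallback methods).
	// The "Bearer" scheme name is case-insensitive per RFC 6750, so the prefix
	// is compared with EqualFold on the original bytes rather than lower-casing
	// the whole header; this avoids an allocation and never slices the original
	// string by an offset computed on a transformed copy.
	const bearerScheme = "bearer "
	authHeader := r.Header.Get("Authorization")
	if len(authHeader) >= len(bearerScheme) && strings.EqualFold(authHeader[:len(bearerScheme)], bearerScheme) {
		if v := strings.TrimSpace(authHeader[len(bearerScheme):]); v != "" {
			return v
		}
	}

	// RFC 6750 access_token query parameter.
	if v := strings.TrimSpace(query.Get("access_token")); v != "" {
		return v
	}

	return ""
}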
| 973 | |
| 974 | // SplitAPIToken verifies the format of an API key and returns the split ID and |
| 975 | // secret. |