hub / github.com/coder/coder / APITokenFromRequest

Function APITokenFromRequest

coderd/httpmw/apikey.go:938–972

APITokenFromRequest returns the API token from the request. It looks for the session token in the following order:

1. The cookie
2. The coder_session_token query parameter
3. The custom auth header
4. RFC 6750 Authorization: Bearer header
5. RFC 6750 access_token query parameter

API tokens for apps are read from workspaceap

(r *http.Request)

Source from the content-addressed store, hash-verified

//
// API tokens for apps are read from workspaceapps/cookies.go.
func APITokenFromRequest(r *http.Request) string {
	// Prioritize existing Coder custom authentication methods first
	// to maintain backward compatibility and existing behavior

	cookie, err := r.Cookie(codersdk.SessionTokenCookie)
	if err == nil && cookie.Value != "" {
		return cookie.Value
	}

	urlValue := r.URL.Query().Get(codersdk.SessionTokenCookie)
	if urlValue != "" {
		return urlValue
	}

	headerValue := r.Header.Get(codersdk.SessionTokenHeader)
	if headerValue != "" {
		return headerValue
	}

	// RFC 6750 Bearer Token support (added as fallback methods)
	// Check Authorization: Bearer <token> header (case-insensitive per RFC 6750)
	authHeader := r.Header.Get("Authorization")
	if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
		// Skip "Bearer " (7 characters) and trim surrounding whitespace
		return strings.TrimSpace(authHeader[7:])
	}

	// Check access_token query parameter
	accessToken := r.URL.Query().Get("access_token")
	if accessToken != "" {
		return strings.TrimSpace(accessToken)
	}

	return ""
}

// SplitAPIToken verifies the format of an API key and returns the split ID and
// secret.
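
Two of the five sources are URL query parameters, which end up in access logs, proxy logs and browser history. As an added example (not code from coder/coder; `RedactTokenParams`, `RedactRawURL` and the sample URL are hypothetical), a helper that scrubs those two parameters before a URL is logged and reports which ones were present:

```go
package main

import (
	"fmt"
	"net/url"
)

// Query parameters that APITokenFromRequest accepts as credentials
// (names taken from the doc comment and source above).
var tokenQueryParams = []string{"coder_session_token", "access_token"}

// RedactTokenParams returns a loggable form of u with token values masked,
// plus the names of the token parameters that were present.
func RedactTokenParams(u *url.URL) (string, []string) {
	q := u.Query() // freshly parsed map; u itself is not modified
	var found []string
	for _, name := range tokenQueryParams {
		vals, ok := q[name]
		if !ok {
			continue
		}
		found = append(found, name)
		for i := range vals { // mask every occurrence, not just the first
			vals[i] = "REDACTED"
		}
	}
	if len(found) == 0 {
		return u.String(), nil
	}
	c := *u // shallow copy so the caller's URL keeps its original query
	c.RawQuery = q.Encode()
	return c.String(), found
}

// RedactRawURL is a convenience wrapper for URLs held as strings.
func RedactRawURL(raw string) (string, []string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", nil, err
	}
	safe, found := RedactTokenParams(u)
	return safe, found, nil
}

func main() {
	// Constructed sample URL; the token value is made up.
	safe, found, err := RedactRawURL("https://coder.example.com/api/v2/users/me?access_token=abc123&limit=5")
	fmt.Println(safe, found, err)
}
```

The returned parameter names can feed a metric or alert on URL-borne credentials without the token value ever being written to a log.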

Callers 6

debugDeploymentHealth (Method) · 0.92
mcpHTTPHandler (Method) · 0.92
TestAPITokenFromRequest (Function) · 0.92
TokenFromRequest (Method) · 0.92

Calls 1

Get (Method) · 0.65

Tested by 1

TestAPITokenFromRequest (Function) · 0.74