ExtractWorkspaceProxy extracts the external workspace proxy from the request using the external proxy auth token header.
(opts ExtractWorkspaceProxyConfig)
| 59 | // ExtractWorkspaceProxy extracts the external workspace proxy from the request |
| 60 | // using the external proxy auth token header. |
| 61 | func ExtractWorkspaceProxy(opts ExtractWorkspaceProxyConfig) func(http.Handler) http.Handler { |
| 62 | return func(next http.Handler) http.Handler { |
| 63 | return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| 64 | ctx := r.Context() |
| 65 | |
| 66 | token := r.Header.Get(WorkspaceProxyAuthTokenHeader) |
| 67 | if token == "" { |
| 68 | if opts.Optional { |
| 69 | next.ServeHTTP(w, r) |
| 70 | return |
| 71 | } |
| 72 | |
| 73 | httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{ |
| 74 | Message: "Missing required external proxy token", |
| 75 | }) |
| 76 | return |
| 77 | } |
| 78 | |
| 79 | // Split the token and lookup the corresponding workspace proxy. |
| 80 | parts := strings.Split(token, ":") |
| 81 | if len(parts) != 2 { |
| 82 | httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{ |
| 83 | Message: "Invalid external proxy token", |
| 84 | }) |
| 85 | return |
| 86 | } |
| 87 | proxyID, err := uuid.Parse(parts[0]) |
| 88 | if err != nil { |
| 89 | httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{ |
| 90 | Message: "Invalid external proxy token", |
| 91 | }) |
| 92 | return |
| 93 | } |
| 94 | secret := parts[1] |
| 95 | if len(secret) != 64 { |
| 96 | httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{ |
| 97 | Message: "Invalid external proxy token", |
| 98 | }) |
| 99 | return |
| 100 | } |
| 101 | |
| 102 | // Get the proxy. |
| 103 | // nolint:gocritic // Get proxy by ID to check auth token |
| 104 | proxy, err := opts.DB.GetWorkspaceProxyByID(dbauthz.AsSystemRestricted(ctx), proxyID) |
| 105 | if xerrors.Is(err, sql.ErrNoRows) { |
| 106 | // Proxy IDs are public so we don't care about leaking them via |
| 107 | // timing attacks. |
| 108 | httpapi.Write(ctx, w, http.StatusUnauthorized, codersdk.Response{ |
| 109 | Message: "Invalid external proxy token", |
| 110 | Detail: "Proxy not found.", |
| 111 | }) |
| 112 | return |
| 113 | } |
| 114 | if err != nil { |
| 115 | httpapi.InternalServerError(w, err) |
| 116 | return |
| 117 | } |
| 118 | if proxy.Deleted { |