AppConnectSessionTokenFromRequest returns the session token from the request if it exists. The access method is used to determine which cookie name to use. We use different cookie names for path apps and for subdomain apps to avoid both being set and sent to the server at the same time and the serv
(r *http.Request, accessMethod AccessMethod)
| 74 | // We prefer the access-method-specific cookie first, then fall back to standard |
| 75 | // Coder token extraction (query parameters, Coder-Session-Token header, etc.). |
| 76 | func (c AppCookies) TokenFromRequest(r *http.Request, accessMethod AccessMethod) string { |
| 77 | // Prefer the access-method-specific cookie first. |
| 78 | // |
| 79 | // Workspace app requests commonly include an `Authorization` header intended |
| 80 | // for the upstream app (e.g. API calls). `httpmw.APITokenFromRequest` supports |
| 81 | // RFC 6750 bearer tokens, so if we consult it first we'd incorrectly treat |
| 82 | // that upstream header as a Coder session token and ignore the app session |
| 83 | // cookie, breaking token renewal for subdomain apps. |
| 84 | cookie, err := r.Cookie(c.CookieNameForAccessMethod(accessMethod)) |
| 85 | if err == nil && cookie.Value != "" { |
| 86 | return cookie.Value |
| 87 | } |
| 88 | |
| 89 | // Fall back to standard Coder token extraction (session cookie, query param, |
| 90 | // Coder-Session-Token header, and then Authorization: Bearer). |
| 91 | token := httpmw.APITokenFromRequest(r) |
| 92 | if token != "" { |
| 93 | return token |
| 94 | } |
| 95 | |
| 96 | return "" |
| 97 | } |