Add test for query param session token

f0ssel · f0ssel · commit ec066aaa848d · 2022-05-17T20:38:05.000Z
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -17,8 +17,8 @@ import (
 	"github.com/coder/coder/coderd/httpapi"
 )
 
-// AuthCookie represents the name of the cookie the API key is stored in.
-const AuthCookie = "session_token"
+// SessionTokenKey represents the name of the cookie or query paramater the API key is stored in.
+const SessionTokenKey = "session_token"
 
 type apiKeyContextKey struct{}
 
@@ -44,23 +44,23 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			var cookieValue string
-			cookie, err := r.Cookie(AuthCookie)
+			cookie, err := r.Cookie(SessionTokenKey)
 			if err != nil {
-				cookieValue = r.URL.Query().Get(AuthCookie)
+				cookieValue = r.URL.Query().Get(SessionTokenKey)
 			} else {
 				cookieValue = cookie.Value
 			}
 			if cookieValue == "" {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-					Message: fmt.Sprintf("%q cookie or query parameter must be provided", AuthCookie),
+					Message: fmt.Sprintf("%q cookie or query parameter must be provided", SessionTokenKey),
 				})
 				return
 			}
 			parts := strings.Split(cookieValue, "-")
 			// APIKeys are formatted: ID-SECRET
 			if len(parts) != 2 {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-					Message: fmt.Sprintf("invalid %q cookie api key format", AuthCookie),
+					Message: fmt.Sprintf("invalid %q cookie api key format", SessionTokenKey),
 				})
 				return
 			}
@@ -69,13 +69,13 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h
 			// Ensuring key lengths are valid.
 			if len(keyID) != 10 {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-					Message: fmt.Sprintf("invalid %q cookie api key id", AuthCookie),
+					Message: fmt.Sprintf("invalid %q cookie api key id", SessionTokenKey),
 				})
 				return
 			}
 			if len(keySecret) != 22 {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-					Message: fmt.Sprintf("invalid %q cookie api key secret", AuthCookie),
+					Message: fmt.Sprintf("invalid %q cookie api key secret", SessionTokenKey),
 				})
 				return
 			}
diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
@@ -56,7 +56,7 @@ func TestAPIKey(t *testing.T) {
 			rw = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: "test-wow-hello",
 		})
 
@@ -74,7 +74,7 @@ func TestAPIKey(t *testing.T) {
 			rw = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: "test-wow",
 		})
 
@@ -92,7 +92,7 @@ func TestAPIKey(t *testing.T) {
 			rw = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: "testtestid-wow",
 		})
 
@@ -111,7 +111,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -130,7 +130,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -157,7 +157,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -182,7 +182,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -209,6 +209,37 @@ func TestAPIKey(t *testing.T) {
 		require.Equal(t, sentAPIKey.ExpiresAt, gotAPIKey.ExpiresAt)
 	})
 
+	t.Run("QueryParameter", func(t *testing.T) {
+		t.Parallel()
+		var (
+			db         = databasefake.New()
+			id, secret = randomAPIKeyParts()
+			hashed     = sha256.Sum256([]byte(secret))
+			r          = httptest.NewRequest("GET", "/", nil)
+			rw         = httptest.NewRecorder()
+		)
+		q := r.URL.Query()
+		q.Add(httpmw.SessionTokenKey, fmt.Sprintf("%s-%s", id, secret))
+		r.URL.RawQuery = q.Encode()
+
+		_, err := db.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
+			ID:           id,
+			HashedSecret: hashed[:],
+			ExpiresAt:    database.Now().AddDate(0, 0, 1),
+		})
+		require.NoError(t, err)
+		httpmw.ExtractAPIKey(db, nil)(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			// Checks that it exists on the context!
+			_ = httpmw.APIKey(r)
+			httpapi.Write(rw, http.StatusOK, httpapi.Response{
+				Message: "it worked!",
+			})
+		})).ServeHTTP(rw, r)
+		res := rw.Result()
+		defer res.Body.Close()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+	})
+
 	t.Run("ValidUpdateLastUsed", func(t *testing.T) {
 		t.Parallel()
 		var (
@@ -219,7 +250,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -252,7 +283,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -285,7 +316,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
@@ -319,7 +350,7 @@ func TestAPIKey(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/authorize_test.go b/coderd/httpmw/authorize_test.go
@@ -94,7 +94,7 @@ func TestExtractUserRoles(t *testing.T) {
 
 			req := httptest.NewRequest("GET", "/", nil)
 			req.AddCookie(&http.Cookie{
-				Name:  httpmw.AuthCookie,
+				Name:  httpmw.SessionTokenKey,
 				Value: token,
 			})
 
diff --git a/coderd/httpmw/organizationparam_test.go b/coderd/httpmw/organizationparam_test.go
@@ -29,7 +29,7 @@ func TestOrganizationParam(t *testing.T) {
 			hashed     = sha256.Sum256([]byte(secret))
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/templateparam_test.go b/coderd/httpmw/templateparam_test.go
@@ -29,7 +29,7 @@ func TestTemplateParam(t *testing.T) {
 		)
 		r := httptest.NewRequest("GET", "/", nil)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/templateversionparam_test.go b/coderd/httpmw/templateversionparam_test.go
@@ -29,7 +29,7 @@ func TestTemplateVersionParam(t *testing.T) {
 		)
 		r := httptest.NewRequest("GET", "/", nil)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/userparam_test.go b/coderd/httpmw/userparam_test.go
@@ -29,7 +29,7 @@ func TestUserParam(t *testing.T) {
 			rw         = httptest.NewRecorder()
 		)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -28,10 +28,10 @@ func WorkspaceAgent(r *http.Request) database.WorkspaceAgent {
 func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			cookie, err := r.Cookie(AuthCookie)
+			cookie, err := r.Cookie(SessionTokenKey)
 			if err != nil {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-					Message: fmt.Sprintf("%q cookie must be provided", AuthCookie),
+					Message: fmt.Sprintf("%q cookie must be provided", SessionTokenKey),
 				})
 				return
 			}
diff --git a/coderd/httpmw/workspaceagent_test.go b/coderd/httpmw/workspaceagent_test.go
@@ -22,7 +22,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		token := uuid.New()
 		r := httptest.NewRequest("GET", "/", nil)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: token.String(),
 		})
 		return r, token
diff --git a/coderd/httpmw/workspaceagentparam_test.go b/coderd/httpmw/workspaceagentparam_test.go
@@ -29,7 +29,7 @@ func TestWorkspaceAgentParam(t *testing.T) {
 		)
 		r := httptest.NewRequest("GET", "/", nil)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/workspacebuildparam_test.go b/coderd/httpmw/workspacebuildparam_test.go
@@ -29,7 +29,7 @@ func TestWorkspaceBuildParam(t *testing.T) {
 		)
 		r := httptest.NewRequest("GET", "/", nil)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/httpmw/workspaceparam_test.go b/coderd/httpmw/workspaceparam_test.go
@@ -29,7 +29,7 @@ func TestWorkspaceParam(t *testing.T) {
 		)
 		r := httptest.NewRequest("GET", "/", nil)
 		r.AddCookie(&http.Cookie{
-			Name:  httpmw.AuthCookie,
+			Name:  httpmw.SessionTokenKey,
 			Value: fmt.Sprintf("%s-%s", id, secret),
 		})
 
diff --git a/coderd/users.go b/coderd/users.go
@@ -690,7 +690,7 @@ func (*api) postLogout(rw http.ResponseWriter, _ *http.Request) {
 	cookie := &http.Cookie{
 		// MaxAge < 0 means to delete the cookie now
 		MaxAge: -1,
-		Name:   httpmw.AuthCookie,
+		Name:   httpmw.SessionTokenKey,
 		Path:   "/",
 	}
 
@@ -748,7 +748,7 @@ func (api *api) createAPIKey(rw http.ResponseWriter, r *http.Request, params dat
 	// This format is consumed by the APIKey middleware.
 	sessionToken := fmt.Sprintf("%s-%s", keyID, keySecret)
 	http.SetCookie(rw, &http.Cookie{
-		Name:     httpmw.AuthCookie,
+		Name:     httpmw.SessionTokenKey,
 		Value:    sessionToken,
 		Path:     "/",
 		HttpOnly: true,
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -122,7 +122,7 @@ func TestPostLogout(t *testing.T) {
 		cookies := response.Cookies()
 		require.Len(t, cookies, 1, "Exactly one cookie should be returned")
 
-		require.Equal(t, cookies[0].Name, httpmw.AuthCookie, "Cookie should be the auth cookie")
+		require.Equal(t, cookies[0].Name, httpmw.SessionTokenKey, "Cookie should be the auth cookie")
 		require.Equal(t, cookies[0].MaxAge, -1, "Cookie should be set to delete")
 	})
 }
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -64,7 +64,7 @@ func (c *Client) Request(ctx context.Context, method, path string, body interfac
 		return nil, xerrors.Errorf("create request: %w", err)
 	}
 	req.AddCookie(&http.Cookie{
-		Name:  httpmw.AuthCookie,
+		Name:  httpmw.SessionTokenKey,
 		Value: c.SessionToken,
 	})
 	if body != nil {
@@ -99,7 +99,7 @@ func (c *Client) websocket(ctx context.Context, path string) (*websocket.Conn, e
 	}
 	apiURL.Path = path
 	q := apiURL.Query()
-	q.Add(httpmw.AuthCookie, c.SessionToken)
+	q.Add(httpmw.SessionTokenKey, c.SessionToken)
 	apiURL.RawQuery = q.Encode()
 
 	//nolint:bodyclose
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -188,7 +188,7 @@ func (c *Client) ListenWorkspaceAgent(ctx context.Context, logger slog.Logger) (
 		return agent.Metadata{}, nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(serverURL, []*http.Cookie{{
-		Name:  httpmw.AuthCookie,
+		Name:  httpmw.SessionTokenKey,
 		Value: c.SessionToken,
 	}})
 	httpClient := &http.Client{
@@ -263,7 +263,7 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti
 		return nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(serverURL, []*http.Cookie{{
-		Name:  httpmw.AuthCookie,
+		Name:  httpmw.SessionTokenKey,
 		Value: c.SessionToken,
 	}})
 	httpClient := &http.Client{
@@ -351,7 +351,7 @@ func (c *Client) WorkspaceAgentReconnectingPTY(ctx context.Context, agentID, rec
 		return nil, xerrors.Errorf("create cookie jar: %w", err)
 	}
 	jar.SetCookies(serverURL, []*http.Cookie{{
-		Name:  httpmw.AuthCookie,
+		Name:  httpmw.SessionTokenKey,
 		Value: c.SessionToken,
 	}})
 	httpClient := &http.Client{

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestOrganizationParam(t *testing.T) {`
`29`	`29`	`hashed = sha256.Sum256([]byte(secret))`
`30`	`30`	`)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestTemplateParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r := httptest.NewRequest("GET", "/", nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestTemplateVersionParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r := httptest.NewRequest("GET", "/", nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestUserParam(t *testing.T) {`
`29`	`29`	`rw = httptest.NewRecorder()`
`30`	`30`	`)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestWorkspaceAgentParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r := httptest.NewRequest("GET", "/", nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestWorkspaceBuildParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r := httptest.NewRequest("GET", "/", nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ func TestWorkspaceParam(t *testing.T) {`
`29`	`29`	`)`
`30`	`30`	`r := httptest.NewRequest("GET", "/", nil)`
`31`	`31`	`r.AddCookie(&http.Cookie{`
`32`		`- Name: httpmw.AuthCookie,`
	`32`	`+ Name: httpmw.SessionTokenKey,`
`33`	`33`	`Value: fmt.Sprintf("%s-%s", id, secret),`
`34`	`34`	`})`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ func TestPostLogout(t *testing.T) {`
`122`	`122`	`cookies := response.Cookies()`
`123`	`123`	`require.Len(t, cookies, 1, "Exactly one cookie should be returned")`
`124`	`124`
`125`		`- require.Equal(t, cookies[0].Name, httpmw.AuthCookie, "Cookie should be the auth cookie")`
	`125`	`+ require.Equal(t, cookies[0].Name, httpmw.SessionTokenKey, "Cookie should be the auth cookie")`
`126`	`126`	`require.Equal(t, cookies[0].MaxAge, -1, "Cookie should be set to delete")`
`127`	`127`	`})`
`128`	`128`	`}`