From f85ef401e58ea45c78c226e27d63042dba7a1b28 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 7 May 2025 16:12:13 -0500
Subject: [PATCH] chore: reject external auth early

---
 coderd/workspaceagents.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
index 050537705d107..e4c37af1ca235 100644
--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -1580,6 +1580,15 @@ func (api *API) workspaceAgentsExternalAuth(rw http.ResponseWriter, r *http.Requ
 		return
 	}
 
+	// Pre-check if the caller can read the external auth links for the owner of the
+	// workspace. Do this up front because a sql.ErrNoRows is expected if the user is
+	// in the flow of authenticating. If no row is present, the auth check is delayed
+	// until the user authenticates. It is preferred to reject early.
+	if !api.Authorize(r, policy.ActionReadPersonal, rbac.ResourceUserObject(workspace.OwnerID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
 	var previousToken *database.ExternalAuthLink
 	// handleRetrying will attempt to continually check for a new token
 	// if listen is true. This is useful if an error is encountered in the
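Review bot: The new pre-check on `api.Authorize(r, policy.ActionReadPersonal, rbac.ResourceUserObject(workspace.OwnerID))` must use exactly the same action and resource as the authorization the comment says is otherwise "delayed until the user authenticates"; that later check is outside this hunk, so if the two ever drift the early rejection becomes either a bypass (laxer) or a spurious 403 (stricter). Worth stating that coupling in the comment so the next edit keeps them aligned, e.g. `// NOTE: this mirrors the ReadPersonal check applied once the link row exists; keep both in sync.` The comment's first sentence could also say what is being authorized rather than "if the caller can read": `// Reject early unless the caller may read the workspace owner's external auth links.` The body of workspaceAgentsExternalAuth continues on both sides of this hunk, and `workspace` is presumably populated earlier in the handler.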