fix broken build and tests

cstyan · cstyan · commit 5b2b80e5b32f · 2025-07-07T20:39:47.000Z
Signed-off-by: Callum Styan &lt;callumstyan@gmail.com&gt;
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -1348,6 +1348,7 @@ func (s *MethodTestSuite) TestTemplate() {
 			Provisioner:         "echo",
 			OrganizationID:      orgID,
 			MaxPortSharingLevel: database.AppSharingLevelOwner,
+			CorsBehavior:        database.CorsBehaviorSimple,
 		}).Asserts(rbac.ResourceTemplate.InOrg(orgID), policy.ActionCreate)
 	}))
 	s.Run("InsertTemplateVersion", s.Subtest(func(db database.Store, check *expects) {
@@ -1468,6 +1469,7 @@ func (s *MethodTestSuite) TestTemplate() {
 		check.Args(database.UpdateTemplateMetaByIDParams{
 			ID:                  t1.ID,
 			MaxPortSharingLevel: "owner",
+			CorsBehavior:        database.CorsBehaviorSimple,
 		}).Asserts(t1, policy.ActionUpdate)
 	}))
 	s.Run("UpdateTemplateVersionByID", s.Subtest(func(db database.Store, check *expects) {
diff --git a/coderd/database/migrations/000347_template_level_cors.down.sql b/coderd/database/migrations/000347_template_level_cors.down.sql
@@ -28,7 +28,7 @@ CREATE VIEW template_with_names AS
     templates.deprecated,
     templates.activity_bump,
     templates.max_port_sharing_level,
-	templates.use_classic_parameter_flow,
+		templates.use_classic_parameter_flow,
     COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
     COALESCE(visible_users.username, ''::text) AS created_by_username,
     COALESCE(visible_users.name, ''::text) AS created_by_name,
@@ -42,3 +42,5 @@ CREATE VIEW template_with_names AS
 COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
 
 ALTER TABLE templates DROP COLUMN cors_behavior;
+
+DROP TYPE IF EXISTS cors_behavior;
diff --git a/coderd/prometheusmetrics/prometheusmetrics_test.go b/coderd/prometheusmetrics/prometheusmetrics_test.go
@@ -744,6 +744,7 @@ func insertTemplates(t *testing.T, db database.Store, u database.User, org datab
 		MaxPortSharingLevel: database.AppSharingLevelAuthenticated,
 		CreatedBy:           u.ID,
 		OrganizationID:      org.ID,
+		CorsBehavior:        database.CorsBehaviorSimple,
 	}))
 	pj := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{})
 
@@ -763,6 +764,7 @@ func insertTemplates(t *testing.T, db database.Store, u database.User, org datab
 		MaxPortSharingLevel: database.AppSharingLevelAuthenticated,
 		CreatedBy:           u.ID,
 		OrganizationID:      org.ID,
+		CorsBehavior:        database.CorsBehaviorSimple,
 	}))
 
 	require.NoError(t, db.InsertTemplateVersion(context.Background(), database.InsertTemplateVersionParams{
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -352,12 +352,12 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
 		}
 	}
 
-	if createTemplate.CORSBehavior != nil {
-		val := codersdk.CORSBehavior(*createTemplate.CORSBehavior)
+	if createTemplate.CORSBehavior != nil && *createTemplate.CORSBehavior != "" {
+		val := createTemplate.CORSBehavior
 		if err := val.Validate(); err != nil {
 			validErrs = append(validErrs, codersdk.ValidationError{Field: "cors_behavior", Detail: err.Error()})
 		} else {
-			corsBehavior = database.CorsBehavior(val)
+			corsBehavior = database.CorsBehavior(*val)
 		}
 	}
 
@@ -664,7 +664,6 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 		validErrs                            []codersdk.ValidationError
 		autostopRequirementDaysOfWeekParsed  uint8
 		autostartRequirementDaysOfWeekParsed uint8
-		corsBehavior                         database.CorsBehavior
 	)
 	if req.DefaultTTLMillis < 0 {
 		validErrs = append(validErrs, codersdk.ValidationError{Field: "default_ttl_ms", Detail: "Must be a positive integer."})
@@ -737,12 +736,13 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if req.CORSBehavior != nil {
-		val := codersdk.CORSBehavior(*req.CORSBehavior)
+	corsBehavior := template.CorsBehavior
+	if req.CORSBehavior != nil && *req.CORSBehavior != "" {
+		val := req.CORSBehavior
 		if err := val.Validate(); err != nil {
 			validErrs = append(validErrs, codersdk.ValidationError{Field: "cors_behavior", Detail: err.Error()})
 		} else {
-			corsBehavior = database.CorsBehavior(val)
+			corsBehavior = database.CorsBehavior(*val)
 		}
 	}
 
@@ -1107,7 +1107,7 @@ func (api *API) convertTemplate(
 		DeprecationMessage:      templateAccessControl.Deprecated,
 		MaxPortShareLevel:       maxPortShareLevel,
 		UseClassicParameterFlow: template.UseClassicParameterFlow,
-		CORSBehavior:            (*codersdk.CORSBehavior)(&template.CorsBehavior),
+		CORSBehavior:            codersdk.CORSBehavior(template.CorsBehavior),
 	}
 }
 
diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
@@ -152,6 +152,7 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
 	if dbReq.AppURL != nil {
 		token.AppURL = dbReq.AppURL.String()
 	}
+	token.CORSBehavior = codersdk.CORSBehavior(dbReq.CorsBehavior)
 
 	// Verify the user has access to the app.
 	authed, warnings, err := p.authorizeRequest(r.Context(), authz, dbReq)
diff --git a/coderd/workspaceapps/db_test.go b/coderd/workspaceapps/db_test.go
@@ -318,11 +318,12 @@ func Test_ResolveRequest(t *testing.T) {
 						RegisteredClaims: jwtutils.RegisteredClaims{
 							Expiry: jwt.NewNumericDate(token.Expiry.Time()),
 						},
-						Request:     req,
-						UserID:      me.ID,
-						WorkspaceID: workspace.ID,
-						AgentID:     agentID,
-						AppURL:      appURL,
+						Request:      req,
+						UserID:       me.ID,
+						WorkspaceID:  workspace.ID,
+						AgentID:      agentID,
+						AppURL:       appURL,
+						CORSBehavior: codersdk.CORSBehaviorSimple,
 					}, token)
 					require.NotZero(t, token.Expiry)
 					require.WithinDuration(t, time.Now().Add(workspaceapps.DefaultTokenExpiry), token.Expiry.Time(), time.Minute)
diff --git a/coderd/workspaceapps/request.go b/coderd/workspaceapps/request.go
@@ -204,6 +204,9 @@ type databaseRequest struct {
 	// AppSharingLevel is the sharing level of the app. This is forced to be set
 	// to AppSharingLevelOwner if the access method is terminal.
 	AppSharingLevel database.AppSharingLevel
+	// CorsBehavior is set at the template level for all apps/ports in a workspace, and can
+	// either be the current CORS middleware 'simple' or bypass the cors middleware with 'passthru'.
+	CorsBehavior database.CorsBehavior
 }
 
 // getDatabase does queries to get the owner user, workspace and agent
@@ -296,14 +299,14 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
 		// First check if it's a port-based URL with an optional "s" suffix for HTTPS.
 		potentialPortStr      = strings.TrimSuffix(r.AppSlugOrPort, "s")
 		portUint, portUintErr = strconv.ParseUint(potentialPortStr, 10, 16)
-		// corsBehavior          database.CorsBehavior
+		corsBehavior          database.CorsBehavior
 	)
 
-	// tmpl, err := db.GetTemplateByID(ctx, workspace.TemplateID)
-	// if err != nil {
-	// 	return nil, xerrors.Errorf("get template %q: %w", workspace.TemplateID, err)
-	// }
-	// corsBehavior = tmpl.CorsBehavior
+	tmpl, err := db.GetTemplateByID(ctx, workspace.TemplateID)
+	if err != nil {
+		return nil, xerrors.Errorf("get template %q: %w", workspace.TemplateID, err)
+	}
+	corsBehavior = tmpl.CorsBehavior
 	//nolint:nestif
 	if portUintErr == nil {
 		protocol := "http"
@@ -424,7 +427,7 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
 		App:             app,
 		AppURL:          appURLParsed,
 		AppSharingLevel: appSharingLevel,
-		// CorsBehavior:    corsBehavior,
+		CorsBehavior:    corsBehavior,
 	}, nil
 }
 
diff --git a/coderd/workspaceapps/token.go b/coderd/workspaceapps/token.go
@@ -22,10 +22,11 @@ type SignedToken struct {
 	// Request details.
 	Request `json:"request"`
 
-	UserID      uuid.UUID `json:"user_id"`
-	WorkspaceID uuid.UUID `json:"workspace_id"`
-	AgentID     uuid.UUID `json:"agent_id"`
-	AppURL      string    `json:"app_url"`
+	UserID       uuid.UUID             `json:"user_id"`
+	WorkspaceID  uuid.UUID             `json:"workspace_id"`
+	AgentID      uuid.UUID             `json:"agent_id"`
+	AppURL       string                `json:"app_url"`
+	CORSBehavior codersdk.CORSBehavior `json:"cors_behavior"`
 }
 
 // MatchesRequest returns true if the token matches the request. Any token that
diff --git a/codersdk/cors_behavior.go b/codersdk/cors_behavior.go
@@ -1,16 +1,18 @@
 package codersdk
 
-import "golang.org/x/xerrors"
+import (
+	"golang.org/x/xerrors"
+)
 
 type CORSBehavior string
 
 const (
-	AppCORSBehaviorSimple   CORSBehavior = "simple"
-	AppCORSBehaviorPassthru CORSBehavior = "passthru"
+	CORSBehaviorSimple   CORSBehavior = "simple"
+	CORSBehaviorPassthru CORSBehavior = "passthru"
 )
 
 func (c CORSBehavior) Validate() error {
-	if c != AppCORSBehaviorSimple && c != AppCORSBehaviorPassthru {
+	if c != CORSBehaviorSimple && c != CORSBehaviorPassthru {
 		return xerrors.New("Invalid CORS behavior.")
 	}
 	return nil
diff --git a/codersdk/templates.go b/codersdk/templates.go
@@ -61,7 +61,7 @@ type Template struct {
 	// template version.
 	RequireActiveVersion bool                         `json:"require_active_version"`
 	MaxPortShareLevel    WorkspaceAgentPortShareLevel `json:"max_port_share_level"`
-	CORSBehavior         *CORSBehavior                `json:"cors_behavior"`
+	CORSBehavior         CORSBehavior                 `json:"cors_behavior"`
 
 	UseClassicParameterFlow bool `json:"use_classic_parameter_flow"`
 }
@@ -253,7 +253,7 @@ type UpdateTemplateMeta struct {
 	// of the template.
 	DisableEveryoneGroupAccess bool                          `json:"disable_everyone_group_access"`
 	MaxPortShareLevel          *WorkspaceAgentPortShareLevel `json:"max_port_share_level,omitempty"`
-	CORSBehavior               *CORSBehavior                 `json:"cors_behavior"`
+	CORSBehavior               *CORSBehavior                 `json:"cors_behavior,omitempty"`
 	// UseClassicParameterFlow is a flag that switches the default behavior to use the classic
 	// parameter flow when creating a workspace. This only affects deployments with the experiment
 	// "dynamic-parameters" enabled. This setting will live for a period after the experiment is
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx
@@ -4,6 +4,7 @@ import FormHelperText from "@mui/material/FormHelperText";
 import MenuItem from "@mui/material/MenuItem";
 import TextField from "@mui/material/TextField";
 import {
+	CORSBehaviors,
 	type Template,
 	type UpdateTemplateMeta,
 	WorkspaceAppSharingLevels,
@@ -53,6 +54,7 @@ export const validationSchema = Yup.object({
 	use_classic_parameter_flow: Yup.boolean(),
 	deprecation_message: Yup.string(),
 	max_port_sharing_level: Yup.string().oneOf(WorkspaceAppSharingLevels),
+	cors_behavior: Yup.string().oneOf(Object.values(CORSBehaviors)),
 });
 
 export interface TemplateSettingsForm {
@@ -94,6 +96,7 @@ export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
 			disable_everyone_group_access: false,
 			max_port_share_level: template.max_port_share_level,
 			use_classic_parameter_flow: template.use_classic_parameter_flow,
+			cors_behavior: template.cors_behavior,
 		},
 		validationSchema,
 		onSubmit,
@@ -339,6 +342,28 @@ export const TemplateSettingsForm: FC<TemplateSettingsForm> = ({
 				</FormFields>
 			</FormSection>
 
+			<FormSection
+				title="CORS Behavior"
+				description="Control how Cross-Origin Resource Sharing (CORS) requests are handled for all shared ports."
+			>
+				<FormFields>
+					<TextField
+						{...getFieldHelpers("cors_behavior", {
+							helperText:
+								"Use Passthru to bypass Coder's built-in CORS protection.",
+						})}
+						disabled={isSubmitting}
+						fullWidth
+						select
+						value={form.values.cors_behavior}
+						label="CORS Behavior"
+					>
+						<MenuItem value="simple">Simple</MenuItem>
+						<MenuItem value="passthru">Passthru</MenuItem>
+					</TextField>
+				</FormFields>
+			</FormSection>
+
 			<FormFooter>
 				<Button onClick={onCancel} variant="outline">
 					Cancel
diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.test.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsPage.test.tsx
@@ -55,6 +55,7 @@ const validFormValues: FormValues = {
 	disable_everyone_group_access: false,
 	max_port_share_level: "owner",
 	use_classic_parameter_flow: true,
+	cors_behavior: "simple",
 };
 
 const renderTemplateSettingsPage = async () => {
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
@@ -827,6 +827,7 @@ export const MockTemplate: TypesGen.Template = {
 	deprecation_message: "",
 	max_port_share_level: "public",
 	use_classic_parameter_flow: true,
+	cors_behavior: "simple",
 };
 
 const MockTemplateVersionFiles: TemplateVersionFiles = {

Original file line number	Diff line number	Diff line change
`@@ -352,12 +352,12 @@ func (api API) postTemplateByOrganization(rw http.ResponseWriter, r http.Reque`
`352`	`352`	`}`
`353`	`353`	`}`
`354`	`354`
`355`		`- if createTemplate.CORSBehavior != nil {`
`356`		`- val := codersdk.CORSBehavior(*createTemplate.CORSBehavior)`
	`355`	`+ if createTemplate.CORSBehavior != nil && *createTemplate.CORSBehavior != "" {`
	`356`	`+ val := createTemplate.CORSBehavior`
`357`	`357`	`if err := val.Validate(); err != nil {`
`358`	`358`	`validErrs = append(validErrs, codersdk.ValidationError{Field: "cors_behavior", Detail: err.Error()})`
`359`	`359`	`} else {`
`360`		`- corsBehavior = database.CorsBehavior(val)`
	`360`	`+ corsBehavior = database.CorsBehavior(*val)`
`361`	`361`	`}`
`362`	`362`	`}`
`363`	`363`
`@@ -664,7 +664,6 @@ func (api API) patchTemplateMeta(rw http.ResponseWriter, r http.Request) {`
`664`	`664`	`validErrs []codersdk.ValidationError`
`665`	`665`	`autostopRequirementDaysOfWeekParsed uint8`
`666`	`666`	`autostartRequirementDaysOfWeekParsed uint8`
`667`		`- corsBehavior database.CorsBehavior`
`668`	`667`	`)`
`669`	`668`	`if req.DefaultTTLMillis < 0 {`
`670`	`669`	`validErrs = append(validErrs, codersdk.ValidationError{Field: "default_ttl_ms", Detail: "Must be a positive integer."})`
`@@ -737,12 +736,13 @@ func (api API) patchTemplateMeta(rw http.ResponseWriter, r http.Request) {`
`737`	`736`	`}`
`738`	`737`	`}`
`739`	`738`
`740`		`- if req.CORSBehavior != nil {`
`741`		`- val := codersdk.CORSBehavior(*req.CORSBehavior)`
	`739`	`+ corsBehavior := template.CorsBehavior`
	`740`	`+ if req.CORSBehavior != nil && *req.CORSBehavior != "" {`
	`741`	`+ val := req.CORSBehavior`
`742`	`742`	`if err := val.Validate(); err != nil {`
`743`	`743`	`validErrs = append(validErrs, codersdk.ValidationError{Field: "cors_behavior", Detail: err.Error()})`
`744`	`744`	`} else {`
`745`		`- corsBehavior = database.CorsBehavior(val)`
	`745`	`+ corsBehavior = database.CorsBehavior(*val)`
`746`	`746`	`}`
`747`	`747`	`}`
`748`	`748`
`@@ -1107,7 +1107,7 @@ func (api *API) convertTemplate(`
`1107`	`1107`	`DeprecationMessage: templateAccessControl.Deprecated,`
`1108`	`1108`	`MaxPortShareLevel: maxPortShareLevel,`
`1109`	`1109`	`UseClassicParameterFlow: template.UseClassicParameterFlow,`
`1110`		`- CORSBehavior: (*codersdk.CORSBehavior)(&template.CorsBehavior),`
	`1110`	`+ CORSBehavior: codersdk.CORSBehavior(template.CorsBehavior),`
`1111`	`1111`	`}`
`1112`	`1112`	`}`
`1113`	`1113`
Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,7 @@ func (p DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r `
`152`	`152`	`if dbReq.AppURL != nil {`
`153`	`153`	`token.AppURL = dbReq.AppURL.String()`
`154`	`154`	`}`
	`155`	`+ token.CORSBehavior = codersdk.CORSBehavior(dbReq.CorsBehavior)`
`155`	`156`
`156`	`157`	`// Verify the user has access to the app.`
`157`	`158`	`authed, warnings, err := p.authorizeRequest(r.Context(), authz, dbReq)`