
bug: coder_signed_app_token is not renewed when an Authorization header is sent #21467

@leo-wr-ps

Description


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I am using Coder to develop a web application with both frontend and backend components running in the same workspace pod, on kubernetes. The web application serves pages on port 8080, while the backend listens on port 8081.

To preview my application, I share both ports, which are accessible via the subdomain: https://port--agent--workspace--username.coder.example.com. Backend requests (port 8081) require an Authorization header, and because of that, they never reach the workspace.

Coder verifies that the user is authorized to access the subdomain using the coder_subdomain_app_session_token_* session cookie and the coder_signed_app_token short-lived cookie.

When the coder_signed_app_token expires, the coder_subdomain_app_session_token_* is used to renew it. However, if any Authorization header is sent, the coder_subdomain_app_session_token_* is ignored: you get a redirect to the /applications/auth-redirect endpoint (which for a backend call requires manual handling in the code to follow and re-authenticate).

Relevant Log Output

Expected Behavior

When accessing a Coder app, if the coder_subdomain_app_session_token_* cookie indicates that the user is authorized, the request is forwarded to the workspace agent along with the Authorization header. Additionally, a coder_signed_app_token cookie is sent back to the caller.

Steps to Reproduce

  1. Start a basic coder workspace
  2. Upsert a workspace agent port share from the workspace dashboard (Open Ports > Share Ports > 8080 HTTP Authenticated). It doesn't matter whether a process is listening on that port.
  3. Visit https://8080--agent--workspace--username.coder.example.com
  4. Inspect the browser and copy the coder_subdomain_app_session_token_* cookie
  5. Send curl requests to reproduce, with and without Authorization header

     curl -v --cookie "coder_subdomain_app_session_token_*=TOKEN" https://8080--agent--workspace--username.coder.example.com/

     < HTTP/2 200
     < set-cookie: coder_signed_app_token=TOKEN

     (This works as expected. We also get the coder_signed_app_token that will be used until expired.)

     curl -v -H "Authorization: bearer whatever" --cookie "coder_subdomain_app_session_token_*=TOKEN" https://8081--agent--workspace--username.coder.example.com/

     < HTTP/2 303
     < location: https://coder.example.com/api/v2/applications/auth-redirect?redirect_uri=https%3A%2F%2F8081--agent--workspace--username.coder.example.com%2F

     (This request doesn't reach the workspace pod. Moreover, no coder_signed_app_token cookie is sent.)

Environment

  • Host OS: k8s deployment, helm chart version 2.27.8
  • Coder version: v2.27.8+42f06c8

Additional Context

No response
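The two behaviours described in this report, modelled as an added example that is not Coder's code: a minimal Go middleware decision function for a subdomain app proxy, once with the precedence the reporter observed (a present Authorization header short-circuits the session-cookie path) and once with the precedence the reporter expects (the session cookie renews the signed token regardless of the header, and the header is passed through to the workspace for the application to verify). The cookie name suffix `_example`, the token values and the in-memory credential stores are constructed placeholders; the real session cookie carries a per-app suffix and the real verifier checks a signature and a database.

```go
package main

import (
	"fmt"
	"net/http"
)

// Cookie names as they appear in the report. The real session cookie name
// carries a per-app suffix; "_example" is a constructed placeholder.
const (
	sessionCookieName = "coder_subdomain_app_session_token_example"
	signedCookieName  = "coder_signed_app_token"
)

// Outcome is what the model middleware decides for one request.
type Outcome struct {
	Forwarded      bool   // request reaches the workspace agent
	Redirected     bool   // 303 to /applications/auth-redirect instead
	SetSignedToken bool   // a fresh coder_signed_app_token is returned
	AuthHeader     string // Authorization header passed through to the agent
}

// Constructed credential stores standing in for signature verification and
// a session lookup; the values are not real tokens.
var (
	validSessionTokens = map[string]bool{"SESSION-TOKEN-EXAMPLE": true}
	validSignedTokens  = map[string]bool{"SIGNED-TOKEN-EXAMPLE": true}
)

// cookieValue returns the named cookie's value, or "" when it is absent.
func cookieValue(r *http.Request, name string) string {
	c, err := r.Cookie(name)
	if err != nil {
		return ""
	}
	return c.Value
}

// authorizeReported models the behaviour the report describes: a valid
// short-lived signed token is honoured, but once it is missing or expired a
// present Authorization header stops the session cookie from being consulted.
func authorizeReported(r *http.Request) Outcome {
	if validSignedTokens[cookieValue(r, signedCookieName)] {
		return Outcome{Forwarded: true, AuthHeader: r.Header.Get("Authorization")}
	}
	if r.Header.Get("Authorization") != "" {
		// Session cookie ignored: a fully authorized browser session still
		// gets a redirect, and no signed token is issued.
		return Outcome{Redirected: true}
	}
	if validSessionTokens[cookieValue(r, sessionCookieName)] {
		return Outcome{Forwarded: true, SetSignedToken: true}
	}
	return Outcome{Redirected: true}
}

// authorizeExpected models the behaviour the report asks for: the session
// cookie renews the signed token whether or not an Authorization header is
// present, and the header is forwarded untouched for the application itself
// to validate. Credentials that are unknown to Coder never grant access.
func authorizeExpected(r *http.Request) Outcome {
	auth := r.Header.Get("Authorization")
	if validSignedTokens[cookieValue(r, signedCookieName)] {
		return Outcome{Forwarded: true, AuthHeader: auth}
	}
	if validSessionTokens[cookieValue(r, sessionCookieName)] {
		return Outcome{Forwarded: true, SetSignedToken: true, AuthHeader: auth}
	}
	return Outcome{Redirected: true}
}

// backendRequest builds the second curl request from the report: a valid
// session cookie, no (or an expired) signed token, and a bearer header that
// is meant for the application on port 8081 rather than for Coder.
func backendRequest() *http.Request {
	r, _ := http.NewRequest("GET", "https://8081--agent--workspace--username.coder.example.com/", nil)
	r.Header.Set("Authorization", "bearer whatever")
	r.AddCookie(&http.Cookie{Name: sessionCookieName, Value: "SESSION-TOKEN-EXAMPLE"})
	return r
}

func main() {
	r := backendRequest()
	fmt.Printf("reported: %+v\n", authorizeReported(r))
	fmt.Printf("expected: %+v\n", authorizeExpected(r))
}
```

The model makes the security-relevant point of the report visible in one place: in the reported ordering the proxy treats the bearer header as a replacement for Coder's own credentials and fails closed with a redirect, while in the expected ordering Coder's credentials decide access and the application's header merely travels along with the forwarded request. Both orderings still redirect a request that carries neither a valid session cookie nor a valid signed token.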

Metadata


Assignees

No one assigned

Labels

needs-triage (Issue that require triage)
