Remove long-unused internal plugin system

We are trying to update Express to fix a vulnerability.

We would have to update the plugins as well, but since we are no longer
using the plugin system, we can just delete it instead.

src/node/plugin.ts

@@ -1,302 +0,0 @@
-import { field, Level, Logger } from "@coder/logger"
-import * as express from "express"
-import * as fs from "fs"
-import * as path from "path"
-import * as semver from "semver"
-import * as pluginapi from "../../typings/pluginapi"
-import { HttpCode, HttpError } from "../common/http"
-import { version } from "./constants"
-import { authenticated, ensureAuthenticated, replaceTemplates } from "./http"
-import { proxy } from "./proxy"
-import * as util from "./util"
-import { Router as WsRouter, WebsocketRouter, wss } from "./wsRouter"
-const fsp = fs.promises
-
-// Represents a required module which could be anything.
-type Module = any
-
-/**
- * Inject code-server when `require`d. This is required because the API provides
- * more than just types so these need to be provided at run-time.
- */
-const originalLoad = require("module")._load
-require("module")._load = function (request: string, parent: object, isMain: boolean): Module {
-  return request === "code-server" ? codeServer : originalLoad.apply(this, [request, parent, isMain])
-}
-
-/**
- * The module you get when importing "code-server".
- */
-export const codeServer = {
-  HttpCode,
-  HttpError,
-  Level,
-  authenticated,
-  ensureAuthenticated,
-  express,
-  field,
-  proxy,
-  replaceTemplates,
-  WsRouter,
-  wss,
-}
-
-interface Plugin extends pluginapi.Plugin {
-  /**
-   * These fields are populated from the plugin's package.json
-   * and now guaranteed to exist.
-   */
-  name: string
-  version: string
-
-  /**
-   * path to the node module on the disk.
-   */
-  modulePath: string
-}
-
-interface Application extends pluginapi.Application {
-  /*
-   * Clone of the above without functions.
-   */
-  plugin: Omit<Plugin, "init" | "deinit" | "router" | "applications">
-}
-
-/**
- * PluginAPI implements the plugin API described in typings/pluginapi.d.ts
- * Please see that file for details.
- */
-export class PluginAPI {
-  private readonly plugins = new Map<string, Plugin>()
-  private readonly logger: Logger
-
-  public constructor(
-    logger: Logger,
-    /**
-     * These correspond to $CS_PLUGIN_PATH and $CS_PLUGIN respectively.
-     */
-    private readonly csPlugin = "",
-    private readonly csPluginPath = `${path.join(util.paths.data, "plugins")}:/usr/share/code-server/plugins`,
-    private readonly workingDirectory: string | undefined = undefined,
-  ) {
-    this.logger = logger.named("pluginapi")
-  }
-
-  /**
-   * applications grabs the full list of applications from
-   * all loaded plugins.
-   */
-  public async applications(): Promise<Application[]> {
-    const apps = new Array<Application>()
-    for (const [, p] of this.plugins) {
-      if (!p.applications) {
-        continue
-      }
-      const pluginApps = await p.applications()
-
-      // Add plugin key to each app.
-      apps.push(
-        ...pluginApps.map((app) => {
-          app = { ...app, path: path.join(p.routerPath, app.path || "") }
-          app = { ...app, iconPath: path.join(app.path || "", app.iconPath) }
-          return {
-            ...app,
-            plugin: {
-              name: p.name,
-              version: p.version,
-              modulePath: p.modulePath,
-
-              displayName: p.displayName,
-              description: p.description,
-              routerPath: p.routerPath,
-              homepageURL: p.homepageURL,
-            },
-          }
-        }),
-      )
-    }
-    return apps
-  }
-
-  /**
-   * mount mounts all plugin routers onto r and websocket routers onto wr.
-   */
-  public mount(r: express.Router, wr: express.Router): void {
-    for (const [, p] of this.plugins) {
-      if (p.router) {
-        r.use(`${p.routerPath}`, p.router())
-      }
-      if (p.wsRouter) {
-        wr.use(`${p.routerPath}`, (p.wsRouter() as WebsocketRouter).router)
-      }
-    }
-  }
-
-  /**
-   * loadPlugins loads all plugins based on this.csPlugin,
-   * this.csPluginPath and the built in plugins.
-   */
-  public async loadPlugins(loadBuiltin = true): Promise<void> {
-    for (const dir of this.csPlugin.split(":")) {
-      if (!dir) {
-        continue
-      }
-      await this.loadPlugin(dir)
-    }
-
-    for (const dir of this.csPluginPath.split(":")) {
-      if (!dir) {
-        continue
-      }
-      await this._loadPlugins(dir)
-    }
-
-    if (loadBuiltin) {
-      await this._loadPlugins(path.join(__dirname, "../../plugins"))
-    }
-  }
-
-  /**
-   * _loadPlugins is the counterpart to loadPlugins.
-   *
-   * It differs in that it loads all plugins in a single
-   * directory whereas loadPlugins uses all available directories
-   * as documented.
-   */
-  private async _loadPlugins(dir: string): Promise<void> {
-    try {
-      const entries = await fsp.readdir(dir, { withFileTypes: true })
-      for (const ent of entries) {
-        if (!ent.isDirectory()) {
-          continue
-        }
-        await this.loadPlugin(path.join(dir, ent.name))
-      }
-    } catch (error: any) {
-      if (error.code !== "ENOENT") {
-        this.logger.warn(`failed to load plugins from ${q(dir)}: ${error.message}`)
-      }
-    }
-  }
-
-  private async loadPlugin(dir: string): Promise<void> {
-    try {
-      const str = await fsp.readFile(path.join(dir, "package.json"), {
-        encoding: "utf8",
-      })
-      const packageJSON: PackageJSON = JSON.parse(str)
-      for (const [, p] of this.plugins) {
-        if (p.name === packageJSON.name) {
-          this.logger.warn(
-            `ignoring duplicate plugin ${q(p.name)} at ${q(dir)}, using previously loaded ${q(p.modulePath)}`,
-          )
-          return
-        }
-      }
-      const p = this._loadPlugin(dir, packageJSON)
-      this.plugins.set(p.name, p)
-    } catch (error: any) {
-      if (error.code !== "ENOENT") {
-        this.logger.warn(`failed to load plugin: ${error.stack}`)
-      }
-    }
-  }
-
-  /**
-   * _loadPlugin is the counterpart to loadPlugin and actually
-   * loads the plugin now that we know there is no duplicate
-   * and that the package.json has been read.
-   */
-  private _loadPlugin(dir: string, packageJSON: PackageJSON): Plugin {
-    dir = path.resolve(dir)
-
-    const logger = this.logger.named(packageJSON.name)
-    logger.debug("loading plugin", field("plugin_dir", dir), field("package_json", packageJSON))
-
-    if (!packageJSON.name) {
-      throw new Error("plugin package.json missing name")
-    }
-    if (!packageJSON.version) {
-      throw new Error("plugin package.json missing version")
-    }
-    if (!packageJSON.engines || !packageJSON.engines["code-server"]) {
-      throw new Error(`plugin package.json missing code-server range like:
-  "engines": {
-    "code-server": "^3.7.0"
-   }
-`)
-    }
-    if (!semver.satisfies(version, packageJSON.engines["code-server"])) {
-      this.logger.warn(
-        `plugin range ${q(packageJSON.engines["code-server"])} incompatible` + ` with code-server version ${version}`,
-      )
-    }
-
-    const pluginModule = require(dir)
-    if (!pluginModule.plugin) {
-      throw new Error("plugin module does not export a plugin")
-    }
-
-    const p = {
-      name: packageJSON.name,
-      version: packageJSON.version,
-      modulePath: dir,
-      ...pluginModule.plugin,
-    } as Plugin
-
-    if (!p.displayName) {
-      throw new Error("plugin missing displayName")
-    }
-    if (!p.description) {
-      throw new Error("plugin missing description")
-    }
-    if (!p.routerPath) {
-      throw new Error("plugin missing router path")
-    }
-    if (!p.routerPath.startsWith("/")) {
-      throw new Error(`plugin router path ${q(p.routerPath)}: invalid`)
-    }
-    if (!p.homepageURL) {
-      throw new Error("plugin missing homepage")
-    }
-
-    p.init({
-      logger: logger,
-      workingDirectory: this.workingDirectory,
-    })
-
-    logger.debug("loaded")
-
-    return p
-  }
-
-  public async dispose(): Promise<void> {
-    await Promise.all(
-      Array.from(this.plugins.values()).map(async (p) => {
-        if (!p.deinit) {
-          return
-        }
-        try {
-          await p.deinit()
-        } catch (error: any) {
-          this.logger.error("plugin failed to deinit", field("name", p.name), field("error", error.message))
-        }
-      }),
-    )
-  }
-}
-
-interface PackageJSON {
-  name: string
-  version: string
-  engines: {
-    "code-server": string
-  }
-}
-
-function q(s: string | undefined): string {
-  if (s === undefined) {
-    s = "undefined"
-  }
-  return JSON.stringify(s)
-}

src/node/routes/apps.ts

@@ -1,17 +0,0 @@
-import * as express from "express"
-import { PluginAPI } from "../plugin"
-
-/**
- * Implements the /api/applications endpoint
- *
- * See typings/pluginapi.d.ts for details.
- */
-export function router(papi: PluginAPI): express.Router {
-  const router = express.Router()
-
-  router.get("/", async (req, res) => {
-    res.json(await papi.applications())
-  })
-
-  return router
-}

src/node/routes/errors.ts

@@ -2,8 +2,8 @@ import { logger } from "@coder/logger"
 import express from "express"
 import { promises as fs } from "fs"
 import path from "path"
-import { WebsocketRequest } from "../../../typings/pluginapi"
 import { HttpCode } from "../../common/http"
+import type { WebsocketRequest } from "../wsRouter"
 import { rootPath } from "../constants"
 import { replaceTemplates } from "../http"
 import { escapeHtml, getMediaMime } from "../util"

src/node/routes/index.ts

@@ -4,7 +4,6 @@ import * as express from "express"
 import { promises as fs } from "fs"
 import * as path from "path"
 import * as tls from "tls"
-import * as pluginapi from "../../../typings/pluginapi"
 import { Disposable } from "../../common/emitter"
 import { HttpCode, HttpError } from "../../common/http"
 import { plural } from "../../common/util"
@@ -12,12 +11,11 @@ import { App } from "../app"
 import { AuthType, DefaultedArgs } from "../cli"
 import { commit, rootPath } from "../constants"
 import { Heart } from "../heart"
-import { ensureAuthenticated, redirect } from "../http"
-import { PluginAPI } from "../plugin"
+import { redirect } from "../http"
 import { CoderSettings, SettingsProvider } from "../settings"
 import { UpdateProvider } from "../update"
+import type { WebsocketRequest } from "../wsRouter"
 import { getMediaMime, paths } from "../util"
-import * as apps from "./apps"
 import * as domainProxy from "./domainProxy"
 import { errorHandler, wsErrorHandler } from "./errors"
 import * as health from "./health"
@@ -113,7 +111,7 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
     await pathProxy.proxy(req, res)
   })
   app.wsRouter.get("/proxy/:port/:path(.*)?", async (req) => {
-    await pathProxy.wsProxy(req as pluginapi.WebsocketRequest)
+    await pathProxy.wsProxy(req as WebsocketRequest)
   })
   // These two routes pass through the path directly.
   // So the proxied app must be aware it is running
@@ -125,21 +123,12 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
     })
   })
   app.wsRouter.get("/absproxy/:port/:path(.*)?", async (req) => {
-    await pathProxy.wsProxy(req as pluginapi.WebsocketRequest, {
+    await pathProxy.wsProxy(req as WebsocketRequest, {
       passthroughPath: true,
       proxyBasePath: args["abs-proxy-base-path"],
     })
   })
 
-  let pluginApi: PluginAPI
-  if (!process.env.CS_DISABLE_PLUGINS) {
-    const workingDir = args._ && args._.length > 0 ? path.resolve(args._[args._.length - 1]) : undefined
-    pluginApi = new PluginAPI(logger, process.env.CS_PLUGIN, process.env.CS_PLUGIN_PATH, workingDir)
-    await pluginApi.loadPlugins()
-    pluginApi.mount(app.router, app.wsRouter)
-    app.router.use("/api/applications", ensureAuthenticated, apps.router(pluginApi))
-  }
-
   app.router.use(express.json())
   app.router.use(express.urlencoded({ extended: true }))
 
@@ -172,7 +161,9 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
 
   app.router.use("/update", update.router)
 
-  // Note that the root route is replaced in Coder Enterprise by the plugin API.
+  // For historic reasons we also load at /vscode because the root was replaced
+  // by a plugin in v1 of Coder.  The plugin system (which was for internal use
+  // only) has been removed, but leave the additional route for now.
   for (const routePrefix of ["/vscode", "/"]) {
     app.router.use(routePrefix, vscode.router)
     app.wsRouter.use(routePrefix, vscode.wsRouter.router)
@@ -187,7 +178,6 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
 
   return () => {
     heart.dispose()
-    pluginApi?.dispose()
     vscode.dispose()
   }
 }

src/node/routes/pathProxy.ts

@@ -1,9 +1,9 @@
 import { Request, Response } from "express"
 import * as path from "path"
-import * as pluginapi from "../../../typings/pluginapi"
 import { HttpCode, HttpError } from "../../common/http"
 import { ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy as _proxy } from "../proxy"
+import type { WebsocketRequest } from "../wsRouter"
 
 const getProxyTarget = (
   req: Request,
@@ -49,7 +49,7 @@ export async function proxy(
 }
 
 export async function wsProxy(
-  req: pluginapi.WebsocketRequest,
+  req: WebsocketRequest,
   opts?: {
     passthroughPath?: boolean
     proxyBasePath?: string

src/node/routes/vscode.ts

@@ -6,14 +6,13 @@ import * as http from "http"
 import * as net from "net"
 import * as path from "path"
 import * as os from "os"
-import { WebsocketRequest } from "../../../typings/pluginapi"
 import { logError } from "../../common/util"
 import { CodeArgs, toCodeArgs } from "../cli"
 import { isDevMode, vsRootPath } from "../constants"
 import { authenticated, ensureAuthenticated, ensureOrigin, redirect, replaceTemplates, self } from "../http"
 import { SocketProxyProvider } from "../socket"
 import { isFile } from "../util"
-import { Router as WsRouter } from "../wsRouter"
+import { type WebsocketRequest, Router as WsRouter } from "../wsRouter"
 
 export const router = express.Router()
 

src/node/wsRouter.ts

@@ -1,8 +1,17 @@
 import * as express from "express"
 import * as expressCore from "express-serve-static-core"
 import * as http from "http"
+import * as stream from "stream"
 import Websocket from "ws"
-import * as pluginapi from "../../typings/pluginapi"
+
+export interface WebsocketRequest extends express.Request {
+  ws: stream.Duplex
+  head: Buffer
+}
+
+interface InternalWebsocketRequest extends WebsocketRequest {
+  _ws_handled: boolean
+}
 
 export const handleUpgrade = (app: express.Express, server: http.Server): void => {
   server.on("upgrade", (req, socket, head) => {
@@ -22,9 +31,11 @@ export const handleUpgrade = (app: express.Express, server: http.Server): void =
   })
 }
 
-interface InternalWebsocketRequest extends pluginapi.WebsocketRequest {
-  _ws_handled: boolean
-}
+export type WebSocketHandler = (
+  req: WebsocketRequest,
+  res: express.Response,
+  next: express.NextFunction,
+) => void | Promise<void>
 
 export class WebsocketRouter {
   public readonly router = express.Router()
@@ -36,13 +47,13 @@ export class WebsocketRouter {
    * If the origin header exists it must match the host or the connection will
    * be prevented.
    */
-  public ws(route: expressCore.PathParams, ...handlers: pluginapi.WebSocketHandler[]): void {
+  public ws(route: expressCore.PathParams, ...handlers: WebSocketHandler[]): void {
     this.router.get(
       route,
       ...handlers.map((handler) => {
         const wrapped: express.Handler = (req, res, next) => {
           ;(req as InternalWebsocketRequest)._ws_handled = true
-          return handler(req as pluginapi.WebsocketRequest, res, next)
+          return handler(req as WebsocketRequest, res, next)
         }
         return wrapped
       }),