Fix incorrect argon2 target in arm builds (#6453)

* Fix building from source on arm

Not building from source causes argon2 to pull the wrong arch, so we
have to build from source.

But building from source is causing the new Kerberos module to fail on
arm64 and keytar to fail on both.

The latter has been very difficult to debug because the GitHub image
provides a different result to containers based on Ubuntu 20.04.
Because of this, use a container instead.

Use debian:buster as the container because it is easier to set up the
architecture sources (no need to modify the sources) and because it
seems to come with glibc 2.28 rather than 2.31.

Also use the exact version of Node (18.15.0) for reproducibility.

* Set owner and group during tar to zero

Otherwise you get IDs that can cause (benign) errors while extracting,
which might be confusing.  At the very least, I did not see these errors
from previous tars (although they seem to use 1001).

There is no guarantee what IDs might exist so 0 seems the most
reasonable.

.github/workflows/publish.yaml

@@ -29,10 +29,10 @@ jobs:
       - name: Checkout code-server
         uses: actions/checkout@v3
 
-      - name: Install Node.js v16
+      - name: Install Node.js v18
         uses: actions/setup-node@v3
         with:
-          node-version: "16"
+          node-version: "18"
           cache: "yarn"
 
       - name: Download npm package from release artifacts

.github/workflows/release.yaml

@@ -38,7 +38,7 @@ jobs:
       - name: Install Node.js v18
         uses: actions/setup-node@v3
         with:
-          node-version: "18"
+          node-version: "18.15.0"
 
       - name: Install development tools
         run: |
@@ -100,27 +100,38 @@ jobs:
           discussion_category_name: "📣 Announcements"
           files: ./release-packages/*
 
-  # TODO: We should use the same CentOS image to cross-compile if possible?
   package-linux-cross:
     name: Linux cross-compile builds
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     timeout-minutes: 15
     needs: npm-version
+    container: "debian:buster"
     strategy:
       matrix:
         include:
           - prefix: aarch64-linux-gnu
-            arch: arm64
+            npm_arch: arm64
+            apt_arch: arm64
           - prefix: arm-linux-gnueabihf
-            arch: armv7l
+            npm_arch: armv7l
+            apt_arch: armhf
 
     env:
       AR: ${{ format('{0}-ar', matrix.prefix) }}
+      AS: ${{ format('{0}-as', matrix.prefix) }}
       CC: ${{ format('{0}-gcc', matrix.prefix) }}
+      CPP: ${{ format('{0}-cpp', matrix.prefix) }}
       CXX: ${{ format('{0}-g++', matrix.prefix) }}
-      LINK: ${{ format('{0}-g++', matrix.prefix) }}
-      npm_config_arch: ${{ matrix.arch }}
+      FC: ${{ format('{0}-gfortran', matrix.prefix) }}
+      LD: ${{ format('{0}-ld', matrix.prefix) }}
+      STRIP: ${{ format('{0}-strip', matrix.prefix) }}
+      PKG_CONFIG_PATH: ${{ format('/usr/lib/{0}/pkgconfig', matrix.prefix) }}
+      TARGET_ARCH: ${{ matrix.apt_arch }}
+      npm_config_arch: ${{ matrix.npm_arch }}
       NODE_VERSION: v18.15.0
+      # Not building from source results in an x86_64 argon2, as if
+      # npm_config_arch is being ignored.
+      npm_config_build_from_source: true
 
     steps:
       - name: Checkout repo
@@ -131,30 +142,25 @@ jobs:
         with:
           node-version: "18.15.0"
 
+      - name: Install cross-compiler and system dependencies
+        run: |
+          dpkg --add-architecture $TARGET_ARCH
+          apt-get update && apt-get install -y --no-install-recommends \
+            crossbuild-essential-$TARGET_ARCH \
+            libx11-dev:$TARGET_ARCH \
+            libx11-xcb-dev:$TARGET_ARCH \
+            libxkbfile-dev:$TARGET_ARCH \
+            libsecret-1-dev:$TARGET_ARCH \
+            libkrb5-dev:$TARGET_ARCH \
+            ca-certificates \
+            curl wget rsync gettext-base
+
       - name: Install nfpm
         run: |
           mkdir -p ~/.local/bin
           curl -sSfL https://github.com/goreleaser/nfpm/releases/download/v2.3.1/nfpm_2.3.1_`uname -s`_`uname -m`.tar.gz | tar -C ~/.local/bin -zxv nfpm
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
-      - name: Install cross-compiler and system dependencies (arm64)
-        if: ${{ matrix.arch != 'armv7l' }}
-        run: sudo apt update && sudo apt install -y $PACKAGE libkrb5-dev
-        env:
-          PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
-
-      - name: Install cross-compiler and system dependencies (armv7l)
-        if: ${{ matrix.arch == 'armv7l' }}
-        run: |
-          sudo sed -i "s/^deb/deb [arch=amd64,i386]/g" /etc/apt/sources.list
-          echo "deb [arch=arm64,armhf] http://ports.ubuntu.com/ $(lsb_release -s -c) main universe multiverse restricted" | sudo tee -a /etc/apt/sources.list
-          echo "deb [arch=arm64,armhf] http://ports.ubuntu.com/ $(lsb_release -s -c)-updates main universe multiverse restricted" | sudo tee -a /etc/apt/sources.list
-          sudo dpkg --add-architecture armhf
-          sudo apt update
-          sudo apt install -y $PACKAGE libkrb5-dev:armhf
-        env:
-          PACKAGE: ${{ format('g++-{0}', matrix.prefix) }}
-
       - name: Download npm package
         uses: actions/download-artifact@v3
         with:
@@ -182,7 +188,7 @@ jobs:
       - name: Build packages with nfpm
         env:
           VERSION: ${{ env.VERSION }}
-        run: yarn package ${npm_config_arch}
+        run: npm run package ${npm_config_arch}
 
       - uses: softprops/action-gh-release@v1
         with:
@@ -202,7 +208,7 @@ jobs:
       - name: Install Node.js v18
         uses: actions/setup-node@v3
         with:
-          node-version: "18"
+          node-version: "18.15.0"
 
       - name: Install nfpm
         run: |

CHANGELOG.md

@@ -22,6 +22,30 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.17.0](https://github.com/coder/code-server/releases/tag/v4.17.0) - 2023-09-22
+
+Code v1.82.2
+
+### Added
+
+- Japanese locale.
+- `CODE_SERVER_HOST` environment variable.
+
+### Changed
+
+- Update to Code 1.82.2. This includes an update to Node 18, which also means
+  that the minimum glibc is now 2.28. If you need to maintain a lower glibc then
+  you can take a version of Node 18 that is compiled with a lower glibc and use
+  that to build code-server (or at a minimum rebuild the native modules).
+- Display paths to config files in full rather than abbreviated. If you have
+  trouble with the password not working please update and make sure the
+  displayed config paths are what you expect.
+
+### Fixed
+
+- Fix some dependency issues for the standalone arm64 and armv7l releases. If
+  you had issues with missing or failing modules please try these new builds.
+
 ## [4.16.1](https://github.com/coder/code-server/releases/tag/v4.16.1) - 2023-07-31
 
 Code v1.80.2

ci/build/build-packages.sh

@@ -27,7 +27,7 @@ main() {
 release_archive() {
   local release_name="code-server-$VERSION-$OS-$ARCH"
   if [[ $OS == "linux" ]]; then
-    tar -czf "release-packages/$release_name.tar.gz" --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone
+    tar -czf "release-packages/$release_name.tar.gz" --owner=0 --group=0 --transform "s/^\.\/release-standalone/$release_name/" ./release-standalone
   else
     tar -czf "release-packages/$release_name.tar.gz" -s "/^release-standalone/$release_name/" release-standalone
   fi

ci/build/build-standalone-release.sh

@@ -9,11 +9,11 @@ main() {
   rsync "$RELEASE_PATH/" "$RELEASE_PATH-standalone"
   RELEASE_PATH+=-standalone
 
-  # We cannot find the path to node from $PATH because yarn shims a script to ensure
-  # we use the same version it's using so we instead run a script with yarn that
-  # will print the path to node.
+  # We cannot get the path to Node from $PATH (for example via `which node`)
+  # because Yarn shims a script called `node` and we would end up just copying
+  # that script.  Instead we run Node and have it print its actual path.
   local node_path
-  node_path="$(yarn -s node <<< 'console.info(process.execPath)')"
+  node_path="$(node <<< 'console.info(process.execPath)')"
 
   mkdir -p "$RELEASE_PATH/bin"
   mkdir -p "$RELEASE_PATH/lib"

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.12.1
+version: 3.13.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.16.1
+appVersion: 4.17.0

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.16.1'
+  tag: '4.17.0'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

docs/install.md

@@ -279,6 +279,7 @@ brew services start code-server
 # outside the container.
 mkdir -p ~/.config
 docker run -it --name code-server -p 127.0.0.1:8080:8080 \
+  -v "$HOME/.local:/home/coder/.local" \
   -v "$HOME/.config:/home/coder/.config" \
   -v "$PWD:/home/coder/project" \
   -u "$(id -u):$(id -g)" \

patches/base-path.diff

@@ -265,15 +265,35 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  	}
  
  	private startListening(): void {
-@@ -569,7 +570,7 @@ function readCookie(name: string): strin
+@@ -550,17 +551,6 @@ class WorkspaceProvider implements IWork
+ 	}
+ }
+ 
+-function readCookie(name: string): string | undefined {
+-	const cookies = document.cookie.split('; ');
+-	for (const cookie of cookies) {
+-		if (cookie.startsWith(name + '=')) {
+-			return cookie.substring(name.length + 1);
+-		}
+-	}
+-
+-	return undefined;
+-}
+-
+ (function () {
+ 
+ 	// Find config by checking for DOM
+@@ -569,8 +559,8 @@ function readCookie(name: string): strin
  	if (!configElement || !configElementAttribute) {
  		throw new Error('Missing web configuration element');
  	}
 -	const config: IWorkbenchConstructionOptions & { folderUri?: UriComponents; workspaceUri?: UriComponents; callbackRoute: string } = JSON.parse(configElementAttribute);
+-	const secretStorageKeyPath = readCookie('vscode-secret-key-path');
 +	const config: IWorkbenchConstructionOptions & { folderUri?: UriComponents; workspaceUri?: UriComponents; callbackRoute: string } = { ...JSON.parse(configElementAttribute), remoteAuthority: location.host }
- 	const secretStorageKeyPath = readCookie('vscode-secret-key-path');
++	const secretStorageKeyPath = (window.location.pathname + "/mint-key").replace(/\/\/+/g, "/");
  	const secretStorageCrypto = secretStorageKeyPath && ServerKeyedAESCrypto.supported()
  		? new ServerKeyedAESCrypto(secretStorageKeyPath) : new TransparentCrypto();
+ 
 Index: code-server/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/platform/extensionResourceLoader/common/extensionResourceLoader.ts

patches/dependencies.diff

@@ -1,62 +0,0 @@
-Modify VS Code dependencies
-
-1. Kerberos: this is not building in our cross-compile step.  It does not look
-   like something code-server uses right now anyway.
-
-Index: code-server/lib/vscode/remote/package.json
-===================================================================
---- code-server.orig/lib/vscode/remote/package.json
-+++ code-server/lib/vscode/remote/package.json
-@@ -18,7 +18,6 @@
-     "http-proxy-agent": "^2.1.0",
-     "https-proxy-agent": "^2.2.3",
-     "jschardet": "3.0.0",
--    "kerberos": "^2.0.1",
-     "keytar": "7.9.0",
-     "minimist": "^1.2.6",
-     "native-watchdog": "^1.4.1",
-Index: code-server/lib/vscode/remote/yarn.lock
-===================================================================
---- code-server.orig/lib/vscode/remote/yarn.lock
-+++ code-server/lib/vscode/remote/yarn.lock
-@@ -454,15 +454,6 @@ jschardet@3.0.0:
-   resolved "https://registry.yarnpkg.com/jschardet/-/jschardet-3.0.0.tgz#898d2332e45ebabbdb6bf2feece9feea9a99e882"
-   integrity sha512-lJH6tJ77V8Nzd5QWRkFYCLc13a3vADkh3r/Fi8HupZGWk2OVVDfnZP8V/VgQgZ+lzW0kG2UGb5hFgt3V3ndotQ==
- 
--kerberos@^2.0.1:
--  version "2.0.1"
--  resolved "https://registry.yarnpkg.com/kerberos/-/kerberos-2.0.1.tgz#663b0b46883b4da84495f60f2e9e399a43a33ef5"
--  integrity sha512-O/jIgbdGK566eUhFwIcgalbqirYU/r76MW7/UFw06Fd9x5bSwgyZWL/Vm26aAmezQww/G9KYkmmJBkEkPk5HLw==
--  dependencies:
--    bindings "^1.5.0"
--    node-addon-api "^4.3.0"
--    prebuild-install "7.1.1"
--
- keytar@7.9.0:
-   version "7.9.0"
-   resolved "https://registry.yarnpkg.com/keytar/-/keytar-7.9.0.tgz#4c6225708f51b50cbf77c5aae81721964c2918cb"
-@@ -604,24 +595,6 @@ picomatch@^2.3.1:
-   resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-2.3.1.tgz#3ba3833733646d9d3e4995946c1365a67fb07a42"
-   integrity sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==
- 
--prebuild-install@7.1.1:
--  version "7.1.1"
--  resolved "https://registry.yarnpkg.com/prebuild-install/-/prebuild-install-7.1.1.tgz#de97d5b34a70a0c81334fd24641f2a1702352e45"
--  integrity sha512-jAXscXWMcCK8GgCoHOfIr0ODh5ai8mj63L2nWrjuAgXE6tDyYGnx4/8o/rCgU+B4JSyZBKbeZqzhtwtC3ovxjw==
--  dependencies:
--    detect-libc "^2.0.0"
--    expand-template "^2.0.3"
--    github-from-package "0.0.0"
--    minimist "^1.2.3"
--    mkdirp-classic "^0.5.3"
--    napi-build-utils "^1.0.1"
--    node-abi "^3.3.0"
--    pump "^3.0.0"
--    rc "^1.2.7"
--    simple-get "^4.0.0"
--    tar-fs "^2.0.0"
--    tunnel-agent "^0.6.0"
--
- prebuild-install@^7.0.1:
-   version "7.0.1"
-   resolved "https://registry.yarnpkg.com/prebuild-install/-/prebuild-install-7.0.1.tgz#c10075727c318efe72412f333e0ef625beaf3870"

patches/github-auth.diff

@@ -1,106 +0,0 @@
-Add the ability to provide a GitHub token
-
-To test install the GitHub PR extension and start code-server with GITHUB_TOKEN
-or set github-auth in the config file.  The extension should be authenticated.
-
-Index: code-server/lib/vscode/src/vs/platform/credentials/node/credentialsMainService.ts
-===================================================================
---- code-server.orig/lib/vscode/src/vs/platform/credentials/node/credentialsMainService.ts
-+++ code-server/lib/vscode/src/vs/platform/credentials/node/credentialsMainService.ts
-@@ -5,9 +5,18 @@
- 
- import { InMemoryCredentialsProvider } from 'vs/platform/credentials/common/credentials';
- import { ILogService } from 'vs/platform/log/common/log';
--import { INativeEnvironmentService } from 'vs/platform/environment/common/environment';
-+import { IServerEnvironmentService } from 'vs/server/node/serverEnvironmentService';
- import { IProductService } from 'vs/platform/product/common/productService';
- import { BaseCredentialsMainService, KeytarModule } from 'vs/platform/credentials/common/credentialsMainService';
-+import { generateUuid } from 'vs/base/common/uuid';
-+import { equals as arrayEquals } from 'vs/base/common/arrays';
-+
-+interface IToken {
-+	accessToken: string
-+	account?: { label: string }
-+	id: string
-+	scopes: string[]
-+}
- 
- export class CredentialsWebMainService extends BaseCredentialsMainService {
- 	// Since we fallback to the in-memory credentials provider, we do not need to surface any Keytar load errors
-@@ -16,10 +25,15 @@ export class CredentialsWebMainService e
- 
- 	constructor(
- 		@ILogService logService: ILogService,
--		@INativeEnvironmentService private readonly environmentMainService: INativeEnvironmentService,
-+		@IServerEnvironmentService private readonly environmentMainService: IServerEnvironmentService,
- 		@IProductService private readonly productService: IProductService,
- 	) {
- 		super(logService);
-+		if (this.environmentMainService.args["github-auth"]) {
-+			this.storeGitHubToken(this.environmentMainService.args["github-auth"]).catch((error) => {
-+				this.logService.error('Failed to store provided GitHub token', error)
-+			})
-+		}
- 	}
- 
- 	// If the credentials service is running on the server, we add a suffix -server to differentiate from the location that the
-@@ -48,4 +62,59 @@ export class CredentialsWebMainService e
- 		}
- 		return this._keytarCache;
- 	}
-+
-+	private async storeGitHubToken(githubToken: string): Promise<void> {
-+		const extensionId = 'vscode.github-authentication';
-+		const service = `${await this.getSecretStoragePrefix()}${extensionId}`;
-+		const account = 'github.auth';
-+		const scopes = [['read:user', 'user:email', 'repo']]
-+
-+		// Oddly the scopes need to match exactly so we cannot just have one token
-+		// with all the scopes, instead we have to duplicate the token for each
-+		// expected set of scopes.
-+		const tokens: IToken[] = scopes.map((scopes) => ({
-+			id: generateUuid(),
-+			scopes: scopes.sort(), // Sort for comparing later.
-+			accessToken: githubToken,
-+		}));
-+
-+		const raw = await this.getPassword(service, account)
-+
-+		let existing: {
-+			content: IToken[]
-+		} | undefined;
-+
-+		if (raw) {
-+			try {
-+				const json = JSON.parse(raw);
-+				json.content = JSON.parse(json.content);
-+				existing = json;
-+			} catch (error) {
-+				this.logService.error('Failed to parse existing GitHub credentials', error)
-+			}
-+		}
-+
-+		// Keep tokens for account and scope combinations we do not have in case
-+		// there is an extension that uses scopes we have not accounted for (in
-+		// these cases the user will need to manually authenticate the extension
-+		// through the UI) or the user has tokens for other accounts.
-+		if (existing?.content) {
-+			existing.content = existing.content.filter((existingToken) => {
-+				const scopes = existingToken.scopes.sort();
-+				return !(tokens.find((token) => {
-+					return arrayEquals(scopes, token.scopes)
-+						&& token.account?.label === existingToken.account?.label;
-+				}))
-+			})
-+		}
-+
-+		return this.setPassword(service, account, JSON.stringify({
-+			extensionId,
-+			...(existing || {}),
-+			content: JSON.stringify([
-+				...tokens,
-+				...(existing?.content || []),
-+			])
-+		}));
-+	}
- }

patches/proxy-uri.diff

@@ -104,7 +104,7 @@ Index: code-server/lib/vscode/src/vs/code/browser/workbench/workbench.ts
  import type { IURLCallbackProvider } from 'vs/workbench/services/url/browser/urlService';
  import { create } from 'vs/workbench/workbench.web.main';
  
-@@ -582,6 +583,39 @@ function readCookie(name: string): strin
+@@ -571,6 +572,39 @@ class WorkspaceProvider implements IWork
  		settingsSyncOptions: config.settingsSyncOptions ? { enabled: config.settingsSyncOptions.enabled, } : undefined,
  		workspaceProvider: WorkspaceProvider.create(config),
  		urlCallbackProvider: new LocalStorageURLCallbackProvider(config.callbackRoute),

patches/series

@@ -9,7 +9,6 @@ update-check.diff
 logout.diff
 store-socket.diff
 proxy-uri.diff
-github-auth.diff
 unique-db.diff
 local-storage.diff
 service-worker.diff

src/node/i18n/index.ts

@@ -2,7 +2,9 @@ import i18next, { init } from "i18next"
 import * as en from "./locales/en.json"
 import * as ja from "./locales/ja.json"
 import * as th from "./locales/th.json"
+import * as ur from "./locales/ur.json"
 import * as zhCn from "./locales/zh-cn.json"
+
 init({
   lng: "en",
   fallbackLng: "en", // language to use if translations in user language are not available.
@@ -22,6 +24,9 @@ init({
     ja: {
       translation: ja,
     },
+    ur: {
+      translation: ur,
+    },
   },
 })
 

src/node/i18n/locales/ur.json

@@ -0,0 +1,13 @@
+{
+  "LOGIN_TITLE": "{{app}} لاگ ان کریں",
+  "LOGIN_BELOW": "براہ کرم نیچے لاگ ان کریں۔",
+  "WELCOME": "میں خوش آمدید {{app}}",
+  "LOGIN_PASSWORD": "پاس ورڈ کے لیے {{configFile}} پر کنفگ فائل چیک کریں۔",
+  "LOGIN_USING_ENV_PASSWORD": "پاس ورڈ $PASSWORD سے سیٹ کیا گیا تھا۔",
+  "LOGIN_USING_HASHED_PASSWORD": "پاس ورڈ $HASHED_PASSWORD سے سیٹ کیا گیا تھا۔",
+  "SUBMIT": "جمع کرائیں",
+  "PASSWORD_PLACEHOLDER": "پاس ورڈ",
+  "LOGIN_RATE_LIMIT": "لاگ ان کی شرح محدود!",
+  "MISS_PASSWORD": "پاس ورڈ غائب ہے۔",
+  "INCORRECT_PASSWORD": "غلط پاس ورڈ"
+}

src/node/routes/vscode.ts

@@ -1,5 +1,7 @@
 import { logger } from "@coder/logger"
+import * as crypto from "crypto"
 import * as express from "express"
+import { promises as fs } from "fs"
 import * as http from "http"
 import * as net from "net"
 import * as path from "path"
@@ -32,6 +34,7 @@ export class CodeServerRouteWrapper {
   private _wsRouterWrapper = WsRouter()
   private _socketProxyProvider = new SocketProxyProvider()
   public router = express.Router()
+  private mintKeyPromise: Promise<Buffer> | undefined
 
   public get wsRouter() {
     return this._wsRouterWrapper.router
@@ -66,6 +69,33 @@ export class CodeServerRouteWrapper {
     )
   }
 
+  private mintKey: express.Handler = async (req, res, next) => {
+    if (!this.mintKeyPromise) {
+      this.mintKeyPromise = new Promise(async (resolve) => {
+        const keyPath = path.join(req.args["user-data-dir"], "serve-web-key-half")
+        logger.debug(`Reading server web key half from ${keyPath}`)
+        try {
+          resolve(await fs.readFile(keyPath))
+          return
+        } catch (error: any) {
+          if (error.code !== "ENOENT") {
+            logError(logger, `read ${keyPath}`, error)
+          }
+        }
+        // VS Code wants 256 bits.
+        const key = crypto.randomBytes(32)
+        try {
+          await fs.writeFile(keyPath, key)
+        } catch (error: any) {
+          logError(logger, `write ${keyPath}`, error)
+        }
+        resolve(key)
+      })
+    }
+    const key = await this.mintKeyPromise
+    res.end(key)
+  }
+
   private $root: express.Handler = async (req, res, next) => {
     const isAuthenticated = await authenticated(req)
     const NO_FOLDER_OR_WORKSPACE_QUERY = !req.query.folder && !req.query.workspace
@@ -173,6 +203,7 @@ export class CodeServerRouteWrapper {
   constructor() {
     this.router.get("/", this.ensureCodeServerLoaded, this.$root)
     this.router.get("/manifest.json", this.manifest)
+    this.router.post("/mint-key", this.mintKey)
     this.router.all("*", ensureAuthenticated, this.ensureCodeServerLoaded, this.$proxyRequest)
     this._wsRouterWrapper.ws("*", ensureOrigin, ensureAuthenticated, this.ensureCodeServerLoaded, this.$proxyWebsocket)
   }