fix: parse part in path proxy (#7337)

Seems 20.04 has been removed.

.github/workflows/publish.yaml

@@ -33,7 +33,7 @@ jobs:
           node-version-file: .node-version
 
       - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.11
+        uses: robinraju/release-downloader@v1.12
         with:
           repository: "coder/code-server"
           tag: ${{ github.event.inputs.version || github.ref_name }}
@@ -145,7 +145,7 @@ jobs:
           gh pr create --repo coder/code-server-aur --title "chore: bump version to ${{ env.VERSION }}" --body "PR opened by @$GITHUB_ACTOR" --assignee $GITHUB_ACTOR
 
   docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code-server
         uses: actions/checkout@v4
@@ -176,7 +176,7 @@ jobs:
           echo "VERSION=${TAG#v}" >> $GITHUB_ENV
 
       - name: Download deb artifacts
-        uses: robinraju/release-downloader@v1.11
+        uses: robinraju/release-downloader@v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}
@@ -184,7 +184,7 @@ jobs:
           out-file-path: "release-packages"
 
       - name: Download rpm artifacts
-        uses: robinraju/release-downloader@v1.11
+        uses: robinraju/release-downloader@v1.12
         with:
           repository: "coder/code-server"
           tag: v${{ env.VERSION }}

.github/workflows/security.yaml

@@ -51,7 +51,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
           scan-type: "fs"
           scan-ref: "."

.github/workflows/trivy-docker.yaml

@@ -51,7 +51,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
         with:
           image-ref: "docker.io/codercom/code-server:latest"
           ignore-unfixed: true

CHANGELOG.md

@@ -22,6 +22,51 @@ Code v99.99.999
 
 ## Unreleased
 
+## [4.99.3](https://github.com/coder/code-server/releases/tag/v4.99.3) - 2025-04-17
+
+Code v1.99.3
+
+### Added
+
+- Added `--skip-auth-preflight` flag to let preflight requests through the
+  proxy.
+
+### Changed
+
+- Update to Code 1.99.3.
+
+## [4.99.2](https://github.com/coder/code-server/releases/tag/v4.99.2) - 2025-04-10
+
+Code v1.99.2
+
+### Changed
+
+- Update to Code 1.99.2.
+
+## [4.99.1](https://github.com/coder/code-server/releases/tag/v4.99.1) - 2025-04-08
+
+Code v1.99.1
+
+### Changed
+
+- Update to Code 1.99.1.
+
+## [4.99.0](https://github.com/coder/code-server/releases/tag/v4.99.0) - 2025-04-07
+
+Code v1.99.0
+
+### Changed
+
+- Update to Code 1.99.0.
+
+## [4.98.0](https://github.com/coder/code-server/releases/tag/v4.98.0) - 2025-03-07
+
+Code v1.98.0
+
+### Changed
+
+- Update to Code 1.98.0.
+
 ## [4.97.2](https://github.com/coder/code-server/releases/tag/v4.96.4) - 2025-02-18
 
 Code v1.97.2

ci/helm-chart/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.25.3
+version: 3.26.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.96.4
+appVersion: 4.99.3

ci/helm-chart/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: codercom/code-server
-  tag: '4.96.4'
+  tag: '4.99.3'
   pullPolicy: Always
 
 # Specifies one or more secrets to be used when pulling images from a

docs/guide.md

@@ -21,6 +21,7 @@
   - [Proxying to an Angular app](#proxying-to-an-angular-app)
   - [Proxying to a Svelte app](#proxying-to-a-svelte-app)
   - [Prefixing `/absproxy/<port>` with a path](#prefixing-absproxyport-with-a-path)
+  - [Preflight requests](#preflight-requests)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 <!-- prettier-ignore-end -->
@@ -119,22 +120,22 @@ access code-server on an iPad or do not want to use SSH port forwarding.
 
 1. This option requires that the remote machine be exposed to the internet. Make sure that your instance allows HTTP/HTTPS traffic.
 
-1. You'll need a domain name (if you don't have one, you can purchase one from
+2. You'll need a domain name (if you don't have one, you can purchase one from
    [Google Domains](https://domains.google.com) or the domain service of your
-   choice)). Once you have a domain name, add an A record to your domain that contains your
+   choice). Once you have a domain name, add an A record to your domain that contains your
    instance's IP address.
 
-1. Install [Caddy](https://caddyserver.com/docs/download#debian-ubuntu-raspbian):
+3. Install [Caddy](https://caddyserver.com/docs/download#debian-ubuntu-raspbian):
 
-```console
-sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
-sudo apt update
-sudo apt install caddy
-```
+   ```console
+   sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
+   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+   sudo apt update
+   sudo apt install caddy
+   ```
 
-1. Replace `/etc/caddy/Caddyfile` using `sudo` so that the file looks like this:
+4. Replace `/etc/caddy/Caddyfile` using `sudo` so that the file looks like this:
 
    ```text
    mydomain.com {
@@ -153,7 +154,7 @@ sudo apt install caddy
 
    Remember to replace `mydomain.com` with your domain name!
 
-1. Reload Caddy:
+5. Reload Caddy:
 
    ```console
    sudo systemctl reload caddy
@@ -164,21 +165,22 @@ At this point, you should be able to access code-server via
 
 ### Using Let's Encrypt with NGINX
 
-1. This option requires that the remote machine be exposed to the internet. Make sure that your instance allows HTTP/HTTPS traffic.
+1. This option requires that the remote machine be exposed to the internet. Make
+   sure that your instance allows HTTP/HTTPS traffic.
 
-1. You'll need a domain name (if you don't have one, you can purchase one from
+2. You'll need a domain name (if you don't have one, you can purchase one from
    [Google Domains](https://domains.google.com) or the domain service of your
-   choice)). Once you have a domain name, add an A record to your domain that contains your
+   choice). Once you have a domain name, add an A record to your domain that contains your
    instance's IP address.
 
-1. Install NGINX:
+3. Install NGINX:
 
    ```bash
    sudo apt update
    sudo apt install -y nginx certbot python3-certbot-nginx
    ```
 
-1. Update `/etc/nginx/sites-available/code-server` using sudo with the following
+4. Update `/etc/nginx/sites-available/code-server` using sudo with the following
    configuration:
 
    ```text
@@ -199,13 +201,11 @@ At this point, you should be able to access code-server via
 
    Be sure to replace `mydomain.com` with your domain name!
 
-1. Enable the config:
-
+5. Enable the config:
    ```console
    sudo ln -s ../sites-available/code-server /etc/nginx/sites-enabled/code-server
    sudo certbot --non-interactive --redirect --agree-tos --nginx -d mydomain.com -m me@example.com
    ```
-
    Be sure to replace `me@example.com` with your actual email.
 
 At this point, you should be able to access code-server via
@@ -292,7 +292,9 @@ redirect all HTTP requests to HTTPS.
 > You can use [Let's Encrypt](https://letsencrypt.org/) to get a TLS certificate
 > for free.
 
-Note: if you set `proxy_set_header Host $host;` in your reverse proxy config, it will change the address displayed in the green section of code-server in the bottom left to show the correct address.
+Note: if you set `proxy_set_header Host $host;` in your reverse proxy config, it
+will change the address displayed in the green section of code-server in the
+bottom left to show the correct address.
 
 ## Accessing web services
 
@@ -378,14 +380,16 @@ PUBLIC_URL=/absproxy/3000 \
   BROWSER=none yarn start
 ```
 
-You should then be able to visit `https://my-code-server-address.io/absproxy/3000` to see your app exposed through
-code-server!
+You should then be able to visit
+`https://my-code-server-address.io/absproxy/3000` to see your app exposed
+through code-server.
 
 > We highly recommend using the subdomain approach instead to avoid this class of issue.
 
 ### Proxying to a Vue app
 
-Similar to the situation with React apps, you have to make a few modifications to proxy a Vue app.
+Similar to the situation with React apps, you have to make a few modifications
+to proxy a Vue app.
 
 1. add `vue.config.js`
 2. update the values to match this (you can use any free port):
@@ -406,7 +410,8 @@ Read more about `publicPath` in the [Vue.js docs](https://cli.vuejs.org/config/#
 
 ### Proxying to an Angular app
 
-In order to use code-server's built-in proxy with Angular, you need to make the following changes in your app:
+In order to use code-server's built-in proxy with Angular, you need to make the
+following changes in your app:
 
 1. use `<base href="./.">` in `src/index.html`
 2. add `--serve-path /absproxy/4200` to `ng serve` in your `package.json`
@@ -415,7 +420,8 @@ For additional context, see [this GitHub Discussion](https://github.com/coder/co
 
 ### Proxying to a Svelte app
 
-In order to use code-server's built-in proxy with Svelte, you need to make the following changes in your app:
+In order to use code-server's built-in proxy with Svelte, you need to make the
+following changes in your app:
 
 1. Add `svelte.config.js` if you don't already have one
 2. Update the values to match this (you can use any free port):
@@ -436,9 +442,19 @@ For additional context, see [this Github Issue](https://github.com/sveltejs/kit/
 
 ### Prefixing `/absproxy/<port>` with a path
 
-This is a case where you need to serve an application via `absproxy` as explained above while serving `codeserver` itself from a path other than the root in your domain.
+This is a case where you need to serve an application via `absproxy` as
+explained above while serving code-server itself from a path other than the root
+in your domain.
 
-For example: `http://my-code-server.com/user/123/workspace/my-app`. To achieve this result:
+For example: `http://my-code-server.com/user/123/workspace/my-app`. To achieve
+this result:
 
-1. Start code server with the switch `--abs-proxy-base-path=/user/123/workspace`
+1. Start code-server with the switch `--abs-proxy-base-path=/user/123/workspace`
 2. Follow one of the instructions above for your framework.
+
+### Preflight requests
+
+By default, if you have auth enabled, code-server will authenticate all proxied
+requests including preflight requests. This can cause issues because preflight
+requests do not typically include credentials. To allow all preflight requests
+through the proxy without authentication, use `--skip-auth-preflight`.

src/node/cli.ts

@@ -84,6 +84,7 @@ export interface UserProvidedArgs extends UserProvidedCodeArgs {
   "trusted-origins"?: string[]
   version?: boolean
   "proxy-domain"?: string[]
+  "skip-auth-preflight"?: boolean
   "reuse-window"?: boolean
   "new-window"?: boolean
   "ignore-last-opened"?: boolean
@@ -252,6 +253,10 @@ export const options: Options<Required<UserProvidedArgs>> = {
     description: "GitHub authentication token (can only be passed in via $GITHUB_TOKEN or the config file).",
   },
   "proxy-domain": { type: "string[]", description: "Domain used for proxying ports." },
+  "skip-auth-preflight": {
+    type: "boolean",
+    description: "Allows preflight requests through proxy without authentication.",
+  },
   "ignore-last-opened": {
     type: "boolean",
     short: "e",

src/node/main.ts

@@ -163,6 +163,9 @@ export const runCodeServer = async (
     logger.info(`  - ${plural(args["proxy-domain"].length, "Proxying the following domain")}:`)
     args["proxy-domain"].forEach((domain) => logger.info(`    - ${domain}`))
   }
+  if (args["skip-auth-preflight"]) {
+    logger.info("  - Skipping authentication for preflight requests")
+  }
   if (process.env.VSCODE_PROXY_URI) {
     logger.info(`Using proxy URI in PORTS tab: ${process.env.VSCODE_PROXY_URI}`)
   }

src/node/routes/domainProxy.ts

@@ -61,6 +61,11 @@ router.all(/.*/, async (req, res, next) => {
 
   ensureProxyEnabled(req)
 
+  if (req.method === "OPTIONS" && req.args["skip-auth-preflight"]) {
+    // Allow preflight requests with `skip-auth-preflight` flag
+    return next()
+  }
+
   // Must be authenticated to use the proxy.
   const isAuthenticated = await authenticated(req)
   if (!isAuthenticated) {

src/node/routes/pathProxy.ts

@@ -13,7 +13,13 @@ const getProxyTarget = (
 ): string => {
   // If there is a base path, strip it out.
   const base = (req as any).base || ""
-  return `http://0.0.0.0:${req.params.port}${opts?.proxyBasePath || ""}/${req.originalUrl.slice(base.length)}`
+  let port: number
+  try {
+    port = parseInt(req.params.port, 10)
+  } catch (err) {
+    throw new HttpError("Invalid port", HttpCode.BadRequest)
+  }
+  return `http://0.0.0.0:${port}${opts?.proxyBasePath || ""}/${req.originalUrl.slice(base.length)}`
 }
 
 export async function proxy(
@@ -26,7 +32,9 @@ export async function proxy(
 ): Promise<void> {
   ensureProxyEnabled(req)
 
-  if (!(await authenticated(req))) {
+  if (req.method === "OPTIONS" && req.args["skip-auth-preflight"]) {
+    // Allow preflight requests with `skip-auth-preflight` flag
+  } else if (!(await authenticated(req))) {
     // If visiting the root (/:port only) redirect to the login page.
     if (!req.params.path || req.params.path === "/") {
       const to = self(req)

test/unit/node/cli.test.ts

@@ -108,6 +108,8 @@ describe("parser", () => {
 
           ["--abs-proxy-base-path", "/codeserver/app1"],
 
+          "--skip-auth-preflight",
+
           ["--session-socket", "/tmp/override-code-server-ipc-socket"],
 
           ["--host", "0.0.0.0"],
@@ -146,6 +148,7 @@ describe("parser", () => {
       "bind-addr": "192.169.0.1:8080",
       "session-socket": "/tmp/override-code-server-ipc-socket",
       "abs-proxy-base-path": "/codeserver/app1",
+      "skip-auth-preflight": true,
     })
   })
 

test/unit/node/proxy.test.ts

@@ -268,6 +268,21 @@ describe("proxy", () => {
     const text = await resp.text()
     expect(text).toBe("app being served behind a prefixed path")
   })
+
+  it("should not allow OPTIONS without authentication by default", async () => {
+    process.env.PASSWORD = "test"
+    codeServer = await integration.setup(["--auth=password"])
+    const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
+    expect(resp.status).toBe(401)
+  })
+
+  it("should allow OPTIONS with `skip-auth-preflight` flag", async () => {
+    process.env.PASSWORD = "test"
+    codeServer = await integration.setup(["--auth=password", "--skip-auth-preflight"])
+    e.post("/wsup", (req, res) => {})
+    const resp = await codeServer.fetch(proxyPath, { method: "OPTIONS" })
+    expect(resp.status).toBe(200)
+  })
 })
 
 // NOTE@jsjoeio