File shutdown enabled with allow-shutdown configuation, adding File > Exit menu option

patches/series

@@ -20,3 +20,4 @@ getting-started.diff
 keepalive.diff
 clipboard.diff
 display-language.diff
+shutdown.diff

patches/shutdown.diff

@@ -0,0 +1,114 @@
+Add a File > Exit menu item and a command to shutdown the server.
+
+Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
++++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
+@@ -316,7 +316,8 @@ export class WebClientServer {
+ 			codeServerVersion: this._productService.codeServerVersion,
+ 			rootEndpoint: base,
+ 			updateEndpoint: !this._environmentService.args['disable-update-check'] ? base + '/update/check' : undefined,
+-			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" ? base + '/logout' : undefined,
++			logoutEndpoint: this._environmentService.args['auth'] && this._environmentService.args['auth'] !== "none" && this._environmentService.args['auth'] !== "http-basic"  ? base + '/logout' : undefined,
++			shutdownEndpoint: this._environmentService.args['allow-shutdown'] ? base + '/shutdown' : undefined,
+ 			proxyEndpointTemplate: process.env.VSCODE_PROXY_URI ?? base + '/proxy/{{port}}/',
+ 			serviceWorker: {
+ 				scope: vscodeBase + '/',
+Index: code-server/lib/vscode/src/vs/base/common/product.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/base/common/product.ts
++++ code-server/lib/vscode/src/vs/base/common/product.ts
+@@ -59,6 +59,7 @@ export interface IProductConfiguration {
+ 	readonly rootEndpoint?: string
+ 	readonly updateEndpoint?: string
+ 	readonly logoutEndpoint?: string
++	readonly shutdownEndpoint?: string
+ 	readonly proxyEndpointTemplate?: string
+ 	readonly serviceWorker?: {
+ 		readonly path: string;
+Index: code-server/lib/vscode/src/vs/workbench/browser/client.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/workbench/browser/client.ts
++++ code-server/lib/vscode/src/vs/workbench/browser/client.ts
+@@ -9,6 +9,7 @@ import { IStorageService, StorageScope,
+
+ export class CodeServerClient extends Disposable {
+ 	static LOGOUT_COMMAND_ID = 'code-server.logout';
++	static SHUTDOWN_COMMAND_ID = 'code-server.shutdown';
+
+ 	constructor (
+ 		@ILogService private logService: ILogService,
+@@ -90,6 +91,10 @@ export class CodeServerClient extends Di
+ 			this.addLogoutCommand(this.productService.logoutEndpoint);
+ 		}
+
++		if (this.productService.shutdownEndpoint) {
++			this.addShutdownCommand(this.productService.shutdownEndpoint);
++		}
++
+ 		if (this.productService.serviceWorker) {
+ 			await this.registerServiceWorker(this.productService.serviceWorker);
+ 		}
+@@ -164,6 +169,22 @@ export class CodeServerClient extends Di
+ 				},
+ 			});
+ 		}
++	}
++
++	private addShutdownCommand(shutdownEndpoint: string) {
++		CommandsRegistry.registerCommand(CodeServerClient.SHUTDOWN_COMMAND_ID, () => {
++			const shutdownUrl = new URL(shutdownEndpoint, window.location.href);
++			window.location.assign(shutdownUrl);
++		});
++
++		for (const menuId of [MenuId.CommandPalette, MenuId.MenubarHomeMenu]) {
++			MenuRegistry.appendMenuItem(menuId, {
++				command: {
++					id: CodeServerClient.SHUTDOWN_COMMAND_ID,
++					title: localize('exit', "Exit"),
++				},
++			});
++		}
+ 	}
+
+ 	private async registerServiceWorker(serviceWorker: { path: string; scope: string }) {
+Index: code-server/src/node/routes/index.ts
+===================================================================
+--- code-server.orig/src/node/routes/index.ts
++++ code-server/src/node/routes/index.ts
+@@ -170,6 +170,15 @@ export const register = async (app: App,
+     app.router.all("/logout", (req, res) => redirect(req, res, "/", {}))
+   }
+
++  if (args["allow-shutdown"] ) {
++    app.router.use("/shutdown", async (req, res) => {
++      res.send("Shutting down...")
++      process.exit(0)
++    })
++  } else {
++    app.router.use("/shutdown", (req, res) => redirect(req, res, "/", {}))
++  }
++
+   app.router.use("/update", update.router)
+
+   // Note that the root route is replaced in Coder Enterprise by the plugin API.
+Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
++++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
+@@ -16,6 +16,8 @@ export const serverOptions: OptionDescri
+ 	/* ----- code-server ----- */
+ 	'disable-update-check': { type: 'boolean' },
+ 	'auth': { type: 'string' },
++	'allow-shutdown': { type: 'boolean' },
+ 	'disable-file-downloads': { type: 'boolean' },
+ 	'disable-file-uploads': { type: 'boolean' },
+ 	'disable-getting-started-override': { type: 'boolean' },
+@@ -103,6 +105,8 @@ export interface ServerParsedArgs {
+ 	/* ----- code-server ----- */
+ 	'disable-update-check'?: boolean;
+ 	'auth'?: string;
++	'allow-shutdown'?: boolean;
+ 	'disable-file-downloads'?: boolean;
+ 	'disable-file-uploads'?: boolean;
+ 	'disable-getting-started-override'?: boolean,

src/node/cli.ts

@@ -12,6 +12,7 @@ export enum Feature {
 
 export enum AuthType {
   Password = "password",
+  HttpBasic = "http-basic",
   None = "none",
 }
 
@@ -34,6 +35,7 @@ export class OptionalString extends Optional<string> {}
  */
 export interface UserProvidedCodeArgs {
   "disable-telemetry"?: boolean
+  "allow-shutdown"?: boolean
   force?: boolean
   "user-data-dir"?: string
   "enable-proposed-api"?: string[]
@@ -65,6 +67,7 @@ export interface UserProvidedCodeArgs {
 export interface UserProvidedArgs extends UserProvidedCodeArgs {
   config?: string
   auth?: AuthType
+  "auth-user"?: string
   password?: string
   "hashed-password"?: string
   cert?: OptionalString
@@ -137,6 +140,10 @@ export type Options<T> = {
 
 export const options: Options<Required<UserProvidedArgs>> = {
   auth: { type: AuthType, description: "The type of authentication to use." },
+  "auth-user": {
+    type: "string",
+    description: "The username for http-basic authentication.",
+  },
   password: {
     type: "string",
     description: "The password for password authentication (can only be passed in via $PASSWORD or the config file).",
@@ -158,6 +165,10 @@ export const options: Options<Required<UserProvidedArgs>> = {
   },
   "cert-key": { type: "string", path: true, description: "Path to certificate key when using non-generated cert." },
   "disable-telemetry": { type: "boolean", description: "Disable telemetry." },
+  "allow-shutdown": {
+    type: "boolean",
+    description: "Allow the server to be shut down remotely.",
+  },
   "disable-update-check": {
     type: "boolean",
     description:
@@ -480,6 +491,7 @@ export interface DefaultedArgs extends ConfigArgs {
   "proxy-domain": string[]
   verbose: boolean
   usingEnvPassword: boolean
+  usingEnvAuthUser: boolean
   usingEnvHashedPassword: boolean
   "extensions-dir": string
   "user-data-dir": string
@@ -570,6 +582,14 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
     args.password = process.env.PASSWORD
   }
 
+  const usingEnvAuthUser = !!process.env.AUTH_USER
+  if (process.env.AUTH_USER) {
+    args["auth"] = AuthType.HttpBasic
+    args["auth-user"] = process.env.AUTH_USER
+  } else if (args["auth-user"]) {
+    args["auth"] = AuthType.HttpBasic
+  }
+
   if (process.env.CS_DISABLE_FILE_DOWNLOADS?.match(/^(1|true)$/)) {
     args["disable-file-downloads"] = true
   }
@@ -621,6 +641,7 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
   return {
     ...args,
     usingEnvPassword,
+    usingEnvAuthUser,
     usingEnvHashedPassword,
   } as DefaultedArgs // TODO: Technically no guarantee this is fulfilled.
 }

src/node/http.ts

@@ -4,6 +4,7 @@ import * as expressCore from "express-serve-static-core"
 import * as http from "http"
 import * as net from "net"
 import * as qs from "qs"
+import safeCompare from "safe-compare"
 import { Disposable } from "../common/emitter"
 import { CookieKeys, HttpCode, HttpError } from "../common/http"
 import { normalize } from "../common/util"
@@ -20,6 +21,7 @@ import {
   escapeHtml,
   escapeJSON,
   splitOnFirstEquals,
+  isHashMatch,
 } from "./util"
 
 /**
@@ -111,6 +113,35 @@ export const ensureAuthenticated = async (
   }
 }
 
+/**
+ * Validate basic auth credentials.
+ */
+const validateBasicAuth = async (
+  authHeader: string | undefined,
+  authUser: string | undefined,
+  authPassword: string | undefined,
+  hashedPassword: string | undefined,
+): Promise<boolean> => {
+  if (!authHeader?.startsWith("Basic ")) {
+    return false
+  }
+
+  try {
+    const base64Credentials = authHeader.split(" ")[1]
+    const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8")
+    const [username, password] = credentials.split(":")
+    if (username !== authUser) return false
+    if (hashedPassword) {
+      return await isHashMatch(password, hashedPassword)
+    } else {
+      return safeCompare(password, authPassword || "")
+    }
+  } catch (error) {
+    logger.error("Error validating basic auth:" + error)
+    return false
+  }
+}
+
 /**
  * Return true if authenticated via cookies.
  */
@@ -132,6 +163,14 @@ export const authenticated = async (req: express.Request): Promise<boolean> => {
 
       return await isCookieValid(isCookieValidArgs)
     }
+    case AuthType.HttpBasic: {
+      return await validateBasicAuth(
+        req.headers.authorization,
+        req.args["auth-user"],
+        req.args.password,
+        req.args["hashed-password"],
+      )
+    }
     default: {
       throw new Error(`Unsupported auth type ${req.args.auth}`)
     }

src/node/main.ts

@@ -133,7 +133,7 @@ export const runCodeServer = async (
 
   logger.info(`Using config file ${args.config}`)
   logger.info(`${protocol.toUpperCase()} server listening on ${serverAddress.toString()}`)
-  if (args.auth === AuthType.Password) {
+  if (args.auth === AuthType.Password || args.auth === AuthType.HttpBasic) {
     logger.info("  - Authentication is enabled")
     if (args.usingEnvPassword) {
       logger.info("    - Using password from $PASSWORD")
@@ -142,6 +142,13 @@ export const runCodeServer = async (
     } else {
       logger.info(`    - Using password from ${args.config}`)
     }
+    if (args.auth === AuthType.HttpBasic) {
+      if (args.usingEnvAuthUser) {
+        logger.info("    - Using user from $AUTH_USER")
+      } else {
+        logger.info(`    - With user ${args["auth-user"]}`)
+      }
+    }
   } else {
     logger.info("  - Authentication is disabled")
   }

src/node/routes/domainProxy.ts

@@ -1,5 +1,6 @@
 import { Request, Router } from "express"
 import { HttpCode, HttpError } from "../../common/http"
+import { AuthType } from "../cli"
 import { getHost, ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy } from "../proxy"
 import { Router as WsRouter } from "../wsRouter"
@@ -78,6 +79,10 @@ router.all(/.*/, async (req, res, next) => {
       if (/\/login\/?/.test(req.path)) {
         return next()
       }
+      // If auth is HttpBasic, return a 401.
+      if (req.args.auth === AuthType.HttpBasic) {
+        throw new HttpError("Unauthorized", HttpCode.Unauthorized)
+      }
       // Redirect all other pages to the login.
       const to = self(req)
       return redirect(req, res, "login", {

src/node/routes/index.ts

@@ -17,6 +17,7 @@ import { PluginAPI } from "../plugin"
 import { CoderSettings, SettingsProvider } from "../settings"
 import { UpdateProvider } from "../update"
 import { getMediaMime, paths } from "../util"
+import { wrapper } from "../wrapper"
 import * as apps from "./apps"
 import * as domainProxy from "./domainProxy"
 import { errorHandler, wsErrorHandler } from "./errors"
@@ -170,6 +171,16 @@ export const register = async (app: App, args: DefaultedArgs): Promise<Disposabl
     app.router.all("/logout", (req, res) => redirect(req, res, "/", {}))
   }
 
+  if (args["allow-shutdown"] ) {
+    app.router.use("/shutdown", async (req, res) => {
+      redirect(req, res, "/", {})
+      logger.warn("Shutting down due to /shutdown")
+      setTimeout(() => wrapper.exit(0), 10)
+    })
+  } else {
+    app.router.use("/shutdown", (req, res) => redirect(req, res, "/", {}))
+  }
+
   app.router.use("/update", update.router)
 
   // Note that the root route is replaced in Coder Enterprise by the plugin API.

src/node/routes/pathProxy.ts

@@ -4,6 +4,7 @@ import * as pluginapi from "../../../typings/pluginapi"
 import { HttpCode, HttpError } from "../../common/http"
 import { ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy as _proxy } from "../proxy"
+import { AuthType } from "../cli"
 
 const getProxyTarget = (
   req: Request,
@@ -28,7 +29,7 @@ export async function proxy(
 
   if (!(await authenticated(req))) {
     // If visiting the root (/:port only) redirect to the login page.
-    if (!req.params.path || req.params.path === "/") {
+    if ((!req.params.path || req.params.path === "/") && req.args.auth !== AuthType.HttpBasic) {
       const to = self(req)
       return redirect(req, res, "login", {
         to: to !== "/" ? to : undefined,

src/node/routes/vscode.ts

@@ -6,8 +6,9 @@ import * as http from "http"
 import * as net from "net"
 import * as path from "path"
 import { WebsocketRequest } from "../../../typings/pluginapi"
+import { HttpCode, HttpError } from "../../common/http"
 import { logError } from "../../common/util"
-import { CodeArgs, toCodeArgs } from "../cli"
+import { AuthType, CodeArgs, toCodeArgs } from "../cli"
 import { isDevMode, vsRootPath } from "../constants"
 import { authenticated, ensureAuthenticated, ensureOrigin, redirect, replaceTemplates, self } from "../http"
 import { SocketProxyProvider } from "../socket"
@@ -118,6 +119,11 @@ router.get("/", ensureVSCodeLoaded, async (req, res, next) => {
   const FOLDER_OR_WORKSPACE_WAS_CLOSED = req.query.ew
 
   if (!isAuthenticated) {
+    // If auth is HttpBasic, return a 401.
+    if (req.args.auth === AuthType.HttpBasic) {
+      res.setHeader("WWW-Authenticate", `Basic realm="${req.args["app-name"] || "code-server"}"`)
+      throw new HttpError("Unauthorized", HttpCode.Unauthorized)
+    }
     const to = self(req)
     return redirect(req, res, "login", {
       to: to !== "/" ? to : undefined,