coder · ThomasK33 · Jun 27, 2025 · Emyrk · Jul 1, 2025
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -214,6 +214,31 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 			return nil, nil, false
 		}
 
+		// Add WWW-Authenticate header for 401/403 responses (RFC 6750)
+		if code == http.StatusUnauthorized || code == http.StatusForbidden {
+			var wwwAuth string
+
+			switch code {
+			case http.StatusUnauthorized:
+				// Map 401 to invalid_token with specific error descriptions
+				switch {
+				case strings.Contains(response.Message, "expired") || strings.Contains(response.Detail, "expired"):
+					wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token has expired"`
+				case strings.Contains(response.Message, "audience") || strings.Contains(response.Message, "mismatch"):
+					wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token audience does not match this resource"`
+				default:
+					wwwAuth = `Bearer realm="coder", error="invalid_token", error_description="The access token is invalid"`
+				}
+			case http.StatusForbidden:
+				// Map 403 to insufficient_scope per RFC 6750
+				wwwAuth = `Bearer realm="coder", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token"`
+			default:
+				wwwAuth = `Bearer realm="coder"`
+			}
+
+			rw.Header().Set("WWW-Authenticate", wwwAuth)
+		}
+
 		httpapi.Write(ctx, rw, code, response)
 		return nil, nil, false
 	}
@@ -700,9 +725,14 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
 // 1: The cookie
 // 2. The coder_session_token query parameter
 // 3. The custom auth header
+// 4. RFC 6750 Authorization: Bearer header
+// 5. RFC 6750 access_token query parameter
 //
 // API tokens for apps are read from workspaceapps/cookies.go.
 func APITokenFromRequest(r *http.Request) string {
+	// Prioritize existing Coder custom authentication methods first
+	// to maintain backward compatibility and existing behavior
+
 	cookie, err := r.Cookie(codersdk.SessionTokenCookie)
 	if err == nil && cookie.Value != "" {
 		return cookie.Value
@@ -718,7 +748,18 @@ func APITokenFromRequest(r *http.Request) string {
 		return headerValue
 	}
 
-	// TODO(ThomasK33): Implement RFC 6750
+	// RFC 6750 Bearer Token support (added as fallback methods)
+	// Check Authorization: Bearer <token> header (case-insensitive per RFC 6750)
+	authHeader := r.Header.Get("Authorization")
+	if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
+		return authHeader[7:] // Skip "Bearer " (7 characters)
+	}
+
+	// Check access_token query parameter
+	accessToken := r.URL.Query().Get("access_token")
+	if accessToken != "" {
+		return accessToken
+	}
 
 	return ""
 }

diff --git a/coderd/httpmw/csrf.go b/coderd/httpmw/csrf.go
@@ -102,6 +102,12 @@ func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Hand
 				return true
 			}
 
+			// RFC 6750 Bearer Token authentication is exempt from CSRF
+			// as it uses custom headers that cannot be set by malicious sites
+			if authHeader := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
+				return true
+			}
+
 			// If the X-CSRF-TOKEN header is set, we can exempt the func if it's valid.
 			// This is the CSRF check.
 			sent := r.Header.Get("X-CSRF-TOKEN")