feat(agentapi): use wildcard alllowed hosts (#320)

Since https://github.com/coder/agentapi/pull/49 was merged, agentapi by default only accepts requests with the `Host` header set to localhost, 127.0.0.1, or [::1]. In Coder, agentapi is served behind a reverse proxy as a workspace app, so we need to use a wildcard `AGENTAPI_ALLOWED_HOSTS` for agentapi-based modules to continue working. This PR updates the claude code and agentapi modules, and a subsequent PR will update modules that are based on the agentapi module.
2025-08-11 16:23:01 +02:00 · 2025-08-11 16:23:01 +02:00 · 507b73a07e
commit 507b73a07e
parent 814f765313
8 changed files with 45 additions and 4 deletions
--- a/registry/coder/modules/agentapi/README.md
+++ b/registry/coder/modules/agentapi/README.md
@ -16,7 +16,7 @@ The AgentAPI module is a building block for modules that need to run an AgentAPI
 ```tf
 module "agentapi" {
  source  = "registry.coder.com/coder/agentapi/coder"
-  version = "1.1.0"
+  version = "1.1.1"

  agent_id             = var.agent_id
  web_app_slug         = local.app_slug
--- a/registry/coder/modules/agentapi/main.test.ts
+++ b/registry/coder/modules/agentapi/main.test.ts
@ -236,4 +236,17 @@ describe("agentapi", async () => {
      }
    }
  });
+
+  test("agentapi-allowed-hosts", async () => {
+    // verify that the agentapi binary has access to the AGENTAPI_ALLOWED_HOSTS environment variable
+    // set in main.sh
+    const { id } = await setup();
+    await execModuleScript(id);
+    await expectAgentAPIStarted(id);
+    const agentApiStartLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    expect(agentApiStartLog).toContain("AGENTAPI_ALLOWED_HOSTS: *");
+  });
 });
--- a/registry/coder/modules/agentapi/scripts/main.sh
+++ b/registry/coder/modules/agentapi/scripts/main.sh
@ -95,5 +95,7 @@ export LC_ALL=en_US.UTF-8
 cd "${WORKDIR}"

 export AGENTAPI_CHAT_BASE_PATH="${AGENTAPI_CHAT_BASE_PATH:-}"
+# Disable host header check since AgentAPI is proxied by Coder (which does its own validation)
+export AGENTAPI_ALLOWED_HOSTS="*"
 nohup "$module_path/scripts/agentapi-start.sh" true "${AGENTAPI_PORT}" &>"$module_path/agentapi-start.log" &
 "$module_path/scripts/agentapi-wait-for-start.sh" "${AGENTAPI_PORT}"
--- a/registry/coder/modules/agentapi/testdata/agentapi-mock.js
+++ b/registry/coder/modules/agentapi/testdata/agentapi-mock.js
@ -1,11 +1,13 @@
 #!/usr/bin/env node

 const http = require("http");
+const fs = require("fs");
 const args = process.argv.slice(2);
 const portIdx = args.findIndex((arg) => arg === "--port") + 1;
 const port = portIdx ? args[portIdx] : 3284;

 console.log(`starting server on port ${port}`);
+fs.writeFileSync("/home/coder/agentapi-mock.log", `AGENTAPI_ALLOWED_HOSTS: ${process.env.AGENTAPI_ALLOWED_HOSTS}`);

 http
  .createServer(function (_request, response) {
--- a/registry/coder/modules/claude-code/README.md
+++ b/registry/coder/modules/claude-code/README.md
@ -13,7 +13,7 @@ Run the [Claude Code](https://docs.anthropic.com/en/docs/agents-and-tools/claude
 ```tf
 module "claude-code" {
  source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "2.0.6"
+  version             = "2.0.7"
  agent_id            = coder_agent.example.id
  folder              = "/home/coder"
  install_claude_code = true
@ -84,7 +84,7 @@ resource "coder_agent" "main" {
 module "claude-code" {
  count               = data.coder_workspace.me.start_count
  source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "2.0.6"
+  version             = "2.0.7"
  agent_id            = coder_agent.example.id
  folder              = "/home/coder"
  install_claude_code = true
@ -102,7 +102,7 @@ Run Claude Code as a standalone app in your workspace. This will install Claude
 ```tf
 module "claude-code" {
  source              = "registry.coder.com/coder/claude-code/coder"
-  version             = "2.0.6"
+  version             = "2.0.7"
  agent_id            = coder_agent.example.id
  folder              = "/home/coder"
  install_claude_code = true
--- a/registry/coder/modules/claude-code/main.test.ts
+++ b/registry/coder/modules/claude-code/main.test.ts
@ -10,6 +10,7 @@ import path from "path";
 import {
  execContainer,
  findResourceInstance,
+  readFileContainer,
  removeContainer,
  runContainer,
  runTerraformApply,
@ -319,4 +320,21 @@ describe("claude-code", async () => {
      agentApiUrl: "http://localhost:3284",
    });
  });
+
+  // verify that the agentapi binary has access to the AGENTAPI_ALLOWED_HOSTS environment variable
+  // set in main.tf
+  test("agentapi-allowed-hosts", async () => {
+    const { id } = await setup();
+
+    const respModuleScript = await execModuleScript(id);
+    expect(respModuleScript.exitCode).toBe(0);
+
+    await expectAgentAPIStarted(id);
+
+    const agentApiStartLog = await readFileContainer(
+      id,
+      "/home/coder/agentapi-mock.log",
+    );
+    expect(agentApiStartLog).toContain("AGENTAPI_ALLOWED_HOSTS: *");
+  });
 });
--- a/registry/coder/modules/claude-code/main.tf
+++ b/registry/coder/modules/claude-code/main.tf
@ -241,6 +241,10 @@ resource "coder_script" "claude_code" {
    export LC_ALL=en_US.UTF-8

    cd "${local.workdir}"
+
+    # Disable host header check since AgentAPI is proxied by Coder (which does its own validation)
+    export AGENTAPI_ALLOWED_HOSTS="*"
+
    nohup "$module_path/scripts/agentapi-start.sh" use_prompt &> "$module_path/agentapi-start.log" &
    "$module_path/scripts/agentapi-wait-for-start.sh"
    EOT
--- a/registry/coder/modules/claude-code/testdata/agentapi-mock.js
+++ b/registry/coder/modules/claude-code/testdata/agentapi-mock.js
@ -20,6 +20,8 @@ if (
  process.exit(1);
 }

+fs.writeFileSync("/home/coder/agentapi-mock.log", `AGENTAPI_ALLOWED_HOSTS: ${process.env.AGENTAPI_ALLOWED_HOSTS}`);
+
 console.log(`starting server on port ${port}`);

 http