From ace15234f05e72f0c284351627346e06f6c1b8b6 Mon Sep 17 00:00:00 2001
From: Callum Styan <callumstyan@gmail.com>
Date: Wed, 26 Nov 2025 14:53:16 -0800
Subject: [PATCH] fix: pass context with authorization to agentapi (#20959)

The agentapi context needs to be a context with some amount of
authorization attached to it via the context so that the cache refresh
routine can fetch the workspace from the db via GetWorkspaceForAgentID.

---------

Signed-off-by: Callum Styan <callumstyan@gmail.com>
---
 coderd/agentapi/api.go           |  4 ++--
 coderd/agentapi/metadata_test.go | 18 +++++++++---------
 coderd/workspaceagentsrpc.go     |  2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/coderd/agentapi/api.go b/coderd/agentapi/api.go
index 8c8b1a00ae064..252e6b5c08449 100644
--- a/coderd/agentapi/api.go
+++ b/coderd/agentapi/api.go
@@ -69,7 +69,7 @@ type Options struct {
 	WorkspaceID    uuid.UUID
 	OrganizationID uuid.UUID
 
-	Ctx                               context.Context
+	AuthenticatedCtx                  context.Context
 	Log                               slog.Logger
 	Clock                             quartz.Clock
 	Database                          database.Store
@@ -220,7 +220,7 @@ func New(opts Options, workspace database.Workspace) *API {
 
 	// Start background cache refresh loop to handle workspace changes
 	// like prebuild claims where owner_id and other fields may be modified in the DB.
-	go api.startCacheRefreshLoop(opts.Ctx)
+	go api.startCacheRefreshLoop(opts.AuthenticatedCtx)
 
 	return api
 }
diff --git a/coderd/agentapi/metadata_test.go b/coderd/agentapi/metadata_test.go
index 23a6c4df4ad4a..1ba02d037fef5 100644
--- a/coderd/agentapi/metadata_test.go
+++ b/coderd/agentapi/metadata_test.go
@@ -671,15 +671,15 @@ func TestBatchUpdateMetadata(t *testing.T) {
 
 		// Create full API with cached workspace fields (initial state)
 		api := agentapi.New(agentapi.Options{
-			Ctx:            ctxWithActor,
-			AgentID:        agentID,
-			WorkspaceID:    workspaceID,
-			OwnerID:        ownerID,
-			OrganizationID: orgID,
-			Database:       dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
-			Log:            testutil.Logger(t),
-			Clock:          mClock,
-			Pubsub:         pub,
+			AuthenticatedCtx: ctxWithActor,
+			AgentID:          agentID,
+			WorkspaceID:      workspaceID,
+			OwnerID:          ownerID,
+			OrganizationID:   orgID,
+			Database:         dbauthz.New(dbM, auth, testutil.Logger(t), accessControlStore),
+			Log:              testutil.Logger(t),
+			Clock:            mClock,
+			Pubsub:           pub,
 		}, initialWorkspace) // Cache is initialized with 9am schedule and "my-workspace" name
 
 		// Wait for ticker to be set up and release it so it can fire
diff --git a/coderd/workspaceagentsrpc.go b/coderd/workspaceagentsrpc.go
index d5757786e474e..50a14768c1b7d 100644
--- a/coderd/workspaceagentsrpc.go
+++ b/coderd/workspaceagentsrpc.go
@@ -132,7 +132,7 @@ func (api *API) workspaceAgentRPC(rw http.ResponseWriter, r *http.Request) {
 		WorkspaceID:    workspace.ID,
 		OrganizationID: workspace.OrganizationID,
 
-		Ctx:                               api.ctx,
+		AuthenticatedCtx:                  ctx,
 		Log:                               logger,
 		Clock:                             api.Clock,
 		Database:                          api.Database,