[CLC-2032] Fix Classic PAYG sunset bypass via websocket API #21108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

roboquat merged 1 commit into main from fix/classic-payg-sunset-websocket-bypass

Oct 17, 2025

Merged

[CLC-2032] Fix Classic PAYG sunset bypass via websocket API #21108

roboquat merged 1 commit into main from fix/classic-payg-sunset-websocket-bypass

Oct 17, 2025

Conversation

@corneliusludmann

Copy link

Contributor

@corneliusludmann corneliusludmann commented Oct 17, 2025 •

edited

Loading

Problem

The Classic PAYG sunset implementation in #21100 only added blocking checks to the new gRPC API (WorkspaceServiceAPI - gitpod.v1.WorkspaceService) but missed the legacy websocket API (GitpodServerImpl). This created multiple bypass routes that allowed blocked users to continue creating and starting workspaces.

Architecture Overview

There are THREE separate workspace APIs in Gitpod:

Websocket API (OLD) - GitpodServerImpl in components/server
- Protocol: JSON-RPC over WebSocket
- Metrics: gitpod_server_api_calls_total{method="startWorkspace"}
- Sunset Check: ❌ NO (on main)
New gRPC API - WorkspaceServiceAPI in components/server
- Service: gitpod.v1.WorkspaceService
- Protocol: gRPC/Connect
- Metrics: grpc_server_handled_total{grpc_service="gitpod.v1.WorkspaceService"}
- Sunset Check: ✅ YES (already deployed in [CLC-2032] Block login and workspace operations for Classic PAYG sunset #21100 )
Experimental API - public-api-server (separate Go service)
- Service: gitpod.experimental.v1.WorkspacesService
- Protocol: gRPC/Connect → proxies to Websocket API (API 1)
- Metrics: connect_server_handled_seconds{package="gitpod.experimental.v1.WorkspacesService"}
- Sunset Check: ❌ NO (proxies to API 1 which has no check)

Bypass Routes Identified

Users can bypass the sunset blocking through:

Gitpod CLI (gitpod workspace create/start)
- Uses gitpod.experimental.v1.WorkspacesService (API 3)
- Routes through: CLI → public-api-server → websocket → GitpodServerImpl
- Primary user of experimental/v1 API
Gitpod Local App (Desktop application)
- Same as CLI, uses experimental/v1 API
- Routes through: Local App → public-api-server → websocket → GitpodServerImpl
JetBrains Gateway
- Connects directly to websocket API (API 1)
- Routes through: Gateway → websocket → GitpodServerImpl
External integrations with Personal Access Tokens
- Can use experimental/v1 API
- Routes through: External client → public-api-server → websocket → GitpodServerImpl
Dashboard fallback
- When dashboard_public_api_workspace_enabled feature flag is disabled
- Routes through: Dashboard → websocket → GitpodServerImpl

All these routes ultimately call GitpodServerImpl.startWorkspace() or GitpodServerImpl.createWorkspace() which had no sunset checks.

Solution

Added the sunset check to both methods in GitpodServerImpl:

startWorkspace() - Checks before starting existing workspace
createWorkspace() - Checks before creating and starting new workspace

Uses the same isWorkspaceStartBlockedBySunset() function already implemented for the gRPC API, ensuring consistent behavior across all entry points.

Why This Works

The fix is applied at the websocket API layer (GitpodServerImpl), which is the common backend for:

Direct websocket connections (JetBrains, Dashboard fallback)
Proxied connections from public-api-server (CLI, Local App, external clients)

This ensures ALL workspace creation/start requests are blocked, regardless of which API surface they use.

Testing

✅ Code compiles successfully
✅ Follows exact same pattern as workspace-service-api.ts
✅ Handles both organizationId sources (workspace object and request options)

Recommended Testing

Enable sunset feature flag in ConfigCat
Test CLI: gitpod workspace create <url> should be blocked
Test Local App: Creating workspace should be blocked
Test JetBrains Gateway: Creating workspace should be blocked
Verify exempted orgs still work
Verify dedicated installations are not affected

Expected Metrics After Deployment

For blocked users, you should see:

# Websocket API (backend)
gitpod_server_api_calls_total{method="startWorkspace", statusCode="403"}
gitpod_server_api_calls_total{method="createWorkspace", statusCode="403"}
# Experimental API (CLI/Local App)
connect_server_handled_seconds{package="gitpod.experimental.v1.WorkspacesService", code="permission_denied"}

Security Impact

This closes a critical security hole that allowed users to bypass the Classic PAYG sunset restrictions. Without this fix, the sunset blocking is ineffective for:

All CLI users (gitpod workspace create/start)
All Local App users
JetBrains Gateway users
External integrations using Personal Access Tokens
Dashboard users when the new gRPC API is disabled

The fix ensures sunset blocking works consistently across all API surfaces.

@corneliusludmann @ona-agent


 [ CLC-2032 ] Fix Classic PAYG sunset bypass via websocket API

2db8f39

The original sunset implementation only added checks to the new gRPC API
(WorkspaceServiceAPI) but missed the legacy websocket API (GitpodServerImpl).
This allowed users to bypass the sunset blocking through:
- Gitpod CLI/Local App (uses experimental/v1 API)
- JetBrains Gateway (uses websocket API directly)
- Public API with Personal Access Tokens
- Dashboard when feature flag is disabled
This fix adds the sunset check to both startWorkspace() and createWorkspace()
methods in GitpodServerImpl, using the same isWorkspaceStartBlockedBySunset()
function that's already used in WorkspaceServiceAPI.
The check:
- Blocks installation-owned users (no organizationId)
- Blocks users in non-exempted organizations
- Exempts dedicated installations
- Exempts organizations in the exemptedOrganizations list
Co-authored-by: Ona <no-reply@ona.com>