feat: direct TCP URI with SSL toggle and optional password auth#635
Merged
f128be0 to 63c1c09
Replaces the heuristic-driven direct-connection model with a user-controlled one. The Add Host dialog now exposes structured Host, Port, "Use SSL", and masked Password fields that compose the canonical `tcp://host:port?ssl=true&password=xxx` URI used as the storage form. The daemon gains optional shared-secret auth: `Authorization: Bearer <pw>` on HTTP and `Sec-WebSocket-Protocol: paseo.bearer.<pw>` on the WS upgrade (browser WebSocket can't set custom headers). Configured via config.json `auth.password` or `PASEO_PASSWORD` env. Off by default — old clients keep working unchanged. The `port === 443` heuristic for ws/wss is gone; the explicit `useTls` flag drives scheme selection at every call site.
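The URI handling the description outlines, as an added example that is not paseo's own code: the `tcp://host:port?ssl=true&password=xxx` storage form is parsed into structured fields, composed back from the dialog fields, and the ws/wss scheme is derived from the explicit `useTls` flag rather than from `port === 443`. It also covers the legacy case of a stored entry that predates the `ssl`/`password` params, and a redacted display form. The names `DirectHost`, `parseDirectUri`, `composeDirectUri`, `wsEndpoint` and `redactDirectUri` are assumptions, not paseo identifiers.

```typescript
// Added example (not paseo's own code). Models the storage URI described in
// the PR: tcp://host:port?ssl=true&password=xxx <-> { host, port, useTls,
// password }, with ws/wss chosen only from useTls.
// DirectHost, parseDirectUri, composeDirectUri, wsEndpoint, redactDirectUri
// are assumed names, not paseo identifiers.

export interface DirectHost {
  host: string;
  port: number;
  useTls: boolean;
  password?: string;
}

// Parse the canonical URI. Entries stored before the ssl/password params
// existed carry neither and load as useTls: false, password: undefined.
export function parseDirectUri(uri: string): DirectHost {
  const u = new URL(uri); // the WHATWG parser handles non-special schemes such as tcp:
  if (u.protocol !== "tcp:") throw new Error(`expected tcp:// URI, got ${u.protocol}`);
  if (!u.hostname) throw new Error("missing host");
  const port = u.port === "" ? NaN : Number(u.port);
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error("missing or invalid port");
  const password = u.searchParams.get("password");
  return {
    host: u.hostname,
    port,
    useTls: u.searchParams.get("ssl") === "true", // only the literal "true" enables TLS
    password: password ? password : undefined,   // absent or empty -> undefined
  };
}

// Compose the storage form from the dialog fields. Query values are
// form-encoded, so a password containing '&' or '#' round-trips intact.
export function composeDirectUri(h: DirectHost): string {
  const qs = new URLSearchParams();
  if (h.useTls) qs.set("ssl", "true");
  if (h.password) qs.set("password", h.password);
  const q = qs.toString();
  return `tcp://${h.host}:${h.port}${q ? "?" + q : ""}`;
}

// Scheme selection: useTls alone decides. tcp://host:443 without ssl=true
// is plain ws://, and tcp://host:8443?ssl=true is wss://.
export function wsEndpoint(h: DirectHost): string {
  return `${h.useTls ? "wss" : "ws"}://${h.host}:${h.port}`;
}

// Display/log form: keeps host, port and ssl, never the password.
export function redactDirectUri(uri: string): string {
  const h = parseDirectUri(uri);
  return composeDirectUri(h.password ? { ...h, password: "***" } : h);
}
```

The parser accepts only the literal `ssl=true`, so `ssl=1` or `ssl=yes` falls back to plain `ws://`; if the dialog ever emits another spelling the storage form and the parser must change together. Because the password lives in the query string, anything that logs or displays a stored URI should go through the redacted form rather than the raw string.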
63c1c09 to e3e5f73
brackbk added a commit to hubtool/hubcode that referenced this pull request on May 1, 2026:
…d auth

Adds two new daemon access modes alongside the existing relay path:

1. Direct TCP with optional TLS — connect via `tcp://host:port?ssl=true`, useful for self-hosted daemons behind reverse proxies (Caddy, nginx, Cloudflare Tunnel) without going through the hosted relay.
2. Bearer-token password auth — daemon stores a bcrypt-hashed password in `daemon-config.json`. Clients send it via `Authorization: Bearer <pwd>` (native) or the `hubcode.bearer.<pwd>` WebSocket subprotocol (web). Failed auth closes with WS code 4401.

New CLI command: `hubcode daemon set-password` writes the hashed value to the persisted config.

UI: add-host-modal gets host/port fields, an SSL toggle, password field, and an Advanced URI mode. Existing direct/relay flows unchanged.

All paseo identifiers renamed: `paseo.bearer.*` → `hubcode.bearer.*`, `PASEO_PASSWORD` → `HUBCODE_PASSWORD`, `relay.paseo.sh:443` → `relay.hubcode.ai:443`, etc.

Skipped from upstream PR: nix package hash bump, e2e Playwright fixture (uses paseo.test hostname; needs separate port), tangential session.ts refactor unrelated to auth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `tcp://host:port?ssl=true&password=xxx` URI used as storage. Single-line Advanced URI input is preserved.
- `Authorization: Bearer`; WebSocket connections use the `paseo.bearer.<token>` subprotocol and close with readable auth failures (Password required / Incorrect password). Configured via `auth.password` in `~/.paseo/config.json`, `paseo daemon set-password`, or `PASEO_PASSWORD`. Off by default — old clients keep working unchanged.
- `port === 443` heuristic. ws/wss is now driven by the explicit `useTls` flag at every call site (app probe, host runtime, downloads, CLI, relay).

Related issues
Test plan
- `tcp://host:port?ssl=true` — should produce `wss://`.
- `auth.password` on the daemon. Connect without a password → expect `Password required`, not a generic transport timeout.
- `Incorrect password`.
- `useTls`, no `password`) → still loads with `useTls: false`, `password: undefined`, connects.
- `paseo --host 'tcp://host:6767?ssl=true&password=xxx' ls -a` — works against a password-protected daemon.
- `Sec-WebSocket-Protocol` values (redaction list extended).