
feat(server): support optional HTTPS via TLS cert/key env vars #165

Merged
appleboy merged 2 commits into main from worktree-tls
Apr 18, 2026

Conversation

@appleboy
Member

Summary

  • Add optional HTTPS serving: set TLS_CERT_FILE and TLS_KEY_FILE and AuthGate listens on SERVER_ADDR with TLS; otherwise plain HTTP as before.
  • Reject partial TLS config (only one of cert/key set) in Config.Validate() — mirrors the existing JWT-key validation pattern — to prevent silent HTTP fallback.
  • Updated .env.example and added a TLS / HTTPS subsection in docs/CONFIGURATION.md with rationale (full chain, BASE_URL scheme update, no hot reload) and a self-signed quick-test snippet.

Implementation notes

  • addServerRunningJob now branches on cfg.TLSEnabled() and calls srv.ListenAndServeTLS / srv.ListenAndServe. Graceful shutdown is unchanged — srv.Shutdown() handles both identically.
  • TLS cipher suites / versions use Go's crypto/tls defaults (TLS 1.2+, modern ciphers). No manual tuning.
  • No hot-reload: rotate certs via reverse proxy (nginx/Caddy/Cloudflare) or restart AuthGate.

Test plan

  • TestTLSEnabled — covers all four cert/key combinations
  • TestValidate_TLSPartialConfig — covers four cases incl. error paths
  • make fmt, make lint (0 issues), go test ./internal/config/... ./internal/bootstrap/...
  • Manual: generate a self-signed cert, start with TLS_CERT_FILE / TLS_KEY_FILE, confirm curl -k https://localhost:8080/health returns 200
  • Manual: unset both env vars, confirm plain HTTP still works (log says "Starting HTTP server on :8080")
  • Manual: set only one var, confirm startup aborts with the new Validate() error

🤖 Generated with Claude Code

- Add TLS_CERT_FILE and TLS_KEY_FILE config options
- Serve HTTPS via ListenAndServeTLS when both are set
- Reject partial TLS config in Validate to avoid silent HTTP fallback
- Document the new env vars in .env.example and CONFIGURATION.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
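The three pieces the PR description above lists (a TLSEnabled() helper, a Validate() that refuses a lone cert or key rather than falling back to HTTP, and a run loop that picks ListenAndServeTLS or ListenAndServe from that one answer) fit in a short Go program. This is an added example written for this page, not AuthGate's own code: the Config struct, LoadFromEnv, ListenFunc, the error value, the ":8080" default and the /health handler are all assumptions chosen to mirror the behaviour described, not the project's real identifiers.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net/http"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"
)

// Config holds only the fields this example needs. The TLS_* names match the
// env vars the PR adds; the struct itself is a stand-in, not AuthGate's.
type Config struct {
	ServerAddr  string
	TLSCertFile string
	TLSKeyFile  string
}

// LoadFromEnv reads SERVER_ADDR, TLS_CERT_FILE and TLS_KEY_FILE through an
// injectable getenv so tests can drive it without touching the process env.
// The ":8080" default is an assumption for this example.
func LoadFromEnv(getenv func(string) string) Config {
	addr := getenv("SERVER_ADDR")
	if addr == "" {
		addr = ":8080"
	}
	return Config{
		ServerAddr:  addr,
		TLSCertFile: getenv("TLS_CERT_FILE"),
		TLSKeyFile:  getenv("TLS_KEY_FILE"),
	}
}

// TLSEnabled is true only when BOTH files are configured.
func (c Config) TLSEnabled() bool {
	return c.TLSCertFile != "" && c.TLSKeyFile != ""
}

// ErrPartialTLS is returned when exactly one of cert/key is set. Failing at
// startup is what stops a half-configured deployment from quietly serving HTTP.
var ErrPartialTLS = errors.New("TLS_CERT_FILE and TLS_KEY_FILE must be set together")

// Validate rejects the two partial combinations and accepts none-or-both.
func (c Config) Validate() error {
	if (c.TLSCertFile == "") != (c.TLSKeyFile == "") {
		return ErrPartialTLS
	}
	return nil
}

// ListenFunc evaluates TLSEnabled once and returns the scheme plus the
// matching serve function, so logging and serving cannot disagree.
func ListenFunc(cfg Config, srv *http.Server) (scheme string, listen func() error) {
	if cfg.TLSEnabled() {
		return "https", func() error { return srv.ListenAndServeTLS(cfg.TLSCertFile, cfg.TLSKeyFile) }
	}
	return "http", srv.ListenAndServe
}

func main() {
	cfg := LoadFromEnv(os.Getenv)
	if err := cfg.Validate(); err != nil {
		log.Fatalf("config: %v", err)
	}

	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	// TLSConfig is deliberately left nil: crypto/tls server defaults apply
	// (TLS 1.2 minimum, Go's curated cipher suite order), as the PR notes.
	srv := &http.Server{Addr: cfg.ServerAddr, Handler: mux, ReadHeaderTimeout: 5 * time.Second}

	scheme, listen := ListenFunc(cfg, srv)
	go func() {
		log.Printf("Starting %s server on %s", strings.ToUpper(scheme), cfg.ServerAddr)
		if err := listen(); err != nil && !errors.Is(err, http.ErrServerClosed) {
			log.Fatalf("server: %v", err)
		}
	}()

	// Graceful shutdown is identical for HTTP and HTTPS: Shutdown does not care
	// which ListenAndServe variant started the listener.
	stop := make(chan os.Signal, 1)
	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
	<-stop
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	if err := srv.Shutdown(ctx); err != nil {
		log.Printf("shutdown: %v", err)
	}
}
```

Because the scheme and the serve function come from one call, the startup log line always matches what is actually bound, which is the property the manual test plan checks by reading "Starting HTTP server on :8080". The cert and key paths are read once at startup, so rotating them still requires a restart or a fronting proxy, exactly as the implementation notes state.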
Copilot AI review requested due to automatic review settings April 18, 2026 09:52
@codecov

codecov Bot commented Apr 18, 2026

Codecov Report

❌ Patch coverage is 38.09524% with 13 lines in your changes missing coverage. Please review.

Files with missing lines           Patch %   Lines
internal/bootstrap/server.go        0.00%    12 Missing ⚠️
internal/bootstrap/bootstrap.go     0.00%     1 Missing ⚠️


Contributor

Copilot AI left a comment

Pull request overview

Adds first-class support for serving AuthGate over HTTPS directly (optional), controlled by TLS cert/key environment variables, while keeping the default HTTP behavior unchanged.

Changes:

  • Introduces TLS_CERT_FILE / TLS_KEY_FILE config fields, Config.TLSEnabled(), and validation to reject partial TLS configuration.
  • Updates server startup to call ListenAndServeTLS when TLS is enabled and improves startup logging.
  • Adds config tests and documents the new TLS configuration in .env.example and docs/CONFIGURATION.md.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

File                             Description
internal/config/config.go        Adds TLS cert/key fields, TLSEnabled(), env loading, and validation for partial TLS config.
internal/bootstrap/server.go     Switches server run loop between HTTP and HTTPS based on config.
internal/bootstrap/bootstrap.go  Updates call site to pass config into addServerRunningJob.
internal/config/config_test.go   Adds tests for TLSEnabled() and validation behavior for partial TLS config.
docs/CONFIGURATION.md            Documents TLS/HTTPS configuration and local self-signed testing steps.
.env.example                     Provides example TLS env vars and notes for enabling HTTPS.


Comment thread docs/CONFIGURATION.md Outdated
Comment thread docs/CONFIGURATION.md Outdated
Comment thread internal/config/config.go
Comment thread internal/bootstrap/server.go
- Update TLS/HTTPS docs to state that partial cert/key config is rejected by Validate, not silently downgraded to HTTP
- Store cfg.TLSEnabled() in a local bool in addServerRunningJob to avoid calling twice

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.



@appleboy appleboy merged commit a4e763c into main Apr 18, 2026
20 of 21 checks passed