chore: dev with http2

[hyoban]

Important

1. Make sure you have read our contribution guidelines
2. Ensure there is an associated issue and you have been assigned to it
3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

Screenshots

Before	After
...	...

Checklist

• This change requires a documentation update, included: Dify Document
• I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
• I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
• I've updated the documentation accordingly.
• I ran make lint and make type-check (backend) and cd web && npx lint-staged (frontend) to appease the lint gods

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the local development experience by introducing full HTTPS support for the frontend proxy. This change ensures that developers can work in an environment that more closely resembles production, addressing potential issues related to secure cookie handling and modern browser security policies early in the development cycle. It streamlines the process of testing features that require secure contexts, such as certain APIs or cookie attributes, without complex manual configurations.

Highlights

• HTTPS Support for Local Development Proxy: Enabled the local development proxy to run over HTTPS, allowing for a more realistic development environment that mirrors production setups and supports modern web features like HTTP/2.
• Enhanced Secure Cookie Handling: Updated the cookie rewriting logic within the development proxy to correctly handle secure and partitioned cookies when operating under HTTPS, ensuring proper session management and security attributes are maintained.
• Vite Integration for SSL: Integrated the @vitejs/plugin-basic-ssl plugin to automatically generate and manage SSL certificates for the Vite development server, simplifying the setup for HTTPS-enabled local development.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• web/.env.example
  • Updated comments to clarify how to enable HTTPS for the Hono proxy targets.
• web/package.json
  • Added @vitejs/plugin-basic-ssl as a development dependency.
• web/plugins/dev-proxy/cookies.ts
  • Modified toLocalCookieName and rewriteSetCookieValueForLocal functions to accept an options object, allowing conditional handling of secure and partitioned cookie attributes based on whether the local proxy is secure.
  • Introduced LocalCookieRewriteOptions type to define options for cookie rewriting.
• web/plugins/dev-proxy/protocol.ts
  • Added a new file to provide utility functions for determining if HTTPS should be used for the dev proxy based on environment variables.
• web/plugins/dev-proxy/server.spec.ts
  • Added new test cases to verify the shouldUseHttpsForDevProxy function's behavior.
  • Included a test to ensure secure cookie attributes are preserved when the local proxy is HTTPS.
  • Updated isAllowedDevOrigin test to include HTTPS origins.
• web/plugins/dev-proxy/server.ts
  • Imported shouldUseHttpsForDevProxy from the new protocol module.
  • Extended DevProxyEnv type to include NEXT_PUBLIC_API_PREFIX and NEXT_PUBLIC_PUBLIC_API_PREFIX environment variables.
  • Modified createUpstreamResponseHeaders to pass the localSecure flag to cookie rewriting functions.
• web/pnpm-lock.yaml
  • Updated the pnpm lockfile to include the new @vitejs/plugin-basic-ssl dependency and its resolved versions.
• web/scripts/dev-hono-proxy.ts
  • Imported createSecureServer from node:http2 and getCertificate from @vitejs/plugin-basic-ssl.
  • Implemented conditional logic to start an HTTPS server using createSecureServer if shouldUseHttpsForDevProxy returns true, otherwise starts an HTTP server.
  • Updated the console log message to reflect whether the server is running on HTTP or HTTPS.
• web/vite.config.ts
  • Imported basicSsl, loadEnv, and shouldUseHttpsForDevProxy.
  • Conditionally added the basicSsl() plugin to the Vite configuration if HTTPS is determined to be in use for the development server.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for running the local development environment with HTTPS/HTTP2. The changes are comprehensive, touching the Vite configuration, the development proxy server, cookie handling logic, and environment variable examples. A new dependency @vitejs/plugin-basic-ssl is added to generate self-signed certificates. The logic to conditionally enable HTTPS based on environment variables is well-implemented, and the cookie rewriting logic is correctly updated to handle secure attributes when the proxy is running over HTTPS. I've added a couple of minor suggestions to improve code style and maintainability.

[gemini-code-assist]

For better readability and to follow a common convention in TypeScript, it's best to define types before they are used. The LocalCookieRewriteOptions type should be defined before the toLocalCookieName function that uses it.

Suggested change

	const toLocalCookieName = (cookieName: string, options: LocalCookieRewriteOptions) => {
	if (options.localSecure)
	return cookieName
	return cookieName.replace(SECURE_COOKIE_PREFIX_PATTERN, '')
	}
	type LocalCookieRewriteOptions = {
	localSecure: boolean
	}
	type LocalCookieRewriteOptions = {
	localSecure: boolean
	}
	const toLocalCookieName = (cookieName: string, options: LocalCookieRewriteOptions) => {
	if (options.localSecure)
	return cookieName
	return cookieName.replace(SECURE_COOKIE_PREFIX_PATTERN, '')
	}

[gemini-code-assist]

The DevProxyEnv type can be simplified. Instead of using a complex intersection of Partial<Record<...>> and Record<...>, you can combine all optional properties into a single Partial<Record<...>>. This makes the type easier to read and understand.

type DevProxyEnv = Partial<Record<
  | 'HONO_CONSOLE_API_PROXY_TARGET'
  | 'HONO_PUBLIC_API_PROXY_TARGET'
  | 'NEXT_PUBLIC_API_PREFIX'
  | 'NEXT_PUBLIC_PUBLIC_API_PREFIX',
  string
>>

[Copilot]

Pull request overview

This PR adds conditional HTTPS support for the web dev environment (Vite dev server + local Hono dev proxy) when the configured API prefixes use https://..., and updates cookie rewriting so Secure/Partitioned cookies can be preserved when the local proxy is running over HTTPS.

Changes:

• Enable Vite dev-server HTTPS via @vitejs/plugin-basic-ssl when API prefixes are HTTPS.
• Add HTTPS mode to dev-hono-proxy and make cookie rewriting aware of whether the local proxy is secure.
• Add protocol detection helper + tests for HTTPS switching and secure-cookie preservation.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
web/vite.config.ts	Conditionally enables basicSsl() based on env-driven HTTPS detection.
web/scripts/dev-hono-proxy.ts	Starts the Hono proxy as HTTPS when API prefixes indicate HTTPS, otherwise uses HTTP.
web/plugins/dev-proxy/protocol.ts	Adds env parsing helper to decide whether the dev proxy should use HTTPS.
web/plugins/dev-proxy/server.ts	Plumbs localSecure into Set-Cookie rewriting and re-exports HTTPS helper.
web/plugins/dev-proxy/cookies.ts	Preserves Secure/SameSite=None/Partitioned + __Host- naming when local proxy is HTTPS.
web/plugins/dev-proxy/server.spec.ts	Adds tests for HTTPS switching, HTTPS origin allowance, and secure cookie preservation.
web/package.json	Adds @vitejs/plugin-basic-ssl dependency.
web/pnpm-lock.yaml	Locks @vitejs/plugin-basic-ssl@2.2.0.
web/.env.example	Documents how to enable HTTPS mode for the dev proxy via API prefixes.

Files not reviewed (1)

• web/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.