Skip to content

fix(cli): --insecure also skips TLS certificate verification#38531

Merged
GareArc merged 3 commits into
mainfrom
fix/difyctl-insecure-tls-skip
Jul 8, 2026
Merged

fix(cli): --insecure also skips TLS certificate verification#38531
GareArc merged 3 commits into
mainfrom
fix/difyctl-insecure-tls-skip

Conversation

@GareArc

@GareArc GareArc commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Resolves ENG-708

Summary

difyctl auth login --insecure only allowed http:// hosts. Against a self-signed https:// host (e.g. an internal Dify instance) it still failed with self signed certificate. --insecure now also skips TLS certificate verification, so it covers both "no TLS" and "untrusted cert" as one blanket flag — consistent with how --insecure/-k works in most CLIs.

  • http/proxy.ts: builds an undici Agent/EnvHttpProxyAgent with rejectUnauthorized: false when insecure is set
  • Persisted per-host (insecure_tls, same pattern as the existing scheme field) so authenticated commands after login don't need --insecure again — and a later secure login to the same host clears it
  • Threaded through login, logout, authed commands, and the version/compat probe via a shared activeHostInfo() helper

Test plan

  • pnpm type-check, pnpm lint:fix, pnpm test (1217 passed, 0 failed)
  • Manual smoke test against a real self-signed HTTPS server: rejected without --insecure, accepted with it

@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jul 8, 2026
--insecure previously only allowed http:// hosts, so a self-signed
https:// host (e.g. an internal Dify instance) still failed login with
"self signed certificate". Extend the flag to also disable TLS
verification for the session, routed through an undici Agent/
EnvHttpProxyAgent with rejectUnauthorized: false.

The choice is persisted per-host (mirroring the existing scheme field)
so authenticated commands after login keep working without needing
--insecure again, and is cleared automatically by a subsequent secure
login to the same host.
@GareArc GareArc force-pushed the fix/difyctl-insecure-tls-skip branch from 67597c6 to 2ad1962 Compare July 8, 2026 04:00
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Jul 8, 2026
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 70.73171% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.39%. Comparing base (6c0aa3e) to head (af4f11e).
⚠️ Report is 10 commits behind head on main.

Files with missing lines Patch % Lines
cli/src/commands/_shared/authed-command.ts 0.00% 5 Missing ⚠️
cli/src/version/enforce.ts 20.00% 4 Missing ⚠️
cli/src/commands/auth/logout/index.ts 0.00% 2 Missing ⚠️
cli/src/commands/auth/login/index.ts 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #38531      +/-   ##
==========================================
+ Coverage   85.34%   85.39%   +0.05%     
==========================================
  Files        5012     5169     +157     
  Lines      265733   270146    +4413     
  Branches    50513    51596    +1083     
==========================================
+ Hits       226779   230684    +3905     
- Misses      34506    35014     +508     
  Partials     4448     4448              
Flag Coverage Δ
cli 88.48% <70.73%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@GareArc GareArc enabled auto-merge July 8, 2026 04:15
The insecure TLS-skip only worked under Node's fetch (used by tests),
not Bun's native fetch — what the compiled difyctl binary actually
runs on. Bun ignores undici's `dispatcher` option entirely, so
--insecure against a self-signed host still failed with "self signed
certificate" in the real binary despite passing tests.

Set Bun's own `tls: { rejectUnauthorized: false }` fetch option
alongside the existing dispatcher; each runtime ignores the option it
doesn't understand. Verified against a real self-signed server both
under Vitest and in an actual compiled Bun binary.
@GareArc GareArc requested review from lin-snow and wylswz July 8, 2026 04:25
Comment thread cli/test/fixtures/tls/self-signed-key.pem Outdated
Committed key/cert pairs have unverifiable provenance; generate a
throwaway self-signed pair via openssl in beforeAll instead.
@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jul 8, 2026
@GareArc GareArc added this pull request to the merge queue Jul 8, 2026
Merged via the queue into main with commit ae1e180 Jul 8, 2026
33 of 34 checks passed
@GareArc GareArc deleted the fix/difyctl-insecure-tls-skip branch July 8, 2026 08:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm This PR has been approved by a maintainer size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants