Restore app-server websocket listener with auth guard #22404

Merged
etraut-openai merged 3 commits into main from etraut/revert-app-server-ws-auth on May 13, 2026
@etraut-openai etraut-openai commented May 13, 2026

Why

PR #21843 removed the TCP websocket app-server listener, but that also removed functionality that still needs to exist. Restoring it as-is would reopen the old remote exposure problem, so this keeps the restored listener while making remote and non-loopback usage require explicit auth.

What Changed

  • Mostly reverts "app-server: remove TCP websocket listener" (#21843) and reapplies the small merge-conflict resolutions needed on top of current main.
  • Restores ws://IP:PORT parsing, the app-server TCP websocket acceptor, websocket auth CLI flags, and the associated tests.
  • The only intentional behavior change from the restored code is that non-loopback websocket listeners now fail startup unless --ws-auth capability-token or --ws-auth signed-bearer-token is configured. Loopback listeners remain available for local and SSH-forwarding workflows.

Reviewer Focus

Please focus review on the small auth-enforcement delta layered on top of the revert:

  • codex-rs/app-server-transport/src/transport/websocket.rs: start_websocket_acceptor now rejects unauthenticated non-loopback websocket binds before accepting connections.
  • codex-rs/app-server-transport/src/transport/auth.rs: helper logic classifies unauthenticated non-loopback listeners.
  • codex-rs/app-server/tests/suite/v2/connection_handling_websocket.rs: tests cover unauthenticated ws://0.0.0.0 startup rejection and authenticated non-loopback capability-token startup.

Everything else is intended to be revert/merge-conflict restoration rather than new product behavior.

Verification

  • Manually verified that TUI remoting is restored and that auth is enforced for non-localhost URLs.
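
An added example, not code from this PR or the Codex repository: a minimal startup guard of the kind the description outlines, using only the Rust standard library. The type and function names, the port, and the choice to count an IPv4-mapped IPv6 loopback address as loopback are assumptions made here.

```rust
use std::net::{IpAddr, SocketAddr};

// Variants mirror the page's --ws-auth values; the type itself is hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum WsAuth { None, CapabilityToken, SignedBearerToken }

#[derive(Debug, PartialEq)]
pub enum GuardError { BadUrl, UnauthenticatedNonLoopback(SocketAddr) }

// Parse `ws://IP:PORT`; only IP literals are accepted, so no DNS lookup can
// change the answer between the check and the bind.
pub fn parse_listen_url(url: &str) -> Result<SocketAddr, GuardError> {
    let rest = url.strip_prefix("ws://").ok_or(GuardError::BadUrl)?;
    rest.parse::<SocketAddr>().map_err(|_| GuardError::BadUrl)
}

// Loopback: 127.0.0.0/8, ::1, or an IPv4-mapped IPv6 loopback address.
// 0.0.0.0 and :: bind every interface, so they are non-loopback.
pub fn is_loopback(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4.is_loopback(),
        IpAddr::V6(v6) => {
            v6.is_loopback() || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback())
        }
    }
}

// Startup guard: call before binding so a rejected configuration never
// accepts a connection.
pub fn check_listener_policy(url: &str, auth: WsAuth) -> Result<SocketAddr, GuardError> {
    let addr = parse_listen_url(url)?;
    if auth == WsAuth::None && !is_loopback(addr.ip()) {
        return Err(GuardError::UnauthenticatedNonLoopback(addr));
    }
    Ok(addr)
}

fn main() {
    // Constructed sample inputs (port 4500 is arbitrary).
    let cases = [
        ("ws://127.0.0.1:4500", WsAuth::None),
        ("ws://0.0.0.0:4500", WsAuth::None),
        ("ws://0.0.0.0:4500", WsAuth::CapabilityToken),
        ("ws://[::1]:4500", WsAuth::SignedBearerToken),
    ];
    for (url, auth) in cases {
        println!("{} {:?} -> {:?}", url, auth, check_listener_policy(url, auth));
    }
}
```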

@etraut-openai etraut-openai marked this pull request as ready for review May 13, 2026 01:06
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26ab0676c5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/Cargo.toml
@etraut-openai
@codex review

@etraut-openai etraut-openai changed the title [codex] Restore app-server websocket listener with auth guard Restore app-server websocket listener with auth guard May 13, 2026
@etraut-openai etraut-openai merged commit 51bfb5f into main May 13, 2026
30 checks passed
@etraut-openai etraut-openai deleted the etraut/revert-app-server-ws-auth branch May 13, 2026 01:40
@github-actions github-actions Bot locked and limited conversation to collaborators May 13, 2026