
fix: refactor gateway, add unconnected app response, centralize env vars #170

Merged
guyb1 merged 1 commit into main from fix/gateway-refactor-and-unconnected-app-response
Apr 8, 2026

@guyb1 guyb1 commented Apr 8, 2026

Summary

  • Gateway refactor: Split gateway.rs (1012 lines) into sub-modules: forward.rs (request forwarding), mitm.rs (TLS interception), tunnel.rs (TCP tunnel), response.rs (error responses)
  • Unconnected app response: When no credentials are injected and upstream returns 401/403 for a known app host, the gateway returns an actionable JSON error with the provider name, display name, and connect URL instead of passing through a generic auth error
  • Path-aware provider lookup: Shared hosts like www.googleapis.com are disambiguated by request path prefix (Gmail vs Calendar vs Drive)
  • Centralized env vars: All process.env reads moved to lib/env.ts — single source of truth for defaults and naming
  • Docker Compose: Added NEXT_PUBLIC_APP_URL and APP_URL derived from ONECLI_BIND_HOST
  • Cache invalidation fixes: Added missing gateway cache invalidation on app connect (API key), disconnect, and OAuth connect (client-side via postMessage)

Test plan

  • pnpm check passes (lint + types + format)
  • cargo test — all 154 gateway tests pass
  • Connect an app via OAuth → gateway cache invalidated immediately
  • Disconnect an app → gateway cache invalidated immediately
  • curl through proxy to unconnected app → get app_not_connected JSON response
  • curl through proxy to connected app → get real API response
  • curl to www.googleapis.com/calendar/... without Calendar connected → says "Google Calendar" not "Gmail"

Gateway:
- Split gateway.rs into sub-modules (forward, mitm, tunnel, response)
- Add unconnected app response: when no credentials are injected and
  upstream returns 401/403 for a known app, return actionable JSON
  error with provider name and connect URL
- Force MITM for known app hosts even without credentials so the
  interception can detect auth failures
- Add display_name to app provider registry with path-aware lookup
  for shared hosts (www.googleapis.com disambiguates by path prefix)

Environment:
- Centralize all process.env reads into lib/env.ts
- Add NEXT_PUBLIC_APP_URL and APP_URL to docker-compose derived from
  ONECLI_BIND_HOST
- Gateway reads APP_URL for full dashboard URL in connect_url

Cache invalidation:
- Add gateway cache invalidation on app connect (API key) and
  disconnect (CLI routes)
- Add client-side cache invalidation on OAuth connect and disconnect
  via useInvalidateGatewayCache in apps-tab and app-detail
- Remove broken invalidation from OAuth callback (cross-origin
  redirect has no auth cookie)
@guyb1 guyb1 merged commit 2290c50 into main Apr 8, 2026
1 check passed
@guyb1 guyb1 deleted the fix/gateway-refactor-and-unconnected-app-response branch April 8, 2026 13:59
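
The path-aware lookup and the unconnected-app decision described in the summary, sketched as an added example that is not code from this PR or its repository. The struct, function and JSON field names, the `/connect/` route and the registry entries are assumptions; only `app_not_connected`, `display_name`, `connect_url`, `APP_URL` and the 401/403 rule come from the description above.

```rust
// Added illustration. Struct, function and JSON field names, the /connect/
// route and the registry entries are assumptions, not the PR's actual code.
struct Provider {
    name: &'static str,
    display_name: &'static str,
    host: &'static str,
    path_prefix: &'static str, // "" matches every path on the host
}

// Constructed registry: www.googleapis.com is shared by three apps.
static REGISTRY: &[Provider] = &[
    Provider { name: "gmail", display_name: "Gmail", host: "www.googleapis.com", path_prefix: "/gmail/" },
    Provider { name: "google-calendar", display_name: "Google Calendar", host: "www.googleapis.com", path_prefix: "/calendar/" },
    Provider { name: "google-drive", display_name: "Google Drive", host: "www.googleapis.com", path_prefix: "/drive/" },
    Provider { name: "github", display_name: "GitHub", host: "api.github.com", path_prefix: "" },
];

/// Longest matching path prefix wins, so a shared host is never attributed
/// to whichever provider happens to be registered first.
fn lookup(host: &str, path: &str) -> Option<&'static Provider> {
    REGISTRY
        .iter()
        .filter(|p| p.host.eq_ignore_ascii_case(host) && path.starts_with(p.path_prefix))
        .max_by_key(|p| p.path_prefix.len())
}

/// Some(body) replaces the upstream response; None means pass it through.
/// Rewrites only when no credentials were injected, the upstream said
/// 401/403, and the host and path map to a known app.
fn unconnected_response(host: &str, path: &str, status: u16, injected: bool, app_url: &str) -> Option<String> {
    if injected || !matches!(status, 401 | 403) {
        return None; // a connected app's own 401/403 must reach the client unchanged
    }
    let p = lookup(host, path)?;
    Some(format!(
        r#"{{"error":"app_not_connected","provider":"{}","display_name":"{}","connect_url":"{}/connect/{}"}}"#,
        p.name, p.display_name, app_url.trim_end_matches('/'), p.name
    ))
}

fn main() {
    // APP_URL value is a constructed sample.
    let body = unconnected_response("www.googleapis.com", "/calendar/v3/calendars", 401, false, "http://localhost:3000");
    println!("{}", body.unwrap_or_default());
}
```

The JSON is formatted by hand only because every interpolated value is a registry constant or operator configuration; anything derived from the request would need a real JSON serializer.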