Skip to content

Fix desktop Cloudflare Access remote connections#86

Closed
wizzoapp[bot] wants to merge 1 commit into
mainfrom
codex/desktop-cfaccess-fix
Closed

Fix desktop Cloudflare Access remote connections#86
wizzoapp[bot] wants to merge 1 commit into
mainfrom
codex/desktop-cfaccess-fix

Conversation

@wizzoapp

@wizzoapp wizzoapp Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary

  • keep desktop Cloudflare Access interactive sign-in alive when Electron reports redirect-class loadURL interruptions while navigating to the Access login page
  • preserve Cloudflare Access JWT/service-token fields from pairing URL fragments and manual Add Environment fields
  • pass saved Cloudflare Access credentials through the existing shared transport credential layer for pairing, HTTP auth, WebSocket ticketing, and socket headers

Proof

  • Focused tests: apps/desktop/src/ipc/methods/cloudflareAccess.test.ts, packages/shared/src/remote.test.ts, packages/client-runtime/src/connection/onboarding.test.ts, apps/web/src/components/settings/ConnectionsSettings.logic.test.ts
  • Static checks: vp fmt --check, vp check, vp run typecheck
  • Real build: node scripts/build-desktop-artifact.ts --platform linux --target dir --arch x64 --skip-build --keep-stage against a built desktop artifact
  • Packaged launch: xvfb-run -a node scripts/desktop-launch-smoke.mjs --command /home/adam/tmp/t3code-desktop-build/t3code-desktop-linux-stage-PcCDvh/app/dist/linux-unpacked/t3code --timeout-ms 120000 --stability-ms 2000
  • Cloudflare Access redirect proof: launched the packaged app under Xvfb, invoked window.desktopBridge.authenticateCloudflareAccess({ host: "https://oc.agriffiths.dev/" }), observed renderer source https://agriffiths.cloudflareaccess.com/cdn-cgi/access/login/..., and asserted IPC state stayed pending instead of rejecting

Notes

  • vp check still reports 12 pre-existing mobile unused-symbol warnings outside this diff.
  • vp run typecheck still reports two pre-existing Effect suggestions outside this diff.

@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 11:19
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 11:29
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 11:53

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0c013e35f4

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +2759 to +2762
<div className="space-y-2">
<span className="block text-xs font-medium text-foreground">
Cloudflare Access service token
</span>

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Hide service-token fields until WebSocket headers are supported

In the web/desktop settings panel, any user who fills these new Cloudflare Access service-token fields (or pastes a pairing URL that populates them) will always be rejected before pairing completes: preparePairingRegistration calls validateCloudflareAccessRuntime, which rejects service-token auth unless canPassWebSocketHeaderOptions() is true, while apps/web/src/lib/runtime.ts provides the unmarked browser/Electron Socket.layerWebSocketConstructorGlobal (only mobile wraps the constructor as header-capable). This makes the newly exposed desktop UI path unusable unless the desktop runtime is made header-capable or the fields are hidden/disabled there.

Useful? React with 👍 / 👎.

Comment on lines +68 to +70
...(target.cloudflareAccessToken
? { cloudflareAccessToken: target.cloudflareAccessToken }
: {}),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Install pasted Access JWTs before saving them

When a pasted pairing URL carries cf_access_token, these lines now save that JWT and pairing can complete over HTTP, but the saved connection still opens its WebSocket from the web/desktop runtime where Socket.layerWebSocketConstructorGlobal is not header-capable. Unlike the desktop cookie sign-in path, no CF_Authorization cookie is installed for this JWT, so a Cloudflare Access-protected backend will reject the later WebSocket handshake even though the environment was saved successfully.

Useful? React with 👍 / 👎.

@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 14:21
@wizzoapp wizzoapp Bot force-pushed the codex/desktop-cfaccess-fix branch from 0c013e3 to ecd5110 Compare July 6, 2026 14:21
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 14:21

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ecd511059d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

);
const handleSavedBackendHostChange = useCallback((value: string) => {
setSavedBackendCloudflareAccess(null);
setSavedBackendCloudflareAccessToken("");

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Clear stale service tokens when the host changes

When a user has populated the Cloudflare Access service-token fields (for example by pasting a pairing URL) and then edits the host to a different bare/manual host, this handler clears the saved cookie/JWT state but leaves savedBackendCloudflareAccessClientId and savedBackendCloudflareAccessClientSecret intact in the non-URL branch. The next Add Environment attempt will therefore send the old cf-access-client-secret to the newly typed host. Clear the service-token state on host changes unless the newly parsed URL repopulates it.

Useful? React with 👍 / 👎.

@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 14:40
@wizzoapp wizzoapp Bot force-pushed the codex/desktop-cfaccess-fix branch from ecd5110 to 1ce9f43 Compare July 6, 2026 14:40
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 14:40
@wizzoapp

wizzoapp Bot commented Jul 6, 2026

Copy link
Copy Markdown
Author

Superseded by a fresh PR from the same branch because Codex review stopped attaching to fresh pushes on this PR after multiple review cycles. Replacement PR follows.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants