Fix: Endpoint configuration not passed to terminal server

[kennethkalmer]

Summary

Fixes the breaking change introduced in PR #129 (commit d454d36) where endpoint configuration was removed from createAuthPayload() with the claim that it would be included in the signed config, but those fields were never actually added.

This PR restores endpoint configuration functionality while maintaining the cleaner API surface (no additionalEnvVars parameter).

Problem

PR #129 removed the additionalEnvVars parameter from createAuthPayload() but:

1. Never added endpoint and controlAPIHost to the signed config
2. Never extracted these fields in createAuthPayload()
3. Result: endpoint configuration completely lost, breaking custom endpoint usage

Solution

Phase 1: Add endpoint fields to signed config

• Updated SignRequest interface to accept optional endpoint and controlAPIHost
• Modified signCredentials() to include these in the config when provided
• Updated API endpoints and middleware to accept and pass through endpoint params

Phase 2: Extract endpoint config in createAuthPayload()

• Modified createAuthPayload() to extract endpoint fields from signed config
• Adds ABLY_ENDPOINT and ABLY_CONTROL_API_HOST to environment variables
• Terminal server receives endpoint config via auth payload

Phase 3: Update example implementation

• Demonstrates how to pass endpoint configuration (via env vars in example)
• Documents that implementations can source these values from various places

Phase 4: Comprehensive test coverage (19 tests)

• Unit tests for createAuthPayload() endpoint extraction (6 tests)
• Unit tests for signCredentials() endpoint inclusion (7 tests)
• Integration tests for end-to-end flow (6 tests)

Phase 5: CI integration

• Updated pre-push validation to run package and example tests
• Ensures all endpoint configuration tests run in CI

Key Features

✅ Backward Compatible: Works with or without endpoint configuration
✅ Secure: Endpoint values are signed and validated via HMAC
✅ Clean API: No additionalEnvVars parameter needed
✅ Flexible: Implementations can source endpoint values from env vars, config files, user input, etc.

Testing

All tests passing:

• ✅ Main CLI: 99 test files, 941 tests (7 skipped)
• ✅ React Web CLI: 6 test files, 69 tests (6 skipped)
• ✅ Web CLI Example: 1 test file, 7 tests
• ✅ Lint: 0 errors
• ✅ Build: Successful

Files Changed

Core Implementation:

• examples/web-cli/server/sign-handler.ts - Add endpoint fields to signed config
• examples/web-cli/api/sign.ts - Accept endpoint params in API
• examples/web-cli/vite.config.ts - Accept endpoint params in middleware
• packages/react-web-cli/src/terminal-shared.ts - Extract endpoint to env vars

Example:

• examples/web-cli/src/App.tsx - Demonstrate endpoint configuration

Tests:

• packages/react-web-cli/src/terminal-shared.test.ts - Unit tests
• packages/react-web-cli/src/__tests__/integration/endpoint-config.test.ts - Integration tests
• examples/web-cli/server/__tests__/sign-handler.test.ts - Sign handler tests

CI:

• scripts/pre-push-validation.sh - Run package tests in CI

Related

• Fixes: #INF-6536
• Related PR: feat: implement signedConfig and signature support for HMAC auth #129 (commit d454d36)

---

Note

Restores endpoint configuration by carrying it through the signing flow and exposing it to the terminal server via auth payload.

• Core: signCredentials() now accepts endpoint and controlAPIHost and includes them in signedConfig; createAuthPayload() reads these fields and sets ABLY_ENDPOINT/ABLY_CONTROL_API_HOST env vars
• Example app: /api/sign handler and Vite middleware accept/pass endpoint params; App.tsx forwards optional values from env to signing request
• Tests: New unit tests for signCredentials() and createAuthPayload(), plus integration tests validating end-to-end propagation and signature integrity; added Vitest config and script in example
• CI/Dev: Pre-push script now runs react-web-cli package tests and example tests

^{Written by Cursor Bugbot for commit 908bcd5. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• New Features

  • Extended signing API to support optional endpoint and controlAPIHost configuration fields, conditionally included when provided.
  • Added environment variable propagation for endpoint and control API host configuration throughout authentication flow.

• Tests

  • Added comprehensive test coverage for endpoint and control API host field handling, signature generation, and environment variable mapping.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Jan 21, 2026 2:15pm

[coderabbitai]

Walkthrough

The changes extend the signing and authentication flow across web CLI and React web CLI packages to support optional endpoint and controlAPIHost configuration fields. These parameters are threaded through request parsing, credential signing, auth payload creation, and test coverage, with vitest integration for the example package.

Changes

Cohort / File(s)	Summary
API Request & Response Handling examples/web-cli/api/sign.ts, examples/web-cli/vite.config.ts	Request body parsing extended to extract and forward endpoint and controlAPIHost alongside existing apiKey and bypassRateLimit fields to signing logic.
Credential Signing examples/web-cli/server/sign-handler.ts	SignRequest interface gains two optional fields: endpoint?: string and controlAPIHost?: string; signCredentials conditionally includes these in the signed config via spread properties.
Frontend Authentication examples/web-cli/src/App.tsx	Auth request payload now conditionally appends endpoint and controlAPIHost sourced from environment variables (VITE_ABLY_ENDPOINT, VITE_ABLY_CONTROL_HOST).
Environment & Config Setup examples/web-cli/package.json, examples/web-cli/vitest.config.ts	Added vitest dev dependency, "test" npm script, and new vitest configuration file with globals, node environment, and 10s timeout.
Sign Handler Tests examples/web-cli/server/__tests__/sign-handler.test.ts	New test suite verifying endpoint and controlAPIHost are conditionally included in signed config, signature validity, and deterministic differences based on presence/absence of endpoint.
Auth Payload Creation & Tests packages/react-web-cli/src/terminal-shared.ts, packages/react-web-cli/src/terminal-shared.test.ts	Core implementation now extracts endpoint and controlAPIHost from signed config and stores them as ABLY_ENDPOINT and ABLY_CONTROL_API_HOST in environment variables; comprehensive unit tests validate extraction, backward compatibility, and presence of standard env vars.
Integration Tests packages/react-web-cli/src/__tests__/integration/endpoint-config.test.ts	New integration test suite covering signing with/without endpoint fields, auth payload creation, signature integrity, backward compatibility, and environment variable propagation.
Pre-Push Validation scripts/pre-push-validation.sh	Added Step 3b and Step 3c to run react-web-cli and example package tests; updated summary note to reflect extended test pipeline (unit, package, integration, basic E2E).

Sequence Diagram

sequenceDiagram
    participant Client as App.tsx
    participant SignAPI as Sign API Handler
    participant SignFn as signCredentials()
    participant AuthPayload as createAuthPayload()
    participant EnvVars as Environment Variables

    Client->>SignAPI: POST /sign with endpoint, controlAPIHost
    SignAPI->>SignAPI: Parse endpoint, controlAPIHost from body
    SignAPI->>SignFn: Call with extracted fields
    SignFn->>SignFn: Build signedConfig with endpoint, controlAPIHost
    SignFn->>SignAPI: Return signed config + signature
    SignAPI->>Client: Return { signature, signedConfig }
    Client->>AuthPayload: Call with signedConfig, signature, sessionId
    AuthPayload->>AuthPayload: Extract endpoint, controlAPIHost from config
    AuthPayload->>EnvVars: Set ABLY_ENDPOINT, ABLY_CONTROL_API_HOST
    AuthPayload->>Client: Return auth payload with environmentVariables

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A rabbit hops through endpoints fine,
Configuration in design,
With tests to chase and paths to trace,
The auth flow finds its proper place. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: restoring endpoint configuration support that was previously removed, ensuring it reaches the terminal server.
Linked Issues check	✅ Passed	The PR addresses INF-6536 by implementing comprehensive support for endpoint and controlAPIHost parameters throughout the auth flow, including signing, payload creation, and environment variable propagation.
Out of Scope Changes check	✅ Passed	All changes directly support restoring endpoint configuration: SignRequest interface updates, signCredentials modifications, auth payload extraction, environment variable propagation, comprehensive tests, and CI pipeline updates.
Docstring Coverage	✅ Passed	Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch INF-6536-patch-endpoint

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kennethkalmer]

This is the crux of the fix, everything else is in support of this.

[kennethkalmer]

Turns out this was only required because we were running and older version of the terminal server 😅