refactor: move Twingate backend config into config package#358
Conversation
9d6a548 to
cc7da4d
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #358 +/- ##
==========================================
+ Coverage 86.07% 86.19% +0.12%
==========================================
Files 40 40
Lines 2830 2833 +3
==========================================
+ Hits 2436 2442 +6
+ Misses 269 265 -4
- Partials 125 126 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
cc7da4d to
94bc480
Compare
There was a problem hiding this comment.
Pull request overview
Refactors Twingate backend–specific JWT/JWKS configuration into the config package, so internal/token becomes a generic JWT validation component configured by explicit Issuer/Audience/JWKSURL values.
Changes:
- Move trusted-domain → issuer mapping and JWKS URL construction into
internal/config(TwingateConfig.Issuer()/TwingateConfig.JWKSURL()), and reuse it inResolveTwingateHost. - Change
token.ParserConfigto acceptIssuer,Audience, andJWKSURL(removingNetwork/Host) sointernal/tokenno longer depends oninternal/config. - Add
sec.opstg.comto the trusted-domain allowlist.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/token/parser.go | Switch parser configuration to explicit Issuer/Audience/JWKSURL inputs and remove domain→issuer logic from token layer. |
| internal/token/parser_test.go | Update token parser tests for the new ParserConfig fields; remove getIssuer tests. |
| internal/connect/listener.go | Update token parser construction to use twingateConfig.Issuer() and twingateConfig.JWKSURL(). |
| internal/connect/connect_test.go | Update connect tests to use Issuer/Audience ParserConfig fields. |
| internal/config/config.go | Add issuer mapping + Issuer()/JWKSURL() helpers and reuse JWKSURL in host resolution. |
| internal/config/config_test.go | Add unit tests for TwingateConfig.Issuer(). |
Comments suppressed due to low confidence (1)
internal/token/parser.go:46
- NewParser implicitly requires JWKSURL when Keyfunc is nil, but it currently passes an empty string through to keyfunc.NewDefault, which can fail with a low-signal error. Consider validating cfg.JWKSURL up front and returning a clear configuration error.
func NewParser(config ParserConfig) (*Parser, error) {
if config.Keyfunc == nil {
jwks, err := keyfunc.NewDefault([]string{config.JWKSURL})
if err != nil {
return nil, fmt.Errorf("failed to create JWKS store: %w", err)
}
config.Keyfunc = jwks.Keyfunc
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // JWKSURL returns the controller endpoint for fetching GAT signing keys. | ||
| func (t TwingateConfig) JWKSURL() string { | ||
| return fmt.Sprintf("https://%s.%s/api/v1/jwk/ec", t.Network, t.Host) | ||
| } |
config package
94bc480 to
409edde
Compare
…token parser - Relocate the issuer-by-domain map and JWKS URL into config as TwingateConfig.Issuer/JWKSURL. - token.ParserConfig takes Issuer/Audience/JWKSURL; token no longer imports config. - Add sec.opstg.com to the trusted domains.
409edde to
5bd5661
Compare
Related Tickets & Documents
twingate.hostandtwingate.networkagainst trusted domains #359 (stacked on this).Changes
configasTwingateConfig.Issuer()andTwingateConfig.JWKSURL().token.ParserConfignow takesIssuer,Audience,JWKSURLinstead ofNetwork/Host.ResolveTwingateHostreusesJWKSURL()so the JWKS URL is built in one place.sec.opstg.comto the trusted domains.Notes
configowns Twingate-backend specifics,tokenis generic JWT validation. The host/network trust-anchor validation lands in the follow-up PR stacked on this one.