Skip to content

refactor: move Twingate backend config into config package#358

Open
minhtule wants to merge 1 commit into
masterfrom
feat/mt/parser-config-helpers
Open

refactor: move Twingate backend config into config package#358
minhtule wants to merge 1 commit into
masterfrom
feat/mt/parser-config-helpers

Conversation

@minhtule

@minhtule minhtule commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Related Tickets & Documents

Changes

  • Move the trusted domain → issuer map and JWKS URL construction into config as TwingateConfig.Issuer() and TwingateConfig.JWKSURL().
  • token.ParserConfig now takes Issuer, Audience, JWKSURL instead of Network/Host.
  • ResolveTwingateHost reuses JWKSURL() so the JWKS URL is built in one place.
  • Add sec.opstg.com to the trusted domains.

Notes

  • Separates concerns: config owns Twingate-backend specifics, token is generic JWT validation. The host/network trust-anchor validation lands in the follow-up PR stacked on this one.

@minhtule minhtule force-pushed the feat/mt/parser-config-helpers branch from 9d6a548 to cc7da4d Compare June 30, 2026 06:35
@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.19%. Comparing base (ae1a656) to head (5bd5661).
⚠️ Report is 3 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #358      +/-   ##
==========================================
+ Coverage   86.07%   86.19%   +0.12%     
==========================================
  Files          40       40              
  Lines        2830     2833       +3     
==========================================
+ Hits         2436     2442       +6     
+ Misses        269      265       -4     
- Partials      125      126       +1     
Flag Coverage Δ
integration 55.05% <87.50%> (+0.19%) ⬆️
unit 78.57% <75.00%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/config/config.go 89.13% <100.00%> (+0.33%) ⬆️
internal/connect/listener.go 86.17% <100.00%> (+0.14%) ⬆️
internal/token/parser.go 91.66% <100.00%> (-1.67%) ⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors Twingate backend–specific JWT/JWKS configuration into the config package, so internal/token becomes a generic JWT validation component configured by explicit Issuer/Audience/JWKSURL values.

Changes:

  • Move trusted-domain → issuer mapping and JWKS URL construction into internal/config (TwingateConfig.Issuer() / TwingateConfig.JWKSURL()), and reuse it in ResolveTwingateHost.
  • Change token.ParserConfig to accept Issuer, Audience, and JWKSURL (removing Network/Host) so internal/token no longer depends on internal/config.
  • Add sec.opstg.com to the trusted-domain allowlist.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/token/parser.go Switch parser configuration to explicit Issuer/Audience/JWKSURL inputs and remove domain→issuer logic from token layer.
internal/token/parser_test.go Update token parser tests for the new ParserConfig fields; remove getIssuer tests.
internal/connect/listener.go Update token parser construction to use twingateConfig.Issuer() and twingateConfig.JWKSURL().
internal/connect/connect_test.go Update connect tests to use Issuer/Audience ParserConfig fields.
internal/config/config.go Add issuer mapping + Issuer()/JWKSURL() helpers and reuse JWKSURL in host resolution.
internal/config/config_test.go Add unit tests for TwingateConfig.Issuer().
Comments suppressed due to low confidence (1)

internal/token/parser.go:46

  • NewParser implicitly requires JWKSURL when Keyfunc is nil, but it currently passes an empty string through to keyfunc.NewDefault, which can fail with a low-signal error. Consider validating cfg.JWKSURL up front and returning a clear configuration error.
func NewParser(config ParserConfig) (*Parser, error) {
	if config.Keyfunc == nil {
		jwks, err := keyfunc.NewDefault([]string{config.JWKSURL})
		if err != nil {
			return nil, fmt.Errorf("failed to create JWKS store: %w", err)
		}

		config.Keyfunc = jwks.Keyfunc
	}

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/config/config.go
Comment thread internal/config/config.go
Comment on lines +64 to +67
// JWKSURL returns the controller endpoint for fetching GAT signing keys.
func (t TwingateConfig) JWKSURL() string {
return fmt.Sprintf("https://%s.%s/api/v1/jwk/ec", t.Network, t.Host)
}
@minhtule minhtule marked this pull request as ready for review June 30, 2026 15:05
@minhtule minhtule requested a review from clement0010 June 30, 2026 15:05
@minhtule minhtule changed the title refactor: move Twingate backend config into config package refactor: move Twingate backend config into config package Jun 30, 2026
@minhtule minhtule force-pushed the feat/mt/parser-config-helpers branch from 94bc480 to 409edde Compare June 30, 2026 15:07
…token parser

- Relocate the issuer-by-domain map and JWKS URL into config as TwingateConfig.Issuer/JWKSURL.
- token.ParserConfig takes Issuer/Audience/JWKSURL; token no longer imports config.
- Add sec.opstg.com to the trusted domains.
@minhtule minhtule force-pushed the feat/mt/parser-config-helpers branch from 409edde to 5bd5661 Compare June 30, 2026 15:17

@clement0010 clement0010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏻

@minhtule minhtule requested a review from sghiocel July 3, 2026 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants