From 612d5a5ef6ec40f08110e0a8443b1960941a820a Mon Sep 17 00:00:00 2001
From: Corentin THOMASSET <corentin.thomasset74@gmail.com>
Date: Thu, 19 Dec 2024 21:44:43 +0100
Subject: [PATCH] feat(node): add support for native HTTPS configuration (#376)

---
 packages/app-server/src/index.node.ts         | 11 +++--
 .../src/modules/app/config/config.ts          | 43 +++++++++++++++++++
 .../docs/src/self-hosting/configuration.md    | 18 ++++++++
 3 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/packages/app-server/src/index.node.ts b/packages/app-server/src/index.node.ts
index 5c2fb7de..96e81cb7 100644
--- a/packages/app-server/src/index.node.ts
+++ b/packages/app-server/src/index.node.ts
@@ -1,4 +1,5 @@
 import { readFile } from 'node:fs/promises';
+import { createServer as createHttpsServer } from 'node:https';
 import process, { env } from 'node:process';
 import { safelySync } from '@corentinth/chisels';
 import { serve } from '@hono/node-server';
@@ -69,10 +70,14 @@ const server = serve(
   {
     fetch: app.fetch,
     port: config.server.port,
+    ...(config.server.useHttps
+      ? {
+          createServer: createHttpsServer,
+          serverOptions: config.server.https,
+        }
+      : {}),
   },
-  ({ port }) => {
-    logger.info({ port }, 'Server started');
-  },
+  ({ port }) => logger.info({ port }, 'Server started'),
 );
 
 process.on('SIGINT', async () => {
diff --git a/packages/app-server/src/modules/app/config/config.ts b/packages/app-server/src/modules/app/config/config.ts
index 8c43bed0..28706947 100644
--- a/packages/app-server/src/modules/app/config/config.ts
+++ b/packages/app-server/src/modules/app/config/config.ts
@@ -31,6 +31,49 @@ export const configDefinition = {
       default: [],
       env: 'SERVER_CORS_ORIGINS',
     },
+    useHttps: {
+      doc: 'Whether to enable HTTPS for the server (only in node env)',
+      schema: z
+        .string()
+        .trim()
+        .toLowerCase()
+        .transform(x => x === 'true')
+        .pipe(z.boolean()),
+      default: 'false',
+      env: 'SERVER_USE_HTTPS',
+    },
+    https: {
+      key: {
+        doc: 'The key for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_KEY',
+      },
+      cert: {
+        doc: 'The cert for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_CERT',
+      },
+      ca: {
+        doc: 'The CA for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_CA',
+      },
+      pfx: {
+        doc: 'The pfx for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_PFX',
+      },
+      passphrase: {
+        doc: 'The passphrase of the PFX cert (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_PASSPHRASE',
+      },
+    },
   },
   notes: {
     maxEncryptedPayloadLength: {
diff --git a/packages/docs/src/self-hosting/configuration.md b/packages/docs/src/self-hosting/configuration.md
index 00d7fd33..d4c71285 100644
--- a/packages/docs/src/self-hosting/configuration.md
+++ b/packages/docs/src/self-hosting/configuration.md
@@ -12,6 +12,24 @@ Enclosed is configured primarily through environment variables. Below is a list
 
 <div v-html="data" />
 
+## Optional: Native HTTPS Configuration
+
+If you want to use HTTPS without a reverse proxy, you can set the `SERVER_USE_HTTPS` environment variable to `true` and provide the necessary certificate and key files.
+
+You can either use a single PFX file or separate key and certificate files. If you use separate files, you can provide the `SERVER_HTTPS_KEY`, `SERVER_HTTPS_CERT`, and `SERVER_HTTPS_CA` environment variables. If you use a PFX file, you can provide the `SERVER_HTTPS_PFX` and `SERVER_HTTPS_PASSPHRASE` environment variables.
+
+To generate the necessary key and certificate files, you can use the following command:
+
+```bash
+openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -keyout private-key.pem -out certificate.pem
+```
+
+And if you want to generate a PFX file, you can use the following command:
+
+```bash
+openssl pkcs12 -certpbe AES-256-CBC -export -out test_cert.pfx -inkey private-key.pem -in certificate.pem -passout pass:sample
+```
+
 ## Applying Configuration Changes
 
 To apply your configuration changes, ensure that you have exported the environment variables in your shell or included them in your environment configuration file. Then, restart your Enclosed instance to apply the changes.