💥 TLS enabled if API key is provided (#1847)

THardy98 · web-flow · commit 47fb852e3b9d · 2025-12-02T16:21:20.000-08:00
diff --git a/packages/client/src/connection.ts b/packages/client/src/connection.ts
@@ -210,7 +210,7 @@ function normalizeGRPCConfig(options: ConnectionOptions): ConnectionOptions {
   if (rest.address) {
     rest.address = normalizeGrpcEndpointAddress(rest.address, DEFAULT_TEMPORAL_GRPC_PORT);
   }
-  const tls = normalizeTlsConfig(tlsFromConfig);
+  const tls = normalizeTlsConfig(tlsFromConfig, options.apiKey);
   if (tls) {
     if (credentials) {
       throw new TypeError('Both `tls` and `credentials` ConnectionOptions were provided');
diff --git a/packages/cloud/src/cloud-operations-client.ts b/packages/cloud/src/cloud-operations-client.ts
@@ -229,7 +229,7 @@ function normalizeGRPCConfig(options: CloudOperationsConnectionOptions): Resolve
   } = options;
 
   const address = addressFromConfig ? normalizeGrpcEndpointAddress(addressFromConfig, 443) : 'saas-api.tmprl.cloud:443';
-  const tls = normalizeTlsConfig(tlsFromConfig) ?? {};
+  const tls = normalizeTlsConfig(tlsFromConfig, options.apiKey) ?? {};
 
   return {
     address,
diff --git a/packages/common/src/internal-non-workflow/tls-config.ts b/packages/common/src/internal-non-workflow/tls-config.ts
@@ -32,6 +32,10 @@ export type TLSConfigOption = TLSConfig | boolean | undefined | null;
 /**
  * Normalize {@link TLSConfigOption} by turning false and null to undefined and true to and empty object
  */
-export function normalizeTlsConfig(tls: TLSConfigOption): TLSConfig | undefined {
+export function normalizeTlsConfig(
+  tls: TLSConfigOption,
+  apiKey?: string | (() => string) | undefined
+): TLSConfig | undefined {
+  tls = tls ?? (apiKey !== undefined ? true : undefined);
   return typeof tls === 'object' ? (tls === null ? undefined : tls) : tls ? {} : undefined;
 }
diff --git a/packages/test/src/test-client-connection.ts b/packages/test/src/test-client-connection.ts
@@ -114,6 +114,7 @@ test('withMetadata / withDeadline / withAbortSignal set the CallContext for RPC
     address: `127.0.0.1:${port}`,
     metadata: { staticKey: 'set', 'staticKey-bin': Buffer.from([0x00]) },
     apiKey: 'test-token',
+    tls: false,
   });
   await conn.withMetadata({ test: 'true' }, () =>
     conn.withMetadata({ otherKey: 'set', 'otherKey-bin': Buffer.from([0x01]) }, () =>
@@ -164,6 +165,7 @@ test('apiKey sets temporal-namespace header appropriately', async (t) => {
     address: `127.0.0.1:${port}`,
     metadata: { staticKey: 'set' },
     apiKey: 'test-token',
+    tls: false,
   });
 
   await conn.workflowService.startWorkflowExecution({ namespace: 'test-namespace' });
@@ -610,3 +612,17 @@ async function withHttp2Server(
     });
   });
 }
+
+test('Client Connection: TLS is enabled by default when apiKey is provided and tls is not configured', async (t) => {
+  const conn = Connection.lazy({ apiKey: 'test-api-key' });
+  // When TLS is enabled, credentials should NOT be insecure
+  const isInsecure = conn.options.credentials._isSecure !== undefined && !conn.options.credentials._isSecure();
+  t.false(isInsecure, 'Connection should use secure credentials when apiKey is provided');
+});
+
+test('Client Connection: TLS can be explicitly disabled even when apiKey is provided', async (t) => {
+  const conn = Connection.lazy({ apiKey: 'test-api-key', tls: false });
+  // When TLS is explicitly disabled, credentials should be insecure
+  const isInsecure = conn.options.credentials._isSecure !== undefined && !conn.options.credentials._isSecure();
+  t.true(isInsecure, 'Connection should use insecure credentials when tls: false');
+});
diff --git a/packages/test/src/test-native-connection-headers.ts b/packages/test/src/test-native-connection-headers.ts
@@ -84,6 +84,7 @@ test('NativeConnection passes headers provided in options', async (t) => {
     address: `127.0.0.1:${port}`,
     metadata: { initial: 'true' },
     apiKey: 'enchi_cat',
+    tls: false,
   });
   t.true(gotInitialHeader);
   t.true(gotApiKey);
@@ -130,6 +131,7 @@ test('apiKey sets temporal-namespace header appropriately', async (t) => {
     address: `127.0.0.1:${port}`,
     metadata: { staticKey: 'set' },
     apiKey: 'test-token',
+    tls: false,
   });
 
   await conn.workflowService.startWorkflowExecution({ namespace: 'test-namespace' });
diff --git a/packages/test/src/test-native-connection.ts b/packages/test/src/test-native-connection.ts
@@ -8,6 +8,7 @@ import * as protoLoader from '@grpc/proto-loader';
 import { Client, NamespaceNotFoundError, WorkflowNotFoundError } from '@temporalio/client';
 import { InternalConnectionOptions, InternalConnectionOptionsSymbol } from '@temporalio/client/lib/connection';
 import { IllegalStateError, NativeConnection, NativeConnectionOptions, TransportError } from '@temporalio/worker';
+import { toNativeClientOptions } from '@temporalio/worker/lib/connection-options';
 import { temporal } from '@temporalio/proto';
 import { TestWorkflowEnvironment } from '@temporalio/testing';
 import { RUN_INTEGRATION_TESTS, Worker } from './helpers';
@@ -475,3 +476,18 @@ test('setMetadata accepts binary headers', async (t) => {
   await connection.close();
   server.forceShutdown();
 });
+
+test('NativeConnection: TLS is enabled by default when apiKey is provided and tls is not configured', (t) => {
+  // Use toNativeClientOptions to inspect the resulting config without actually connecting
+  const options = toNativeClientOptions({ apiKey: 'test-api-key' });
+  // When TLS is enabled, targetUrl should use https://
+  t.true(options.targetUrl.startsWith('https://'), 'targetUrl should use https when apiKey is provided');
+  t.not(options.tls, null, 'TLS config should not be null when apiKey is provided');
+});
+
+test('NativeConnection: TLS can be explicitly disabled even when apiKey is provided', (t) => {
+  const options = toNativeClientOptions({ apiKey: 'test-api-key', tls: false });
+  // When TLS is explicitly disabled, targetUrl should use http://
+  t.true(options.targetUrl.startsWith('http://'), 'targetUrl should use http when tls: false');
+  t.is(options.tls, null, 'TLS config should be null when tls: false');
+});
diff --git a/packages/worker/src/connection-options.ts b/packages/worker/src/connection-options.ts
@@ -79,7 +79,7 @@ export interface NativeConnectionOptions {
 export function toNativeClientOptions(options: NativeConnectionOptions): native.ClientOptions {
   const address = normalizeGrpcEndpointAddress(options.address ?? 'localhost:7233', DEFAULT_TEMPORAL_GRPC_PORT);
 
-  const tlsInput = normalizeTlsConfig(options.tls);
+  const tlsInput = normalizeTlsConfig(options.tls, options.apiKey);
   const tls: native.TLSConfig | null = tlsInput
     ? {
         domain: tlsInput.serverNameOverride ?? null,

Original file line number	Diff line number	Diff line change
`@@ -210,7 +210,7 @@ function normalizeGRPCConfig(options: ConnectionOptions): ConnectionOptions {`
`210`	`210`	`if (rest.address) {`
`211`	`211`	`rest.address = normalizeGrpcEndpointAddress(rest.address, DEFAULT_TEMPORAL_GRPC_PORT);`
`212`	`212`	`}`
`213`		`- const tls = normalizeTlsConfig(tlsFromConfig);`
	`213`	`+ const tls = normalizeTlsConfig(tlsFromConfig, options.apiKey);`
`214`	`214`	`if (tls) {`
`215`	`215`	`if (credentials) {`
`216`	`216`	throw new TypeError('Both `tls` and `credentials` ConnectionOptions were provided');