feat: Support HTTP web app

[clement0010]

Related Tickets & Documents

• Issue: Support HTTP Web App #309

Changes

• Add new webapphandler package to handle HTTP web application
  • Add web app configuration and validation
  • Add template utility to parse and evaluate prefix {{twingate.<key>}} suffix template
• Supporting running one HTTP proxy per resource type and update connect package's channel-based routing by ResourceType instead of TransportProtocol type
• Add resourceType label to roundtripper and http middleware metrics

Notes

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 95.71429% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.35%. Comparing base (518c321) to head (289c6cf).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
internal/proxy/proxy.go	79.54%	7 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #310      +/-   ##
==========================================
+ Coverage   85.71%   86.35%   +0.63%     
==========================================
  Files          37       40       +3     
  Lines        2716     2828     +112     
==========================================
+ Hits         2328     2442     +114     
+ Misses        264      262       -2     
  Partials      124      124              

Flag	Coverage Δ
integration	52.88% <52.38%> (-1.25%)	⬇️
unit	78.53% <90.95%> (+0.29%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/config/config.go	89.29% <100.00%> (+0.49%)	⬆️
internal/connect/conn.go	83.63% <100.00%> (+3.08%)	⬆️
internal/connect/connect.go	97.43% <100.00%> (+0.03%)	⬆️
internal/connect/listener.go	88.17% <100.00%> (+2.15%)	⬆️
internal/httpproxy/proxy.go	100.00% <100.00%> (ø)
internal/kuberneteshandler/kubernetes.go	94.02% <ø> (ø)
internal/metrics/http_middleware.go	98.83% <100.00%> (+0.10%)	⬆️
internal/metrics/round_tripper.go	100.00% <100.00%> (ø)
internal/token/gat_claims.go	100.00% <100.00%> (ø)
internal/webapphandler/config.go	100.00% <100.00%> (ø)
... and 3 more

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds support for HTTP web app resources alongside the existing Kubernetes and SSH handlers. The HTTP proxy now dispatches requests to handlers by GAT resource.type, a new webapphandler package implements a reverse proxy that propagates identity to upstream via configurable header templates, and the second TLS upgrade is skipped for WEB_APP.

Changes:

• Introduce internal/webapphandler (reverse proxy + header template config) and a generic internal/utils/parser for {{twingate.var}} placeholders.
• Refactor httpproxy to a resource-type-keyed handler map and wire web app + Kubernetes through it; proxy.NewProxy builds the map.
• Extend token.GATClaims with WEB_APP resource type and Device.Location.GeoIP; extend ProxyConn with raw bearer Token, GetToken(), and ShouldUpgradeTLS() (skips inner TLS for web app); add WebAppConfig to gateway YAML config.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
internal/webapphandler/web_app.go	New reverse proxy that targets http://<address> and applies configured header templates.
internal/webapphandler/web_app_test.go	Tests rewrite header substitution and geo handling.
internal/webapphandler/web_app_config.go	Parses raw header templates and restricts them to an allowlist of variables.
internal/webapphandler/web_app_config_test.go	Tests config parsing, unsupported variable, and invalid syntax cases.
internal/utils/parser/parser.go	New {{twingate.var}} single-variable template parser/evaluator.
internal/utils/parser/parser_test.go	Covers parser and evaluator behavior including error paths.
internal/token/gat_claims.go	Adds GeoIP/DeviceLocation types and ResourceTypeWebApp.
internal/token/gat_claims_test.go	Extends fixture with device location data.
internal/proxy/proxy.go	Builds handler map; unconditionally registers round-tripper metrics; wires WebApp handler.
internal/proxy/proxy_test.go	Updates test for new Handlers map field.
internal/metrics/round_tripper.go	Adds resourceType label and a resourceType arg to InstrumentRoundTripper.
internal/metrics/round_tripper_test.go	Updates expected labels and exercises multiple resource types.
internal/metrics/http_middleware.go	Adds labelResourceType constant.
internal/kuberneteshandler/kubernetes.go	Passes "kubernetes" to instrumented round tripper.
internal/httpproxy/proxy.go	Switches Config.Handler → Handlers map; introduces newResourceRouter.
internal/httpproxy/proxy_test.go	Tests resource dispatch and unknown-resource 404.
internal/connect/listener.go	Uses ShouldUpgradeTLS() instead of inline tp != TransportSSH check.
internal/connect/listener_test.go	Extends mock with GetToken and ShouldUpgradeTLS.
internal/connect/connect.go	Returns bearer Token in Info.
internal/connect/connect_test.go	Asserts connectInfo.Token is populated/empty appropriately.
internal/connect/conn.go	Stores token on ProxyConn, exposes GetToken/ShouldUpgradeTLS, logs resource type.
internal/connect/conn_test.go	Adds ShouldUpgradeTLS matrix test.
internal/config/config.go	Adds WebAppConfig and includes WebApp in the "at least one protocol" validation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[clement0010]

When we have 3+ HTTP resource types, I think we should refactor the config to register the handler + metrics more nicely and avoid this check... It's out of the scope of this PR for now

[minhtule]

Would it be simpler if each resource type has its own HTTP server + proxy handler instead of all them sharing the same HTTP server? In that case, I think the HTTP proxy could still stay generic and doesn't have to know about the resource type.

[clement0010]

I updated the code to support each resource type to own its HTTP server. e7ceee9. This should simplify the setup quite a bit

[clement0010]

I didn't use Go's text/template package because it doesn't support the {{namespace.key}} syntax — it requires a leading dot (e.g., {{ .twingate.key}}).

[minhtule]

I think this parser should be in webapphandler than here. Also it doesn't need to be under /utils/parser path. I would put it in internal/webapphandler/template.go

[clement0010]

My thinking is that this parser could also be shared with other protocols (e.g. MCP) that support header rewrite or other applications that need to parse a template.

We can move this under webapphandler for now, but I think we might still need to make this a shared utility package eventually 🤔

[clement0010]

We can extend this to support more namespaces like internal and external in the future, but I don't think we need to do it for now 🤔

[clement0010]

FYI, This won't allow header templates with multiple variables like X-Header: {{twingate.username}} {{twingate.groups}}. Not sure there's a real use case for it 🤔

We could support it with some additional changes, but I'd rather not add complexity to the parser unless we need to. We can follow-up PR if a use case comes up.

[clement0010]

We also need to update the grafana-dashboard.json file to support this new label, i'll follow up with a separate PR instead

[minhtule]

This is okayish for now but I think eventually this logic should be on the GAT's resource. It knows whether the inner connection should be not encrypted or TLS/SSH.

[clement0010]

After updating the code to HTTP proxy per resource type, I think it's simpler to have this check on the GAT claims. Also, we could remove the TransportProtocol type to simplify the check.

[minhtule]

I think when header rewriting fails, it's safer to fail the request.

[minhtule]

Would it be simpler if each resource type has its own HTTP server + proxy handler instead of all them sharing the same HTTP server? In that case, I think the HTTP proxy could still stay generic and doesn't have to know about the resource type.