feat: add WORKER_PUBLIC_ORIGIN for WSS terminal connections

- Introduced WORKER_PUBLIC_ORIGIN constant for browser WSS terminal URL.
- Updated resolveTerminalConnection to utilize WORKER_PUBLIC_ORIGIN for production environments.
- Enhanced type definitions to include WORKER_PUBLIC_ORIGIN in global app context.
- Adjusted local development handling for terminal connections.

Author: acoyfellow

alchemy.run.ts

@@ -13,6 +13,13 @@ import { deployEnv } from './alchemy.env';
 const projectName = 'cloudshell';
 const workerName = `${projectName}-worker`;
 
+/** Browser WSS terminal URL (must match worker HTTPS custom domain). */
+const WORKER_PUBLIC_ORIGIN = 'https://cloudshell-api.coey.dev';
+
+const isLocalDevHostname =
+  deployEnv.portForwardBaseDomain === 'localhost' ||
+  deployEnv.portForwardBaseDomain === '127.0.0.1';
+
 const project = await alchemy(projectName, {
   password: deployEnv.password,
 });
@@ -62,6 +69,11 @@ export const WORKER = await Worker(workerName, {
     PORT_FORWARD_BASE_DOMAIN: deployEnv.portForwardBaseDomain,
   },
   url: false,
+  ...(isLocalDevHostname
+    ? {}
+    : {
+        domains: [new URL(WORKER_PUBLIC_ORIGIN).hostname],
+      }),
 });
 
 export const APP = await SvelteKit(`${projectName}-app`, {
@@ -79,6 +91,7 @@ export const APP = await SvelteKit(`${projectName}-app`, {
     BETTER_AUTH_TRUSTED_ORIGINS: ['http://localhost:5173', deployEnv.betterAuthUrl].join(','),
     TERMINAL_TICKET_SECRET: deployEnv.terminalSecret,
     WORKER_DEV_ORIGIN: WORKER.url || 'http://localhost:1337',
+    WORKER_PUBLIC_ORIGIN,
   },
 });
 

src/app.d.ts

@@ -18,6 +18,8 @@ declare global {
 				BETTER_AUTH_TRUSTED_ORIGINS?: string;
 				TERMINAL_TICKET_SECRET?: string;
 				WORKER_DEV_ORIGIN?: string;
+				/** Base URL for WSS terminal (worker custom domain), e.g. https://api.example.com */
+				WORKER_PUBLIC_ORIGIN?: string;
 			};
 		}
 	}

src/lib/server/worker.ts

@@ -100,14 +100,6 @@ export async function resolveTerminalConnection(
   sessionId: string,
   tabId: string
 ): Promise<{ url: string; mode: 'proxy' | 'direct' }> {
-  if (!dev) {
-    const url = new URL('/ws/terminal', event.url.origin);
-    url.protocol = url.protocol === 'https:' ? 'wss:' : 'ws:';
-    url.searchParams.set('sessionId', sessionId);
-    url.searchParams.set('tabId', tabId);
-    return { url: url.toString(), mode: 'proxy' };
-  }
-
   const identity = getAuthenticatedIdentity(event);
   const secret =
     event.platform?.env?.TERMINAL_TICKET_SECRET || event.platform?.env?.BETTER_AUTH_SECRET;
@@ -127,8 +119,20 @@ export async function resolveTerminalConnection(
     secret
   );
 
-  const url = new URL('/ws/terminal', getWorkerOrigin(event));
-  url.protocol = url.protocol === 'https:' ? 'wss:' : 'ws:';
+  if (dev) {
+    const url = new URL('/ws/terminal', getWorkerOrigin(event));
+    url.protocol = url.protocol === 'https:' ? 'wss:' : 'ws:';
+    url.searchParams.set('ticket', ticket);
+    return { url: url.toString(), mode: 'direct' };
+  }
+
+  const publicOrigin = event.platform?.env?.WORKER_PUBLIC_ORIGIN?.replace(/\/$/, '');
+  if (!publicOrigin) {
+    throw error(500, 'WORKER_PUBLIC_ORIGIN is not configured');
+  }
+
+  const url = new URL('/ws/terminal', publicOrigin);
+  url.protocol = 'wss:';
   url.searchParams.set('ticket', ticket);
 
   return { url: url.toString(), mode: 'direct' };