
[web] Self-hosted deployment: UI doesn't reflect server-side config + auth token exposure risk #594

@gomesdigital

Description

Context

I want to deploy @workflow/web to Vercel as a standalone observability dashboard that connects to workflows running in other projects. Environment variables are set in the Vercel project settings, and the UI should reflect this configuration without requiring URL params.

Problem

1. UI doesn't reflect server-side configuration

The client is unaware of server-side env vars, causing it to default to "Connected to: Local" even when WORKFLOW_TARGET_WORLD=vercel is set:

[screenshot: "Connected to: Local" indicator]

2. Documentation leads to a security pitfall

The README explains to set WORKFLOW_TARGET_WORLD=vercel for deployments on Vercel:

If you're deploying this to Vercel, setting `WORKFLOW_TARGET_WORLD` to `vercel` is enough
to infer your other project details. Note that observability will be scoped to the project

However, this is not sufficient, which leads users to open the settings form and fill in the configuration (including the auth token). Those values are then exposed in URL query params, visible in browser history, server logs, and Referer headers.

Current Behavior

version: 4.0.1-beta.15

  • ✅ Server actions correctly read env vars (API calls work)
  • ❌ UI shows "Connected to: Local" regardless of env vars
  • ❌ Settings form exposes auth token in URL when submitted

Workaround:

  • Access via /?backend=vercel, but this is undocumented.
  • Set Backend to vercel via the UI WITHOUT filling in any other fields, but this is also undocumented.

Proposed Solution

  1. Update docs to clarify setup and warn users not to submit sensitive credentials when self-hosting.
  2. Pass server config to client with merge priority:
    • URL query params (highest—for CLI compatibility)
    • Env vars (for self-hosted deployments)
    • Default values (fallback)
      ---> This way the backend is configured on initial load.
  3. Conditionally disable auth token input for remote backends
    • When backend=vercel: disable the token field and display a note indicating auth must be configured via WORKFLOW_API_TOKEN env var
    • When backend=local: keep the field enabled (local development doesn't carry the same URL exposure risk)
    • Alternatively, if the field must remain for edge cases, display a prominent warning.

I would be happy to help with 2. and 3. if this approach aligns with the project's direction.
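The merge-priority and token-field logic proposed in points 2 and 3 above, as an added example that is not part of the original issue and not the @workflow/web code base. It assumes a Next.js-style split where a server component resolves config and hands a client component only what the browser needs; the function names (resolveBackendConfig, toClientConfig, tokenFieldState, buildSettingsUrl), the default values, the `token` query parameter name and the set of "remote" backends are hypothetical. The env var names WORKFLOW_TARGET_WORLD and WORKFLOW_API_TOKEN and the `backend` query param are taken from the issue text. One design choice goes slightly beyond the issue: the server never ships the token value to the client, only a boolean saying whether one is configured, so passing "server config to the client" cannot itself leak the secret.

```javascript
// Added example (hypothetical helpers, not the project's API).
// Priority: URL query params > env vars > defaults, per the issue's proposal.

const DEFAULT_CONFIG = Object.freeze({ backend: "local", token: "" }); // assumed defaults
const ENV_KEYS = { backend: "WORKFLOW_TARGET_WORLD", token: "WORKFLOW_API_TOKEN" };
const URL_KEYS = { backend: "backend", token: "token" }; // "token" param name is assumed
const REMOTE_BACKENDS = new Set(["vercel"]); // backends whose token must come from env

// Server side: merge a query string (e.g. "?backend=vercel") with an env
// object (e.g. process.env) and defaults. Returns the resolved values and,
// per field, which layer supplied them, so the UI can say "Connected to: vercel (env)".
function resolveBackendConfig(search, env, defaults = DEFAULT_CONFIG) {
  const params = new URLSearchParams(search || "");
  const config = {};
  const sources = {};
  for (const field of Object.keys(defaults)) {
    const fromUrl = params.get(URL_KEYS[field]);
    const fromEnv = env[ENV_KEYS[field]];
    if (fromUrl !== null && fromUrl !== "") {
      config[field] = fromUrl;
      sources[field] = "url";
    } else if (fromEnv !== undefined && fromEnv !== "") {
      config[field] = fromEnv;
      sources[field] = "env";
    } else {
      config[field] = defaults[field];
      sources[field] = "default";
    }
  }
  return { config, sources };
}

function isRemoteBackend(backend) {
  return REMOTE_BACKENDS.has(backend);
}

// Server -> client boundary: strip the secret. The browser only learns
// which backend is active, where that came from, and whether a token exists.
function toClientConfig(resolved) {
  return {
    backend: resolved.config.backend,
    backendSource: resolved.sources.backend,
    tokenConfigured: resolved.config.token !== "",
  };
}

// Client side: token input is disabled for remote backends (auth must be set
// via WORKFLOW_API_TOKEN); for local, the field stays enabled.
function tokenFieldState(clientConfig) {
  if (isRemoteBackend(clientConfig.backend)) {
    return {
      enabled: false,
      note: "Auth for this backend must be configured via the WORKFLOW_API_TOKEN environment variable.",
    };
  }
  return { enabled: true, note: "" };
}

// Client side: build the URL the settings form navigates to. A token is
// never placed in the query string for a remote backend, even if a stale
// form state still holds one; empty values are dropped.
function buildSettingsUrl(basePath, form) {
  const params = new URLSearchParams();
  if (form.backend) params.set(URL_KEYS.backend, form.backend);
  if (form.token && !isRemoteBackend(form.backend)) params.set(URL_KEYS.token, form.token);
  const qs = params.toString();
  return qs ? `${basePath}?${qs}` : basePath;
}

// Constructed sample (not a real deployment): env says vercel, no URL params.
const sampleEnv = { WORKFLOW_TARGET_WORLD: "vercel", WORKFLOW_API_TOKEN: "env-token" };
const sampleResolved = resolveBackendConfig("", sampleEnv);
const sampleClient = toClientConfig(sampleResolved);

module.exports = { resolveBackendConfig, toClientConfig, tokenFieldState, buildSettingsUrl, sampleClient };
```

With `sampleEnv` alone the indicator would read "vercel (env)" on first load instead of "Local"; `?backend=local` on the URL still overrides it for the CLI case, and the client object never contains the token string, so there is nothing for the form to echo back into the address bar.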
