feat(ui-server): add forward of static headers from env

i.r.shamsutdinov · i.r.shamsutdinov · commit 73bcb3082620 · 2026-01-14T14:26:42.000+03:00
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ Once you have the prerequisites going, run the following:
 pnpm install
 ```
 
-Running `pnpm install` will attempt to download and install the most recent version of [Temporal CLI][] into `./bin/cli/temporal`. The development server will attempt to use use this version of this Temporal when starting up.
+Running `pnpm install` will attempt to download and install the most recent version of [Temporal CLI][] into `./bin/cli/temporal`. The development server will attempt to use this version of this Temporal when starting up.
 
 - If that port is already in use, the UI will fallback to trying to talk to whatever process is running on that port.
 - If you do not have a version of Temporal CLI at `./bin/cli/temporal`, the development server will look for a version of Temporal CLI in your path.
diff --git a/server/cmd/server/main.go b/server/cmd/server/main.go
@@ -93,11 +93,17 @@ func buildCLI() *cli.App {
 					return cli.Exit(err, 1)
 				}
 
+				middlewares := []api.Middleware{
+					headers.WithForwardHeaders(cfg.ForwardHeaders),
+				}
+
+				if len(cfg.StaticHeaders) > 0 {
+					middlewares = append(middlewares, headers.WithStaticHeaders(cfg.StaticHeaders))
+				}
+
 				opts := []server_options.ServerOption{
 					server_options.WithConfigProvider(cfgProvider),
-					server_options.WithAPIMiddleware([]api.Middleware{
-						headers.WithForwardHeaders(cfg.ForwardHeaders),
-					}),
+					server_options.WithAPIMiddleware(middlewares),
 				}
 
 				s := server.NewServer(opts...)
diff --git a/server/config/development.yaml b/server/config/development.yaml
@@ -61,3 +61,5 @@ codec:
   defaultErrorLink:
 forwardHeaders: # can be used to pass additional HTTP headers from HTTP requests to Temporal gRPC backend
   - X-Forwarded-For
+staticHeaders: # can be used to always pass static headers to Temporal gRPC frontend
+  # authorization: some-tkn
diff --git a/server/config/docker.yaml b/server/config/docker.yaml
@@ -79,4 +79,12 @@ forwardHeaders:
 {{- end }}
 {{- end }}
 
+staticHeaders:
+{{- if env "TEMPORAL_SERVER_STATIC_HEADERS" }}
+{{- range $pair := env "TEMPORAL_SERVER_STATIC_HEADERS" | split "," }}
+{{- $kv := $pair | split "=" }}
+  {{$kv._0}}: {{$kv._1}}
+{{- end }}
+{{- end }}
+
 hideLogs: {{ env "TEMPORAL_HIDE_LOGS" | default "false" }}
diff --git a/server/server/config/config.go b/server/server/config/config.go
@@ -70,7 +70,9 @@ type (
 		ActivityCommandsDisabled bool `yaml:"activityCommandsDisabled"`
 		// Forward specified HTTP headers from HTTP API requests to Temporal gRPC backend
 		ForwardHeaders []string `yaml:"forwardHeaders"`
-		HideLogs       bool     `yaml:"hideLogs"`
+		// Static headers to always forward to Temporal gRPC backend
+		StaticHeaders map[string]string `yaml:"staticHeaders"`
+		HideLogs      bool              `yaml:"hideLogs"`
 		// TLS configuration options to start UI Server in TLS mode
 		UIServerTLS UIServerTLS `yaml:"uiServerTLS"`
 	}
diff --git a/server/server/headers/headers.go b/server/server/headers/headers.go
@@ -40,6 +40,12 @@ func WithForwardHeaders(headers []string) api.Middleware {
 	}
 }
 
+func WithStaticHeaders(headers map[string]string) api.Middleware {
+	return func(c echo.Context) runtime.ServeMuxOption {
+		return runtime.WithMetadata(handleStaticHeaders(headers))
+	}
+}
+
 func handleForwardHeaders(c echo.Context, headers []string) func(context.Context, *http.Request) metadata.MD {
 	return func(ctx context.Context, req *http.Request) metadata.MD {
 		md := metadata.MD{}
@@ -61,6 +67,26 @@ func handleForwardHeaders(c echo.Context, headers []string) func(context.Context
 	}
 }
 
+func handleStaticHeaders(headers map[string]string) func(context.Context, *http.Request) metadata.MD {
+	return func(ctx context.Context, req *http.Request) metadata.MD {
+		md := metadata.MD{}
+		for header, value := range headers {
+			if value != "" {
+				if len(header) > 4 && header[len(header)-4:] == "-bin" {
+					decoded, err := base64DecodeWithOrWithoutPadding(value)
+					if err == nil {
+						md.Set(header, string(decoded))
+					}
+				} else {
+					md.Append(header, value)
+				}
+			}
+		}
+
+		return md
+	}
+}
+
 func base64DecodeWithOrWithoutPadding(s string) ([]byte, error) {
 	s = strings.TrimRight(s, "=")
 	return base64.RawStdEncoding.DecodeString(s)
diff --git a/server/server/headers/headers_test.go b/server/server/headers/headers_test.go
@@ -165,3 +165,83 @@ func TestHandleForwardHeaders(t *testing.T) {
 		})
 	}
 }
+
+func TestHandleStaticHeaders(t *testing.T) {
+	tests := []struct {
+		name             string
+		headers          map[string]string
+		expectedMetadata map[string][]string
+	}{
+		{
+			name: "static regular headers",
+			headers: map[string]string{
+				"authorization":   "Bearer static-token",
+				"x-custom-header": "static-value",
+			},
+			expectedMetadata: map[string][]string{
+				"authorization":   {"Bearer static-token"},
+				"x-custom-header": {"static-value"},
+			},
+		},
+		{
+			name: "static binary header in base64 encoding with padding",
+			headers: map[string]string{
+				"x-binary-header-bin": "YmluYXJ5IGRhdGE=",
+			},
+			expectedMetadata: map[string][]string{
+				"x-binary-header-bin": {"binary data"},
+			},
+		},
+		{
+			name: "static binary header in base64 encoding without padding",
+			headers: map[string]string{
+				"x-data-bin": "YmluYXJ5IGRhdGE",
+			},
+			expectedMetadata: map[string][]string{
+				"x-data-bin": {"binary data"},
+			},
+		},
+		{
+			name: "mixed regular and binary static headers",
+			headers: map[string]string{
+				"x-regular":    "regular-value",
+				"x-binary-bin": "YmluYXJ5LXZhbHVl",
+			},
+			expectedMetadata: map[string][]string{
+				"x-regular":    {"regular-value"},
+				"x-binary-bin": {"binary-value"},
+			},
+		},
+		{
+			name: "skip empty static headers",
+			headers: map[string]string{
+				"authorization":  "Bearer static-token",
+				"x-empty-header": "",
+			},
+			expectedMetadata: map[string][]string{
+				"authorization": {"Bearer static-token"},
+			},
+		},
+		{
+			name: "skip invalid base64 in static binary header",
+			headers: map[string]string{
+				"x-invalid-bin": "not-valid-base64!!!",
+			},
+			expectedMetadata: map[string][]string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			handle := handleStaticHeaders(tt.headers)
+			var actualMetadata metadata.MD = handle(nil, nil)
+
+			assert.Equal(t, len(tt.expectedMetadata), len(actualMetadata), "metadata length mismatch")
+
+			for expectedKey, expectedValues := range tt.expectedMetadata {
+				values := actualMetadata.Get(expectedKey)
+				assert.Equal(t, expectedValues, values, "metadata mismatch for key %s", expectedKey)
+			}
+		})
+	}
+}
