Skip to content

Validate config before writing .env in CLI server install#1663

Merged
aliasaria merged 2 commits intomainfrom
fix/cli-config-validation
Mar 27, 2026
Merged

Validate config before writing .env in CLI server install#1663
aliasaria merged 2 commits intomainfrom
fix/cli-config-validation

Conversation

@aliasaria
Copy link
Copy Markdown
Member

@aliasaria aliasaria commented Mar 27, 2026

Summary

  • Adds _validate_config() that checks the collected env vars for common misconfigurations before writing to disk
  • Catches: Azure storage without credentials, SMTP with placeholder server or missing from-address, OIDC without discovery URL, OAuth providers without client ID/secret
  • Displays warnings and prompts the user to confirm or abort — defaults to aborting so misconfigured values don't silently persist

Test plan

  • All 69 CLI tests pass (cd cli && python -m pytest tests/ -v)
  • Ruff check and format clean
  • Manual: run tfl server install, select Azure storage, press Enter through empty defaults → expect warning
  • Manual: configure SMTP, leave server as smtp.example.com → expect warning
  • Manual: enable OIDC, leave discovery URL empty → expect warning
  • Manual: enable Google/GitHub OAuth, leave client ID empty → expect warning
  • Manual: provide all valid values → expect no warnings, config written normally

@aliasaria
Add config validation before writing .env file
857e6c3 
Adds _validate_config() that checks for common misconfigurations
before writing: Azure storage without credentials, SMTP with
placeholder server, OIDC without discovery URL, and OAuth providers
without client ID/secret. Shows warnings and prompts the user to
confirm or abort.
@paragon-review
Copy link
Copy Markdown

paragon-review bot commented Mar 27, 2026

Paragon Summary

This pull request review identified 1 issue across 1 category in 1 file. The review analyzed code changes, potential bugs, security vulnerabilities, performance issues, and code quality concerns using automated analysis tools.

This PR adds pre-write validation to the CLI server install flow so common configuration mistakes are caught before .env is saved. It warns on likely misconfigurations like missing cloud/email/OIDC/OAuth settings and defaults to aborting unless the user confirms, reducing the chance of persisting broken config.

Key changes:

  • Added config validation before writing the CLI server .env
  • Detects common misconfigs: Azure storage creds, SMTP setup, OIDC discovery URL, OAuth client ID/secret
  • Shows warnings and asks for confirmation; defaults to aborting on invalid config
  • Keeps valid configs writing normally after passing validation

Confidence score: 3/5

  • This PR has moderate risk due to 1 high-priority issue that should be addressed
  • Score reflects significant bugs, performance issues, or architectural concerns
  • Review high-priority findings carefully before merging

1 file reviewed, 1 comment

Severity breakdown: High: 1

Tip: @paragon-run <instructions> to chat with our agent or push fixes!

Dashboard

paragon-review[bot]
paragon-review bot reviewed Mar 27, 2026
View reviewed changes
cli/src/transformerlab_cli/commands/server.py
if not from_addr:
warnings.append("SMTP is enabled but no 'From' address is configured.")

# OIDC: discovery URL is required when enabled
Copy link
Copy Markdown

@paragon-review paragon-review bot Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: OIDC checks only a client ID

OIDC checks only a client ID. Broken SSO configs can still be saved. Require the rest of the OIDC fields before continuing.

View Details

Location: cli/src/transformerlab_cli/commands/server.py (lines 317)

Analysis

OIDC checks only a client ID. Broken SSO configs can still be saved
What fails The validation gate misses incomplete OIDC setups unless a client ID is present, so invalid SSO configuration can be persisted.
Result The config is accepted and written even though OIDC is incomplete.
Expected OIDC should be rejected unless all required fields for an enabled provider are present.
Impact Users can save a configuration that looks accepted but fails at login time, breaking SSO setup in production.
How to reproduce 
Run the CLI server install flow, enable OIDC, fill only OIDC_0_CLIENT_ID, and continue past the warning prompt.
Patch Details 
-    if env_vars.get("OIDC_0_CLIENT_ID"):
-        discovery = env_vars.get("OIDC_0_DISCOVERY_URL", "").strip()
-        if not discovery:
-            warnings.append("OIDC is enabled but the discovery URL is empty.")
+    if env_vars.get("OIDC_0_CLIENT_ID") or env_vars.get("OIDC_0_DISCOVERY_URL"):
+        discovery = env_vars.get("OIDC_0_DISCOVERY_URL", "").strip()
+        if not discovery:
+            warnings.append("OIDC is enabled but the discovery URL is empty.")
AI Fix Prompt 
Fix this issue: OIDC checks only a client ID. Broken SSO configs can still be saved. Require the rest of the OIDC fields before continuing.

Location: cli/src/transformerlab_cli/commands/server.py (lines 317)
Problem: The validation gate misses incomplete OIDC setups unless a client ID is present, so invalid SSO configuration can be persisted.
Current behavior: The config is accepted and written even though OIDC is incomplete.
Expected: OIDC should be rejected unless all required fields for an enabled provider are present.
Steps to reproduce: Run the CLI server install flow, enable OIDC, fill only OIDC_0_CLIENT_ID, and continue past the warning prompt.

Provide a code fix.

Tip: Reply with @paragon-run to automatically fix this issue

@aliasaria aliasaria merged commit 1101578 into main Mar 27, 2026
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paragon-review paragon-review[bot] paragon-review[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aliasaria