From 8dfb14f1e7f952bee92cad29703dba55fb156f0c Mon Sep 17 00:00:00 2001
From: Evan Reichard <evan@reichard.io>
Date: Fri, 15 May 2026 13:16:49 -0400
Subject: [PATCH] feat(tunnel): require explicit target schemes

---
 README.md                |  6 +++---
 cmd/tunnel.go            |  2 +-
 config/config.go         |  2 +-
 e2e_test.go              | 10 ++++-----
 tunnel/forwarder.go      | 29 ++++++++++++++++++--------
 tunnel/forwarder_test.go | 45 ++++++++++++++++++++++++++++++++++++++++
 web/web.go               |  3 +++
 7 files changed, 78 insertions(+), 19 deletions(-)
 create mode 100644 tunnel/forwarder_test.go

diff --git a/README.md b/README.md
index 02a788f..e43512b 100644
--- a/README.md
+++ b/README.md
@@ -85,10 +85,10 @@ conduit tunnel \
   --server https://conduit.example.com \
   --api_key your-secret-key \
   --name my-service \
-  --target localhost:5432
+  --target tcp://localhost:5432
 ```
 
-The local tunnel monitor is available at `http://localhost:8181` for HTTP tunnels.
+Targets must include an explicit `tcp://`, `http://`, or `https://` scheme. The local tunnel monitor is available at `http://localhost:8181` for HTTP tunnels.
 
 ## Configuration
 
@@ -111,7 +111,7 @@ All options can be set via CLI flags or environment variables (`CONDUIT_` prefix
 | `--server` | `CONDUIT_SERVER` | `http://localhost:8080` | Conduit server address |
 | `--api_key` | `CONDUIT_API_KEY` | — | API key (required) |
 | `--name` | `CONDUIT_NAME` | (auto-generated) | Tunnel subdomain name |
-| `--target` | `CONDUIT_TARGET` | — | Local target address (required) |
+| `--target` | `CONDUIT_TARGET` | — | Local target address with `tcp://`, `http://`, or `https://` scheme (required) |
 | `--log_level` | `CONDUIT_LOG_LEVEL` | `info` | Log level |
 | `--log_format` | `CONDUIT_LOG_FORMAT` | `text` | Log format (`text` or `json`) |
 
diff --git a/cmd/tunnel.go b/cmd/tunnel.go
index 8806fc1..b2ac46d 100644
--- a/cmd/tunnel.go
+++ b/cmd/tunnel.go
@@ -16,7 +16,7 @@ import (
 )
 
 var tunnelCmd = &cobra.Command{
-	Use:   "tunnel <name> <host:port>",
+	Use:   "tunnel --target <scheme://host:port>",
 	Short: "Create a conduit tunnel",
 	Run: func(cmd *cobra.Command, args []string) {
 		// Get Client Config
diff --git a/config/config.go b/config/config.go
index 572c1a3..343831c 100644
--- a/config/config.go
+++ b/config/config.go
@@ -53,7 +53,7 @@ type ServerConfig struct {
 type ClientConfig struct {
 	BaseConfig
 	TunnelName   string `json:"name" description:"Tunnel name"`
-	TunnelTarget string `json:"target" description:"Tunnel target address"`
+	TunnelTarget string `json:"target" description:"Tunnel target address (tcp://, http://, or https://)"`
 }
 
 func (c *ClientConfig) Validate() error {
diff --git a/e2e_test.go b/e2e_test.go
index 9f705cc..90233f3 100644
--- a/e2e_test.go
+++ b/e2e_test.go
@@ -216,7 +216,7 @@ func sendHTTPViaTunnel(t *testing.T, serverAddr, tunnelName, method, path, body
 	req.Host = fmt.Sprintf("%s.%s", tunnelName, serverAddr)
 
 	client := &http.Client{
-		Timeout: 10 * time.Second,
+		Timeout:   10 * time.Second,
 		Transport: &http.Transport{DisableKeepAlives: true},
 	}
 	resp, err := client.Do(req)
@@ -666,8 +666,8 @@ func TestTCPTunnelEcho(t *testing.T) {
 	serverAddr, stopServer := startConduitServer(t, apiKey)
 	defer stopServer()
 
-	// Connect TCP Tunnel (bare host:port — the realistic way users would specify it)
-	stopTunnel := connectTunnel(t, serverAddr, tcpAddr, "tcp-test", apiKey)
+	// Connect TCP Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("tcp://%s", tcpAddr), "tcp-test", apiKey)
 	defer stopTunnel()
 
 	// Send Raw HTTP Request Through Tunnel to TCP Echo
@@ -709,8 +709,8 @@ func TestTCPTunnelLargePayload(t *testing.T) {
 	serverAddr, stopServer := startConduitServer(t, apiKey)
 	defer stopServer()
 
-	// Connect TCP Tunnel (bare host:port)
-	stopTunnel := connectTunnel(t, serverAddr, tcpAddr, "tcp-large", apiKey)
+	// Connect TCP Tunnel
+	stopTunnel := connectTunnel(t, serverAddr, fmt.Sprintf("tcp://%s", tcpAddr), "tcp-large", apiKey)
 	defer stopTunnel()
 
 	// Connect and Send Large Payload
diff --git a/tunnel/forwarder.go b/tunnel/forwarder.go
index ce8bbf6..332bb14 100644
--- a/tunnel/forwarder.go
+++ b/tunnel/forwarder.go
@@ -2,7 +2,9 @@ package tunnel
 
 import (
 	"context"
+	"fmt"
 	"net/url"
+	"strings"
 
 	"reichard.io/conduit/store"
 )
@@ -21,15 +23,24 @@ type Forwarder interface {
 }
 
 func NewForwarder(target string, tunnelStore store.TunnelStore) (Forwarder, error) {
-	// Only parse as URL for HTTP targets. Bare host:port (e.g., "127.0.0.1:5432")
-	// is not a valid URL and should be treated as a raw TCP target.
-	targetURL, err := url.Parse(target)
-	if err == nil {
-		switch targetURL.Scheme {
-		case "http", "https":
-			return newHTTPForwarder(targetURL, tunnelStore)
-		}
+	if !strings.Contains(target, "://") {
+		return nil, fmt.Errorf("target must include a scheme: tcp://, http://, or https://")
 	}
 
-	return newTCPForwarder(target, tunnelStore), nil
+	targetURL, err := url.Parse(target)
+	if err != nil {
+		return nil, fmt.Errorf("target is invalid: %w", err)
+	}
+	if targetURL.Host == "" {
+		return nil, fmt.Errorf("target must include a host")
+	}
+
+	switch targetURL.Scheme {
+	case "http", "https":
+		return newHTTPForwarder(targetURL, tunnelStore)
+	case "tcp":
+		return newTCPForwarder(targetURL.Host, tunnelStore), nil
+	default:
+		return nil, fmt.Errorf("unsupported target scheme %q: use tcp://, http://, or https://", targetURL.Scheme)
+	}
 }
diff --git a/tunnel/forwarder_test.go b/tunnel/forwarder_test.go
new file mode 100644
index 0000000..2e93693
--- /dev/null
+++ b/tunnel/forwarder_test.go
@@ -0,0 +1,45 @@
+package tunnel
+
+import (
+	"testing"
+
+	"reichard.io/conduit/store"
+)
+
+func TestNewForwarderRequiresExplicitScheme(t *testing.T) {
+	_, err := NewForwarder("localhost:8282", store.NewTunnelStore(1))
+	if err == nil {
+		t.Fatal("expected error for target without scheme")
+	}
+}
+
+func TestNewForwarderSupportsExplicitSchemes(t *testing.T) {
+	tests := []struct {
+		name          string
+		target        string
+		forwarderType ForwarderType
+	}{
+		{name: "http", target: "http://localhost:8282", forwarderType: ForwarderHTTP},
+		{name: "https", target: "https://localhost:8282", forwarderType: ForwarderHTTP},
+		{name: "tcp", target: "tcp://localhost:8282", forwarderType: ForwarderTCP},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			forwarder, err := NewForwarder(tt.target, store.NewTunnelStore(1))
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if forwarder.Type() != tt.forwarderType {
+				t.Fatalf("expected forwarder type %v, got %v", tt.forwarderType, forwarder.Type())
+			}
+		})
+	}
+}
+
+func TestNewForwarderRejectsUnsupportedScheme(t *testing.T) {
+	_, err := NewForwarder("udp://localhost:8282", store.NewTunnelStore(1))
+	if err == nil {
+		t.Fatal("expected error for unsupported scheme")
+	}
+}
diff --git a/web/web.go b/web/web.go
index b8dc096..5c4268d 100644
--- a/web/web.go
+++ b/web/web.go
@@ -70,6 +70,9 @@ func (s *WebServer) handleStream(w http.ResponseWriter, r *http.Request) {
 	ch := s.store.Subscribe()
 	done := r.Context().Done()
 
+	_, _ = fmt.Fprint(w, ": connected\n\n")
+	flusher.Flush()
+
 	for {
 		select {
 		case record, ok := <-ch: