refactor(examples): streamline HTTPS dev cert workflow (#8759)

* feat(examples): add HTTPS dev cert workflow

* fix(certificates): rename devHttpsConfig to httpsConfig for consistency

Author: kpal81xd

examples/README.md

@@ -38,16 +38,20 @@ Or directly from the source:
 ENGINE_PATH=../src/index.js npm run dev
 ```
 
+The dev server binds to `0.0.0.0:5555` by default. Use `EXAMPLES_HOST` or
+`EXAMPLES_PORT` to override those values.
+
 ## HTTPS dev for mobile / XR device testing
 
-`npm run develop` serves the examples browser over plain HTTP on `localhost`,
+`npm run dev` serves the examples browser over plain HTTP on `localhost`,
 which is enough for everyday work — browsers treat `localhost` as a secure
 context, so WebGPU and WebXR features that require one still work.
 
 For testing on a phone, tablet, Quest, or Apple Vision Pro you need to reach
 the dev server over the LAN, and the device will require HTTPS for WebXR (and
-exposes WebGPU only in a secure context). This is what `npm run develop:https`
-is for. Certs are generated locally with [mkcert](https://github.com/FiloSottile/mkcert);
+exposes WebGPU only in a secure context). This is what `npm run dev:https` is
+for. Use `npm run develop:https` when automatic reloads should be disabled.
+Certs are generated locally with [mkcert](https://github.com/FiloSottile/mkcert);
 none are committed to the repo.
 
 ### One-time setup
@@ -68,13 +72,13 @@ none are committed to the repo.
    ```
    npm run cert
    ```
-   Output: `examples/.cert/dev-cert.pem` and `dev-key.pem`. The script prints
+   Output: `examples/.cert/cert.pem` and `key.pem`. The script prints
    the LAN URL to open.
 
 ### Day-to-day
 
 ```
-npm run develop:https
+npm run dev:https
 ```
 
 Opens on:
@@ -133,9 +137,6 @@ These are added on top of the defaults (`localhost`, `127.0.0.1`, `::1`,
 `<hostname>.local`). Already-trusted devices stay trusted — the leaf cert is
 re-signed by the same root CA, no re-install needed.
 
-`EXAMPLES_CERT_HOSTS=<comma-separated>` is also accepted as a fallback if
-you'd rather set an env var.
-
 ### What's expensive vs cheap to lose
 
 - **Root CA** (in `$(mkcert -CAROOT)`) — expensive. Re-creating it means

examples/build.mjs

@@ -2,28 +2,31 @@ import fs from 'node:fs';
 import { parseArgs } from 'node:util';
 
 import { buildProd } from './utils/build-prod.mjs';
+import { generateCertificates } from './utils/certificates.mjs';
 import { buildMetadata } from './utils/metadata.mjs';
 import { buildThumbnails } from './utils/thumbnails.mjs';
 
 const USAGE = `Usage: node build.mjs [options]
 
 Options:
+  --cert          Generate local HTTPS dev certificates
   --metadata      Generate cache/metadata.mjs
   --thumbnails    Generate thumbnails
   --clean         Remove dist and cache
   --debug         Enable thumbnail debug logging
   --help, -h      Show help`;
 
-const { values } = parseArgs({
+const { values, positionals } = parseArgs({
     args: process.argv.slice(2),
     options: {
+        cert: { type: 'boolean' },
         metadata: { type: 'boolean' },
         thumbnails: { type: 'boolean' },
         clean: { type: 'boolean' },
         debug: { type: 'boolean' },
         help: { type: 'boolean', short: 'h' }
     },
-    allowPositionals: false
+    allowPositionals: true
 });
 
 /**
@@ -45,6 +48,17 @@ const main = async () => {
         return;
     }
 
+    if (values.cert) {
+        process.exitCode = generateCertificates(positionals) ? 0 : 1;
+        return;
+    }
+
+    if (positionals.length) {
+        console.error(USAGE);
+        process.exitCode = 1;
+        return;
+    }
+
     if (values.metadata) {
         await buildMetadata();
         return;

examples/package.json

@@ -8,9 +8,10 @@
     "build": "cross-env NODE_ENV=production node build.mjs",
     "build:metadata": "node build.mjs --metadata",
     "build:thumbnails": "node build.mjs --thumbnails",
-    "cert": "node utils/generate-certs.mjs",
+    "cert": "node build.mjs --cert",
     "clean": "node build.mjs --clean",
     "dev": "npm run -s build:metadata && cross-env NODE_ENV=development vite",
+    "dev:https": "npm run -s build:metadata && cross-env NODE_ENV=development EXAMPLES_HTTPS=1 vite",
     "develop": "npm run -s build:metadata && cross-env NODE_ENV=development EXAMPLES_AUTO_RELOAD=false vite",
     "develop:https": "npm run -s build:metadata && cross-env NODE_ENV=development EXAMPLES_AUTO_RELOAD=false EXAMPLES_HTTPS=1 vite",
     "lint": "eslint .",

examples/utils/certificates.mjs

@@ -0,0 +1,83 @@
+import { spawnSync } from 'node:child_process';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+const CERT_DIR = path.resolve('.cert');
+const CERT_FILE = path.join(CERT_DIR, 'cert.pem');
+const KEY_FILE = path.join(CERT_DIR, 'key.pem');
+const MKCERT_HELP = `mkcert failed.
+
+Install mkcert, run:
+  mkcert -install
+
+Then re-run:
+  npm run cert`;
+
+export const ALLOWED_HOSTS = ['localhost', '.local'];
+
+/**
+ * @returns {{ cert: Buffer, key: Buffer } | undefined} vite https config.
+ */
+export const httpsConfig = () => {
+    if (process.env.EXAMPLES_HTTPS !== '1') {
+        return undefined;
+    }
+
+    if (!fs.existsSync(CERT_FILE) || !fs.existsSync(KEY_FILE)) {
+        throw new Error(
+            `HTTPS dev requested but certs not found in ${CERT_DIR}. ` +
+            'Run "npm run cert" to generate them.'
+        );
+    }
+
+    return {
+        cert: fs.readFileSync(CERT_FILE),
+        key: fs.readFileSync(KEY_FILE)
+    };
+};
+
+/**
+ * @param {string[]} hosts - extra host names or lan ips.
+ * @returns {boolean} true if certs were generated.
+ */
+export const generateCertificates = (hosts) => {
+    fs.mkdirSync(CERT_DIR, { recursive: true });
+
+    const local = process.platform === 'darwin' ?
+        spawnSync('scutil', ['--get', 'LocalHostName'], { encoding: 'utf8' }) : null;
+    const host = local?.status === 0 && local.stdout.trim() ?
+        local.stdout.trim() : os.hostname().replace(/\.local$/, '');
+    const sans = [...new Set([
+        'localhost',
+        '127.0.0.1',
+        '::1',
+        `${host}.local`,
+        ...hosts.map(value => value.trim()).filter(Boolean)
+    ])];
+
+    console.log(`Generating dev cert for: ${sans.join(', ')}`);
+
+    const result = spawnSync('mkcert', ['-cert-file', CERT_FILE, '-key-file', KEY_FILE, ...sans], {
+        stdio: 'inherit'
+    });
+    if (result.status !== 0) {
+        console.error(MKCERT_HELP);
+        return false;
+    }
+
+    console.log(`Wrote ${path.relative(process.cwd(), CERT_FILE)}
+Wrote ${path.relative(process.cwd(), KEY_FILE)}
+
+Start the HTTPS dev server with:
+  npm run dev:https
+
+Or without automatic reloads:
+  npm run develop:https
+
+Then open on this machine:
+  https://${host}.local:${process.env.EXAMPLES_PORT ?? 5555}
+  https://localhost:${process.env.EXAMPLES_PORT ?? 5555}`);
+
+    return true;
+};

examples/utils/generate-certs.mjs

@@ -1,35 +1,15 @@
-import fs from 'node:fs';
 import path from 'node:path';
 
 import { defineConfig } from 'vite';
 
 import { revision, version } from '../utils/rollup-version-revision.mjs';
+import { ALLOWED_HOSTS, httpsConfig } from './utils/certificates.mjs';
 import { examplesDevServer } from './utils/vite-dev-server.mjs';
 
 const HOST = process.env.EXAMPLES_HOST ?? '0.0.0.0';
 const PORT = Number(process.env.EXAMPLES_PORT ?? 5555);
 const AUTO_RELOAD = process.env.EXAMPLES_AUTO_RELOAD !== 'false';
 
-const CERT_DIR = path.resolve('.cert');
-const CERT_FILE = path.join(CERT_DIR, 'dev-cert.pem');
-const KEY_FILE = path.join(CERT_DIR, 'dev-key.pem');
-
-const httpsConfig = () => {
-    if (process.env.EXAMPLES_HTTPS !== '1') return undefined;
-    if (!fs.existsSync(CERT_FILE) || !fs.existsSync(KEY_FILE)) {
-        throw new Error(
-            `HTTPS dev requested but certs not found in ${CERT_DIR}. ` +
-            'Run "npm run cert" to generate them.'
-        );
-    }
-    return {
-        cert: fs.readFileSync(CERT_FILE),
-        key: fs.readFileSync(KEY_FILE)
-    };
-};
-
-const ALLOWED_HOSTS = ['localhost', '.local'];
-
 const examplesPreviewServer = () => ({
     name: 'playcanvas-examples-preview-server',