fix: allow rediss:// TLS endpoint with separately-configured password (#2099)

jalee-cpu · claude · Ullaakut · web-flow · commit b56bb3ba9f6f · 2026-04-05T08:53:41.000+02:00
Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: Brendan Le Glaunec &lt;brendan@glaulabs.com&gt;
diff --git a/pkg/stash/with_redis.go b/pkg/stash/with_redis.go
@@ -39,14 +39,18 @@ func getRedisClientOptions(endpoint, password string) (*redis.Options, error) {
 		}, nil
 	}
 
-	// Ensure the password is either empty or that it matches the password
-	// parsed from the url into redis.Options. This ensures that if the
-	// config supplies the password but a redis url doesn't the behavior
-	// is clear vs. failing later on at the time of the first connection
-	// with an 'invalid password' like error.
-	if password != "" && options.Password != password {
+	// Ensure the passwords are consistent:
+	// - If the URL contains a password and a separate password is also provided,
+	//   they must match to avoid silent misconfigurations.
+	// - If the URL contains no password (e.g. rediss://host:6379) but a separate
+	//   password is provided, apply it to the options so it is used for AUTH.
+	//   This supports TLS endpoints (rediss://) with separately-configured passwords.
+	if options.Password != "" && password != "" && options.Password != password {
 		return nil, errPasswordsDoNotMatch
 	}
+	if options.Password == "" && password != "" {
+		options.Password = password
+	}
 
 	return options, nil
 }
diff --git a/pkg/stash/with_redis_test.go b/pkg/stash/with_redis_test.go
@@ -147,13 +147,18 @@ func Test_getRedisClientOptions(t *testing.T) {
 		},
 		{
 			endpoint: "rediss://username:password@127.0.0.1:6379",
-			password: "1234", // Ignored because password was parsed
+			password: "1234", // Mismatched: URL has "password", config has "1234"
 			err:      errors.E("stash.WithRedisLock", errPasswordsDoNotMatch),
 		},
 		{
-			endpoint: "rediss://username:password@127.0.0.1:6379",
-			password: "1234", // Ignored because password was parsed
-			err:      errors.E("stash.WithRedisLock", errPasswordsDoNotMatch),
+			// TLS endpoint with no embedded password + separate password:
+			// should succeed and apply the password to options.
+			endpoint: "rediss://127.0.0.1:6379",
+			password: "1234",
+			options: &redis.Options{
+				Addr:     "127.0.0.1:6379",
+				Password: "1234",
+			},
 		},
 	}
 
