Fix tailscale allowTailscale bypass in token mode

2026-01-13 03:55:04 +00:00
parent d4c205f8e1
commit 7616b02bb1
2 changed files with 39 additions and 24 deletions
--- a/src/gateway/auth.test.ts
+++ b/src/gateway/auth.test.ts
@@ -92,4 +92,26 @@ describe("gateway auth", () => {
    expect(missingProxy.ok).toBe(false);
    expect(missingProxy.reason).toBe("tailscale_proxy_missing");
  });
+
+  it("allows tailscale identity to satisfy token mode auth", async () => {
+    const res = await authorizeGatewayConnect({
+      auth: { mode: "token", token: "secret", allowTailscale: true },
+      connectAuth: null,
+      req: {
+        socket: { remoteAddress: "127.0.0.1" },
+        headers: {
+          host: "gateway.local",
+          "x-forwarded-for": "100.64.0.1",
+          "x-forwarded-proto": "https",
+          "x-forwarded-host": "ai-hub.bone-egret.ts.net",
+          "tailscale-user-login": "peter",
+          "tailscale-user-name": "Peter",
+        },
+      } as never,
+    });
+
+    expect(res.ok).toBe(true);
+    expect(res.method).toBe("tailscale");
+    expect(res.user).toBe("peter");
+  });
 });
--- a/src/gateway/auth.ts
+++ b/src/gateway/auth.ts
@@ -146,21 +146,29 @@ export async function authorizeGatewayConnect(params: {
  const { auth, connectAuth, req } = params;
  const localDirect = isLocalDirectRequest(req);

-  if (auth.mode === "none") {
-    if (auth.allowTailscale && !localDirect) {
-      const tailscaleUser = getTailscaleUser(req);
-      if (!tailscaleUser) {
-        return { ok: false, reason: "tailscale_user_missing" };
-      }
-      if (!isTailscaleProxyRequest(req)) {
-        return { ok: false, reason: "tailscale_proxy_missing" };
-      }
+  if (auth.allowTailscale && !localDirect) {
+    const tailscaleUser = getTailscaleUser(req);
+    const tailscaleProxy = isTailscaleProxyRequest(req);
+
+    if (tailscaleUser && tailscaleProxy) {
      return {
        ok: true,
        method: "tailscale",
        user: tailscaleUser.login,
      };
    }
+
+    if (auth.mode === "none") {
+      if (!tailscaleUser) {
+        return { ok: false, reason: "tailscale_user_missing" };
+      }
+      if (!tailscaleProxy) {
+        return { ok: false, reason: "tailscale_proxy_missing" };
+      }
+    }
+  }
+
+  if (auth.mode === "none") {
    return { ok: true, method: "none" };
  }

@@ -191,20 +199,5 @@ export async function authorizeGatewayConnect(params: {
    return { ok: true, method: "password" };
  }

-  if (auth.allowTailscale) {
-    const tailscaleUser = getTailscaleUser(req);
-    if (!tailscaleUser) {
-      return { ok: false, reason: "tailscale_user_missing" };
-    }
-    if (!isTailscaleProxyRequest(req)) {
-      return { ok: false, reason: "tailscale_proxy_missing" };
-    }
-    return {
-      ok: true,
-      method: "tailscale",
-      user: tailscaleUser.login,
-    };
-  }
-
  return { ok: false, reason: "unauthorized" };
 }