let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix tailscale allowTailscale bypass in token mode

Browse Source
This commit is contained in:
Roshan Singh
2026-01-13 03:55:04 +00:00
committed by Peter Steinberger
parent d4c205f8e1
commit 7616b02bb1
2 changed files with 39 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/gateway/auth.test.ts
View File

@@ -92,4 +92,26 @@ describe("gateway auth", () => {
expect(missingProxy.ok).toBe(false); expect(missingProxy.ok).toBe(false);
expect(missingProxy.reason).toBe("tailscale_proxy_missing"); expect(missingProxy.reason).toBe("tailscale_proxy_missing");
}); });
it("allows tailscale identity to satisfy token mode auth", async () => {
const res = await authorizeGatewayConnect({
auth: { mode: "token", token: "secret", allowTailscale: true },
connectAuth: null,
req: {
socket: { remoteAddress: "127.0.0.1" },
headers: {
host: "gateway.local",
"x-forwarded-for": "100.64.0.1",
"x-forwarded-proto": "https",
"x-forwarded-host": "ai-hub.bone-egret.ts.net",
"tailscale-user-login": "peter",
"tailscale-user-name": "Peter",
},
} as never,
});
expect(res.ok).toBe(true);
expect(res.method).toBe("tailscale");
expect(res.user).toBe("peter");
});
}); });

41
src/gateway/auth.ts
View File

@@ -146,21 +146,29 @@ export async function authorizeGatewayConnect(params: {
const { auth, connectAuth, req } = params; const { auth, connectAuth, req } = params;
const localDirect = isLocalDirectRequest(req); const localDirect = isLocalDirectRequest(req);
if (auth.mode === "none") { if (auth.allowTailscale && !localDirect) {
if (auth.allowTailscale && !localDirect) { const tailscaleUser = getTailscaleUser(req);
const tailscaleUser = getTailscaleUser(req); const tailscaleProxy = isTailscaleProxyRequest(req);
if (!tailscaleUser) {
return { ok: false, reason: "tailscale_user_missing" }; if (tailscaleUser && tailscaleProxy) {
}
if (!isTailscaleProxyRequest(req)) {
return { ok: false, reason: "tailscale_proxy_missing" };
}
return { return {
ok: true, ok: true,
method: "tailscale", method: "tailscale",
user: tailscaleUser.login, user: tailscaleUser.login,
}; };
} }
if (auth.mode === "none") {
if (!tailscaleUser) {
return { ok: false, reason: "tailscale_user_missing" };
}
if (!tailscaleProxy) {
return { ok: false, reason: "tailscale_proxy_missing" };
}
}
}
if (auth.mode === "none") {
return { ok: true, method: "none" }; return { ok: true, method: "none" };
} }
@@ -191,20 +199,5 @@ export async function authorizeGatewayConnect(params: {
return { ok: true, method: "password" }; return { ok: true, method: "password" };
} }
if (auth.allowTailscale) {
const tailscaleUser = getTailscaleUser(req);
if (!tailscaleUser) {
return { ok: false, reason: "tailscale_user_missing" };
}
if (!isTailscaleProxyRequest(req)) {
return { ok: false, reason: "tailscale_proxy_missing" };
}
return {
ok: true,
method: "tailscale",
user: tailscaleUser.login,
};
}
return { ok: false, reason: "unauthorized" }; return { ok: false, reason: "unauthorized" };
} }