wip

2026-03-11 09:12:01 +00:00 · 2026-01-31 10:33:55 +02:00
parent 252ba10f48
commit 0cd3ba8236
10 changed files with 461 additions and 95 deletions
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -13,6 +13,8 @@ import (
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
+	tsLocal "tailscale.com/client/local"
+	"tailscale.com/client/tailscale/apitype"

 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -52,16 +54,18 @@ type AuthService struct {
 	loginMutex      sync.RWMutex
 	ldapGroupsMutex sync.RWMutex
 	ldap            *LdapService
+	tailscale       *TailscaleService
 	queries         *repository.Queries
 }

-func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, queries *repository.Queries) *AuthService {
+func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, tailscale *TailscaleService, queries *repository.Queries) *AuthService {
 	return &AuthService{
 		config:          config,
 		docker:          docker,
 		loginAttempts:   make(map[string]*LoginAttempt),
 		ldapGroupsCache: make(map[string]*LdapGroupsCache),
 		ldap:            ldap,
+		tailscale:       tailscale,
 		queries:         queries,
 	}
 }
@@ -553,3 +557,20 @@ func (auth *AuthService) IsBypassedIP(acls config.AppIP, ip string) bool {
 	tlog.App.Debug().Str("ip", ip).Msg("IP not in bypass list, continuing with authentication")
 	return false
 }
+
+func (auth *AuthService) IsTailscale(c *gin.Context) (*apitype.WhoIsResponse, error) {
+	if !auth.tailscale.IsConfigured() {
+		return nil, nil
+	}
+
+	who, err := auth.tailscale.Whois(c, c.Request.RemoteAddr)
+
+	if err != nil {
+		if errors.Is(err, tsLocal.ErrPeerNotFound) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return who, nil
+}
--- a/internal/service/tailscale_service.go
+++ b/internal/service/tailscale_service.go
@@ -0,0 +1,83 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"net"
+
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
+	"tailscale.com/client/local"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/tsnet"
+)
+
+var ErrNotConfigured = errors.New("tailscale service is not configured")
+
+type TailscaleServiceConfig struct {
+	AuthKey  string
+	Hostname string
+}
+
+type TailscaleService struct {
+	config TailscaleServiceConfig
+	server *tsnet.Server
+	client *local.Client
+}
+
+func NewTailscaleService(config TailscaleServiceConfig) *TailscaleService {
+	return &TailscaleService{
+		config: config,
+	}
+}
+
+func (service *TailscaleService) Init() error {
+	if !service.IsConfigured() {
+		return nil
+	}
+
+	server := new(tsnet.Server)
+
+	if service.config.AuthKey == "" {
+		tlog.App.Info().Msg("Auth key is empty but Tailscale is configured, a login link will appear below so as you can authenticate")
+	}
+
+	server.Hostname = service.config.Hostname
+	server.AuthKey = service.config.AuthKey
+
+	client, err := server.LocalClient()
+
+	if err != nil {
+		return err
+	}
+
+	service.client = client
+	service.server = server
+
+	return nil
+}
+
+func (service *TailscaleService) IsConfigured() bool {
+	return service.config.Hostname != ""
+}
+
+func (service *TailscaleService) Whois(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	if !service.IsConfigured() {
+		return nil, ErrNotConfigured
+	}
+
+	return service.client.WhoIs(ctx, remoteAddr)
+}
+
+func (service *TailscaleService) CreateListener() (net.Listener, error) {
+	if !service.IsConfigured() {
+		return nil, ErrNotConfigured
+	}
+
+	ln, err := service.server.ListenTLS("tcp", ":443")
+
+	if err != nil {
+		return nil, err
+	}
+
+	return ln, nil
+}