feat: tailscale integration (#847)

internal/bootstrap/app_bootstrap.go

@@ -7,7 +7,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"net/url"
 	"os"
@@ -35,20 +34,22 @@ type Services struct {
 	ldapService          *service.LdapService
 	oauthBrokerService   *service.OAuthBrokerService
 	oidcService          *service.OIDCService
+	tailscaleService     *service.TailscaleService
 	policyEngine         *service.PolicyEngine
 }
 
 type BootstrapApp struct {
-	config   model.Config
-	runtime  model.RuntimeConfig
-	services Services
-	log      *logger.Logger
-	ctx      context.Context
-	cancel   context.CancelFunc
-	queries  repository.Store
-	router   *gin.Engine
-	db       *sql.DB
-	wg       sync.WaitGroup
+	config    model.Config
+	runtime   model.RuntimeConfig
+	services  Services
+	log       *logger.Logger
+	ctx       context.Context
+	cancel    context.CancelFunc
+	queries   repository.Store
+	router    *gin.Engine
+	db        *sql.DB
+	wg        sync.WaitGroup
+	listeners []Listener
 }
 
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -68,6 +69,8 @@ func (app *BootstrapApp) Setup() error {
 	log.Init()
 	app.log = log
 
+	app.log.App.Info().Msgf("Starting Tinyauth version: %s", model.Version)
+
 	// get app url
 	if app.config.AppURL == "" {
 		return errors.New("app url cannot be empty, perhaps config loading failed")
@@ -80,6 +83,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	app.runtime.AppURL = appUrl.Scheme + "://" + appUrl.Host
+	app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, app.runtime.AppURL)
 
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
@@ -231,6 +235,11 @@ func (app *BootstrapApp) Setup() error {
 
 	app.runtime.ConfiguredProviders = configuredProviders
 
+	// throw in tailscale if it's configured just before setting up the controllers
+	if app.services.tailscaleService != nil {
+		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
+	}
+
 	// setup router
 	err = app.setupRouter()
 
@@ -248,42 +257,18 @@ func (app *BootstrapApp) Setup() error {
 		app.wg.Go(app.heartbeatRoutine)
 	}
 
-	// create err channel to listen for server errors
-	errChanLen := 0
-
-	runUnix := app.config.Server.SocketPath != ""
-	runHTTP := app.config.Server.SocketPath == "" || app.config.Server.ConcurrentListenersEnabled
-
-	if runUnix {
-		errChanLen++
-	}
-
-	if runHTTP {
-		errChanLen++
-	}
-
-	errChan := make(chan error, errChanLen)
+	// setup listeners
+	app.listeners = app.calculateListenerPolicy()
 
 	if app.config.Server.ConcurrentListenersEnabled {
 		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
 	}
 
-	// serve unix
-	if runUnix {
-		app.wg.Go(func() {
-			if err := app.serveUnix(); err != nil {
-				errChan <- err
-			}
-		})
-	}
+	// run listeners
+	lec, err := app.runListeners()
 
-	// serve to http
-	if runHTTP {
-		app.wg.Go(func() {
-			if err := app.serveHTTP(); err != nil {
-				errChan <- err
-			}
-		})
+	if err != nil {
+		return fmt.Errorf("failed to run listeners: %w", err)
 	}
 
 	// monitor cancellation and server errors
@@ -292,89 +277,14 @@ func (app *BootstrapApp) Setup() error {
 		case <-app.ctx.Done():
 			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
 			return nil
-		case err := <-errChan:
+		case err := <-lec:
 			if err != nil {
-				return fmt.Errorf("server error: %w", err)
+				return fmt.Errorf("listener error: %w", err)
 			}
 		}
 	}
 }
 
-func (app *BootstrapApp) serveHTTP() error {
-	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
-
-	app.log.App.Info().Msgf("Starting server on %s", address)
-
-	server := &http.Server{
-		Addr:    address,
-		Handler: app.router.Handler(),
-	}
-
-	go func() {
-		<-app.ctx.Done()
-		app.log.App.Debug().Msg("Shutting down http listener")
-		server.Shutdown(app.ctx)
-	}()
-
-	err := server.ListenAndServe()
-
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		return fmt.Errorf("failed to start http listener: %w", err)
-	}
-
-	return nil
-}
-
-func (app *BootstrapApp) serveUnix() error {
-	if app.config.Server.SocketPath == "" {
-		return nil
-	}
-
-	_, err := os.Stat(app.config.Server.SocketPath)
-
-	if err == nil {
-		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
-		err := os.Remove(app.config.Server.SocketPath)
-
-		if err != nil {
-			return fmt.Errorf("failed to remove existing socket file: %w", err)
-		}
-	}
-
-	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
-
-	listener, err := net.Listen("unix", app.config.Server.SocketPath)
-
-	if err != nil {
-		return fmt.Errorf("failed to create unix socket listener: %w", err)
-	}
-
-	server := &http.Server{
-		Handler: app.router.Handler(),
-	}
-
-	shutdown := func() {
-		server.Shutdown(app.ctx)
-		listener.Close()
-		os.Remove(app.config.Server.SocketPath)
-	}
-
-	go func() {
-		<-app.ctx.Done()
-		app.log.App.Debug().Msg("Shutting down unix socket listener")
-		shutdown()
-	}()
-
-	err = server.Serve(listener)
-
-	if err != nil && !errors.Is(err, http.ErrServerClosed) {
-		shutdown()
-		return fmt.Errorf("failed to start unix socket listener: %w", err)
-	}
-
-	return nil
-}
-
 func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()

internal/bootstrap/router_bootstrap.go

@@ -1,14 +1,29 @@
 package bootstrap
 
 import (
+	"context"
+	"errors"
 	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"time"
 
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 
 	"github.com/gin-gonic/gin"
 )
 
+type Listener int
+
+const (
+	ListenerHTTP Listener = iota
+	ListenerUnix
+	ListenerTailscale
+)
+
 func (app *BootstrapApp) setupRouter() error {
 	// we don't want gin debug mode
 	gin.SetMode(gin.ReleaseMode)
@@ -24,7 +39,7 @@ func (app *BootstrapApp) setupRouter() error {
 		}
 	}
 
-	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService)
+	contextMiddleware := middleware.NewContextMiddleware(app.log, app.runtime, app.services.authService, app.services.oauthBrokerService, app.services.tailscaleService)
 	engine.Use(contextMiddleware.Middleware())
 
 	uiMiddleware, err := middleware.NewUIMiddleware()
@@ -53,3 +68,161 @@ func (app *BootstrapApp) setupRouter() error {
 	app.router = engine
 	return nil
 }
+
+func (app *BootstrapApp) runListeners() (chan error, error) {
+	// lec -> listener error channel
+	lec := make(chan error, len(app.listeners))
+
+	for _, listenerType := range app.listeners {
+		listenerFunc, err := app.listenerFromType(listenerType)
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to get listener function: %w", err)
+		}
+
+		app.wg.Go(func() {
+			lec <- listenerFunc()
+		})
+	}
+
+	return lec, nil
+}
+
+// The way we calculate listeners is as follows:
+// If concurrent listeners are disabled, we pick the first available listener, so:
+// 1. If tailscale is enabled, we use tailscale
+// 2. If socket path is configured, we use unix socket
+// 3. Finally if none is configured we use http
+// If concurrent listeners are enabled, we add all available listeners in the following order
+func (app *BootstrapApp) calculateListenerPolicy() []Listener {
+	l := []Listener{}
+
+	if !app.config.Server.ConcurrentListenersEnabled {
+		if app.config.Tailscale.Enabled {
+			l = append(l, ListenerTailscale)
+			return l
+		}
+
+		if app.config.Server.SocketPath != "" {
+			l = append(l, ListenerUnix)
+			return l
+		}
+
+		l = append(l, ListenerHTTP)
+		return l
+	}
+
+	if app.config.Server.SocketPath != "" {
+		l = append(l, ListenerUnix)
+	}
+
+	if app.config.Tailscale.Enabled {
+		l = append(l, ListenerTailscale)
+	}
+
+	l = append(l, ListenerHTTP)
+
+	return l
+}
+
+func (app *BootstrapApp) listenerFromType(listenerType Listener) (func() error, error) {
+	switch listenerType {
+	case ListenerHTTP:
+		return app.serveHTTP, nil
+	case ListenerUnix:
+		return app.serveUnix, nil
+	case ListenerTailscale:
+		return app.serveTailscale, nil
+	default:
+		return nil, fmt.Errorf("invalid listener type: %d", listenerType)
+	}
+}
+
+func (app *BootstrapApp) serveHTTP() error {
+	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
+
+	app.log.App.Info().Msgf("Starting server on %s", address)
+
+	listener, err := net.Listen("tcp", address)
+
+	if err != nil {
+		return fmt.Errorf("failed to create tcp listener: %w", err)
+	}
+
+	server := &http.Server{
+		Addr:    address,
+		Handler: app.router.Handler(),
+	}
+
+	return app.serve(listener, server, "http")
+}
+
+func (app *BootstrapApp) serveUnix() error {
+	_, err := os.Stat(app.config.Server.SocketPath)
+
+	if err == nil {
+		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
+		err := os.Remove(app.config.Server.SocketPath)
+
+		if err != nil {
+			return fmt.Errorf("failed to remove existing socket file: %w", err)
+		}
+	}
+
+	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
+
+	listener, err := net.Listen("unix", app.config.Server.SocketPath)
+
+	if err != nil {
+		return fmt.Errorf("failed to create unix socket listener: %w", err)
+	}
+
+	server := &http.Server{
+		Handler: app.router.Handler(),
+	}
+
+	return app.serve(listener, server, "unix socket")
+}
+
+func (app *BootstrapApp) serveTailscale() error {
+	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
+
+	listener, err := app.services.tailscaleService.CreateListener()
+
+	if err != nil {
+		return fmt.Errorf("failed to create tailscale listener: %w", err)
+	}
+
+	server := &http.Server{
+		Handler: app.router.Handler(),
+	}
+
+	return app.serve(listener, server, "tailscale")
+}
+
+func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, name string) error {
+	shutdown := func() {
+		ctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
+		defer cancel()
+		err := server.Shutdown(ctx)
+		if err != nil {
+			app.log.App.Error().Err(err).Msgf("Failed to shutdown %s listener gracefully", name)
+		}
+		listener.Close()
+	}
+
+	go func() {
+		<-app.ctx.Done()
+		app.log.App.Debug().Msgf("Shutting down %s listener", name)
+		shutdown()
+	}()
+
+	err := server.Serve(listener)
+
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		shutdown()
+		return fmt.Errorf("failed to start %s listener: %w", name, err)
+	}
+
+	return nil
+}

internal/bootstrap/service_bootstrap.go

@@ -2,6 +2,7 @@ package bootstrap
 
 import (
 	"fmt"
+
 	"os"
 
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -22,6 +23,14 @@ func (app *BootstrapApp) setupServices() error {
 		return fmt.Errorf("failed to initialize label provider: %w", err)
 	}
 
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)
+
+	if err != nil {
+		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
+	}
+
+	app.services.tailscaleService = tailscaleService
+
 	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
 	app.services.accessControlService = accessControlsService
 
@@ -34,7 +43,7 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
 	app.services.authService = authService
 
 	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)

internal/controller/context_controller.go

@@ -1,39 +1,74 @@
 package controller
 
 import (
-	"fmt"
-	"net/url"
-
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 
 	"github.com/gin-gonic/gin"
 )
 
+// UCR -> User Context Response
+
+type UCRAuth struct {
+	Authenticated bool   `json:"authenticated"`
+	Username      string `json:"username"`
+	Name          string `json:"name"`
+	Email         string `json:"email"`
+	ProviderID    string `json:"providerId"`
+}
+
+type UCROAuth struct {
+	Active      bool   `json:"active"`
+	DisplayName string `json:"displayName"`
+}
+
+type UCRTOTP struct {
+	Pending bool `json:"pending"`
+}
+
+type UCRTailscale struct {
+	NodeName string `json:"nodeName,omitempty"`
+}
+
 type UserContextResponse struct {
-	Status      int    `json:"status"`
-	Message     string `json:"message"`
-	IsLoggedIn  bool   `json:"isLoggedIn"`
-	Username    string `json:"username"`
-	Name        string `json:"name"`
-	Email       string `json:"email"`
-	Provider    string `json:"provider"`
-	OAuth       bool   `json:"oauth"`
-	TOTPPending bool   `json:"totpPending"`
-	OAuthName   string `json:"oauthName"`
+	Status    int          `json:"status"`
+	Message   string       `json:"message"`
+	Auth      UCRAuth      `json:"auth"`
+	OAuth     UCROAuth     `json:"oauth"`
+	TOTP      UCRTOTP      `json:"totp"`
+	Tailscale UCRTailscale `json:"tailscale"`
+}
+
+// ACR -> App Context Response
+
+type ACRAuth struct {
+	Providers []model.Provider `json:"providers"`
+}
+
+type ACROAuth struct {
+	AutoRedirect string `json:"autoRedirect"`
+}
+
+type ACRUI struct {
+	Title                 string `json:"title"`
+	ForgotPasswordMessage string `json:"forgotPasswordMessage"`
+	BackgroundImage       string `json:"backgroundImage"`
+	WarningsEnabled       bool   `json:"warningsEnabled"`
+}
+
+type ACRApp struct {
+	AppURL         string   `json:"appUrl"`
+	CookieDomain   string   `json:"cookieDomain"`
+	TrustedDomains []string `json:"trustedDomains"`
 }
 
 type AppContextResponse struct {
-	Status                int              `json:"status"`
-	Message               string           `json:"message"`
-	Providers             []model.Provider `json:"providers"`
-	Title                 string           `json:"title"`
-	AppURL                string           `json:"appUrl"`
-	CookieDomain          string           `json:"cookieDomain"`
-	ForgotPasswordMessage string           `json:"forgotPasswordMessage"`
-	BackgroundImage       string           `json:"backgroundImage"`
-	OAuthAutoRedirect     string           `json:"oauthAutoRedirect"`
-	WarningsEnabled       bool             `json:"warningsEnabled"`
+	Status  int      `json:"status"`
+	Message string   `json:"message"`
+	Auth    ACRAuth  `json:"auth"`
+	OAuth   ACROAuth `json:"oauth"`
+	UI      ACRUI    `json:"ui"`
+	App     ACRApp   `json:"app"`
 }
 
 type ContextController struct {
@@ -71,51 +106,58 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
 		c.JSON(200, UserContextResponse{
-			Status:     401,
-			Message:    "Unauthorized",
-			IsLoggedIn: false,
+			Status:  401,
+			Message: "Unauthorized",
+			Auth:    UCRAuth{Authenticated: false},
 		})
 		return
 	}
 
 	userContext := UserContextResponse{
-		Status:      200,
-		Message:     "Success",
-		IsLoggedIn:  context.Authenticated,
-		Username:    context.GetUsername(),
-		Name:        context.GetName(),
-		Email:       context.GetEmail(),
-		Provider:    context.GetProviderID(),
-		OAuth:       context.IsOAuth(),
-		TOTPPending: context.TOTPPending(),
-		OAuthName:   context.OAuthName(),
+		Status:  200,
+		Message: "Success",
+		Auth: UCRAuth{
+			Authenticated: context.Authenticated,
+			Username:      context.GetUsername(),
+			Name:          context.GetName(),
+			Email:         context.GetEmail(),
+			ProviderID:    context.GetProviderID(),
+		},
+		OAuth: UCROAuth{
+			Active:      context.IsOAuth(),
+			DisplayName: context.OAuthName(),
+		},
+		TOTP: UCRTOTP{
+			Pending: context.TOTPPending(),
+		},
+		Tailscale: UCRTailscale{
+			NodeName: context.TailscaleNodeName(),
+		},
 	}
 
 	c.JSON(200, userContext)
 }
 
 func (controller *ContextController) appContextHandler(c *gin.Context) {
-	appUrl, err := url.Parse(controller.runtime.AppURL)
-
-	if err != nil {
-		controller.log.App.Error().Err(err).Msg("Failed to parse app URL")
-		c.JSON(500, gin.H{
-			"status":  500,
-			"message": "Internal Server Error",
-		})
-		return
-	}
-
 	c.JSON(200, AppContextResponse{
-		Status:                200,
-		Message:               "Success",
-		Providers:             controller.runtime.ConfiguredProviders,
-		Title:                 controller.config.UI.Title,
-		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
-		CookieDomain:          controller.runtime.CookieDomain,
-		ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
-		BackgroundImage:       controller.config.UI.BackgroundImage,
-		OAuthAutoRedirect:     controller.config.OAuth.AutoRedirect,
-		WarningsEnabled:       controller.config.UI.WarningsEnabled,
+		Status:  200,
+		Message: "Success",
+		Auth: ACRAuth{
+			Providers: controller.runtime.ConfiguredProviders,
+		},
+		OAuth: ACROAuth{
+			AutoRedirect: controller.config.OAuth.AutoRedirect,
+		},
+		UI: ACRUI{
+			Title:                 controller.config.UI.Title,
+			ForgotPasswordMessage: controller.config.UI.ForgotPasswordMessage,
+			BackgroundImage:       controller.config.UI.BackgroundImage,
+			WarningsEnabled:       controller.config.UI.WarningsEnabled,
+		},
+		App: ACRApp{
+			AppURL:         controller.runtime.AppURL,
+			CookieDomain:   controller.runtime.CookieDomain,
+			TrustedDomains: controller.runtime.TrustedDomains,
+		},
 	})
 }

internal/controller/context_controller_test.go

@@ -34,16 +34,25 @@ func TestContextController(t *testing.T) {
 			path:        "/api/context/app",
 			expected: func() string {
 				expectedAppContextResponse := controller.AppContextResponse{
-					Status:                200,
-					Message:               "Success",
-					Providers:             runtime.ConfiguredProviders,
-					Title:                 cfg.UI.Title,
-					AppURL:                runtime.AppURL,
-					CookieDomain:          runtime.CookieDomain,
-					ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
-					BackgroundImage:       cfg.UI.BackgroundImage,
-					OAuthAutoRedirect:     cfg.OAuth.AutoRedirect,
-					WarningsEnabled:       cfg.UI.WarningsEnabled,
+					Status:  200,
+					Message: "Success",
+					Auth: controller.ACRAuth{
+						Providers: runtime.ConfiguredProviders,
+					},
+					OAuth: controller.ACROAuth{
+						AutoRedirect: cfg.OAuth.AutoRedirect,
+					},
+					UI: controller.ACRUI{
+						Title:                 cfg.UI.Title,
+						ForgotPasswordMessage: cfg.UI.ForgotPasswordMessage,
+						BackgroundImage:       cfg.UI.BackgroundImage,
+						WarningsEnabled:       cfg.UI.WarningsEnabled,
+					},
+					App: controller.ACRApp{
+						AppURL:         runtime.AppURL,
+						CookieDomain:   runtime.CookieDomain,
+						TrustedDomains: runtime.TrustedDomains,
+					},
 				}
 				bytes, err := json.Marshal(expectedAppContextResponse)
 				require.NoError(t, err)
@@ -84,13 +93,15 @@ func TestContextController(t *testing.T) {
 			path: "/api/context/user",
 			expected: func() string {
 				expectedUserContextResponse := controller.UserContextResponse{
-					Status:     200,
-					Message:    "Success",
-					IsLoggedIn: true,
-					Username:   "johndoe",
-					Name:       "John Doe",
-					Email:      utils.CompileUserEmail("johndoe", runtime.CookieDomain),
-					Provider:   "local",
+					Status:  200,
+					Message: "Success",
+					Auth: controller.UCRAuth{
+						Authenticated: true,
+						Username:      "johndoe",
+						Name:          "John Doe",
+						Email:         utils.CompileUserEmail("johndoe", runtime.CookieDomain),
+						ProviderID:    "local",
+					},
 				}
 				bytes, err := json.Marshal(expectedUserContextResponse)
 				require.NoError(t, err)

internal/controller/proxy_controller_test.go

@@ -357,7 +357,7 @@ func TestProxyController(t *testing.T) {
 	ctx := context.TODO()
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 	aclsService := service.NewAccessControlsService(log, cfg, nil)
 
 	policyEngine, err := service.NewPolicyEngine(cfg, log)

internal/controller/user_controller.go

@@ -47,6 +47,7 @@ func NewUserController(
 	userGroup.POST("/login", controller.loginHandler)
 	userGroup.POST("/logout", controller.logoutHandler)
 	userGroup.POST("/totp", controller.totpHandler)
+	userGroup.POST("/tailscale", controller.tailscaleHandler)
 
 	return controller
 }
@@ -394,3 +395,53 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		"message": "Login successful",
 	})
 }
+
+func (controller *UserController) tailscaleHandler(c *gin.Context) {
+	context, err := new(model.UserContext).NewFromGin(c)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to create user context from request")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	if context.Tailscale == nil {
+		controller.log.App.Warn().Msg("Tailscale login attempt without Tailscale context")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	sessionCookie := repository.Session{
+		Username: context.Tailscale.Username,
+		Name:     context.Tailscale.Name,
+		Email:    context.Tailscale.Email,
+		Provider: "tailscale",
+	}
+
+	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	http.SetCookie(c.Writer, cookie)
+
+	controller.log.App.Info().Str("username", context.GetUsername()).Msg("Tailscale login successful, login complete")
+	controller.log.AuditLoginSuccess(context.GetUsername(), "tailscale", c.ClientIP())
+
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Login successful",
+	})
+}

internal/controller/user_controller_test.go

@@ -415,7 +415,7 @@ func TestUserController(t *testing.T) {
 	wg := &sync.WaitGroup{}
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 
 	beforeEach := func() {
 		// Clear failed login attempts before each test

internal/middleware/context_middleware.go

@@ -36,10 +36,11 @@ var (
 )
 
 type ContextMiddleware struct {
-	log     *logger.Logger
-	runtime model.RuntimeConfig
-	auth    *service.AuthService
-	broker  *service.OAuthBrokerService
+	log       *logger.Logger
+	runtime   model.RuntimeConfig
+	auth      *service.AuthService
+	broker    *service.OAuthBrokerService
+	tailscale *service.TailscaleService
 }
 
 func NewContextMiddleware(
@@ -47,12 +48,14 @@ func NewContextMiddleware(
 	runtime model.RuntimeConfig,
 	auth *service.AuthService,
 	broker *service.OAuthBrokerService,
+	tailscale *service.TailscaleService,
 ) *ContextMiddleware {
 	return &ContextMiddleware{
-		log:     log,
-		runtime: runtime,
-		auth:    auth,
-		broker:  broker,
+		log:       log,
+		runtime:   runtime,
+		auth:      auth,
+		broker:    broker,
+		tailscale: tailscale,
 	}
 }
 
@@ -66,7 +69,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 		uuid, err := c.Cookie(m.runtime.SessionCookieName)
 
 		if err == nil {
-			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid)
+			userContext, cookie, err := m.cookieAuth(c.Request.Context(), uuid, c.RemoteIP())
 
 			if err == nil {
 				if cookie != nil {
@@ -102,11 +105,28 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			return
 		}
 
+		// Lastly check if we have a tailscale session to add
+		if m.tailscale != nil {
+			tailscaleContext, err := m.tailscaleWhois(c.Request.Context(), c.RemoteIP())
+
+			if err != nil {
+				m.log.App.Error().Err(err).Msgf("Error performing tailscale whois for IP %s: %v", c.RemoteIP(), err)
+			}
+
+			if tailscaleContext != nil {
+				c.Set("context", &model.UserContext{
+					Authenticated: false,
+					Provider:      model.ProviderTailscale,
+					Tailscale:     tailscaleContext,
+				})
+			}
+		}
+
 		c.Next()
 	}
 }
 
-func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model.UserContext, *http.Cookie, error) {
+func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip string) (*model.UserContext, *http.Cookie, error) {
 	session, err := m.auth.GetSession(ctx, uuid)
 
 	if err != nil {
@@ -141,6 +161,18 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string) (*model
 		if userContext.Local.Attributes.Email == "" {
 			userContext.Local.Attributes.Email = utils.CompileUserEmail(user.Username, m.runtime.CookieDomain)
 		}
+	case model.ProviderTailscale:
+		tailscaleContext, err := m.tailscaleWhois(ctx, ip)
+
+		if err != nil {
+			return nil, nil, fmt.Errorf("error performing tailscale whois: %w", err)
+		}
+
+		if tailscaleContext == nil {
+			return nil, nil, fmt.Errorf("tailscale whois returned no result for IP: %s", ip)
+		}
+
+		userContext.Tailscale = tailscaleContext
 	case model.ProviderLDAP:
 		search, err := m.auth.SearchUser(userContext.LDAP.Username)
 
@@ -266,3 +298,36 @@ func (m *ContextMiddleware) isIgnorePath(path string) bool {
 	}
 	return false
 }
+
+func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*model.TailscaleContext, error) {
+	if m.tailscale == nil {
+		return nil, nil
+	}
+
+	whois, err := m.tailscale.Whois(ctx, ip)
+
+	if err != nil {
+		m.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
+		return nil, err
+	}
+
+	if whois == nil {
+		return nil, nil
+	}
+
+	uctx := model.TailscaleContext{
+		BaseContext: model.BaseContext{
+			Username: whois.NodeName,
+			Email:    whois.LoginName,
+			Name:     whois.DisplayName,
+		},
+		UserID: whois.UserID,
+		Tags:   whois.Tags,
+	}
+
+	if !strings.ContainsAny(uctx.Email, "@") {
+		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
+	}
+
+	return &uctx, nil
+}

internal/middleware/context_middleware_test.go

@@ -255,9 +255,9 @@ func TestContextMiddleware(t *testing.T) {
 	store := memory.New()
 
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
 
-	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker)
+	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 
 	for _, test := range tests {
 		authService.ClearRateLimitsTestingOnly()

internal/model/config.go

@@ -65,6 +65,9 @@ func NewDefaultConfiguration() *Config {
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
+		Tailscale: TailscaleConfig{
+			Dir: "./tailscale_state",
+		},
 		LabelProvider: "auto",
 	}
 }
@@ -84,6 +87,7 @@ type Config struct {
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
 	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
+	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
 }
 
 type DatabaseConfig struct {
@@ -207,6 +211,16 @@ type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 
+type TailscaleConfig struct {
+	Enabled   bool   `description:"Enable Tailscale integration." yaml:"enabled"`
+	Dir       string `description:"Tailscale state directory." yaml:"dir"`
+	Hostname  string `description:"Tailscale hostname." yaml:"hostname"`
+	AuthKey   string `description:"Tailscale auth key." yaml:"authKey"`
+	Ephemeral bool   `description:"Use ephemeral Tailscale node." yaml:"ephemeral"`
+}
+
+// OAuth/OIDC config
+
 type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`

internal/model/constants.go

@@ -21,3 +21,5 @@ const SessionCookieName = "tinyauth-session"
 const CSRFCookieName = "tinyauth-csrf"
 const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
+
+const GracefulShutdownTimeout = 5 // seconds

internal/model/context.go

@@ -19,6 +19,7 @@ const (
 	ProviderBasicAuth
 	ProviderOAuth
 	ProviderLDAP
+	ProviderTailscale
 )
 
 type UserContext struct {
@@ -27,6 +28,7 @@ type UserContext struct {
 	Local         *LocalContext
 	OAuth         *OAuthContext
 	LDAP          *LDAPContext
+	Tailscale     *TailscaleContext
 }
 
 type BaseContext struct {
@@ -54,6 +56,13 @@ type LDAPContext struct {
 	Groups []string
 }
 
+type TailscaleContext struct {
+	BaseContext
+	UserID string
+	// for future use
+	Tags []string
+}
+
 func (c *UserContext) IsAuthenticated() bool {
 	return c.Authenticated
 }
@@ -74,6 +83,10 @@ func (c *UserContext) IsBasicAuth() bool {
 	return c.Provider == ProviderBasicAuth && c.Local != nil
 }
 
+func (c *UserContext) IsTailscale() bool {
+	return c.Provider == ProviderTailscale && c.Tailscale != nil
+}
+
 func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 	userContextValue, exists := ginctx.Get("context")
 
@@ -87,7 +100,7 @@ func (c *UserContext) NewFromGin(ginctx *gin.Context) (*UserContext, error) {
 		return nil, errors.New("invalid user context type")
 	}
 
-	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil {
+	if userContext.LDAP == nil && userContext.Local == nil && userContext.OAuth == nil && userContext.Tailscale == nil {
 		return nil, errors.New("incomplete user context")
 	}
 
@@ -121,6 +134,15 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 				Email:    session.Email,
 			},
 		}
+	case "tailscale":
+		c.Provider = ProviderTailscale
+		c.Tailscale = &TailscaleContext{
+			BaseContext: BaseContext{
+				Username: session.Username,
+				Name:     session.Name,
+				Email:    session.Email,
+			},
+		}
 	// By default we assume an unknown name which is oauth
 	default:
 		c.Provider = ProviderOAuth
@@ -145,85 +167,55 @@ func (c *UserContext) NewFromSession(session *repository.Session) (*UserContext,
 	return c, nil
 }
 
-func (c *UserContext) GetUsername() string {
+func (c *UserContext) getBaseContext() *BaseContext {
 	switch c.Provider {
-	case ProviderLocal:
+	case ProviderLocal, ProviderBasicAuth:
 		if c.Local == nil {
-			return ""
+			return nil
 		}
-		return c.Local.Username
+		return &c.Local.BaseContext
 	case ProviderLDAP:
 		if c.LDAP == nil {
-			return ""
+			return nil
 		}
-		return c.LDAP.Username
-	case ProviderBasicAuth:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Username
+		return &c.LDAP.BaseContext
 	case ProviderOAuth:
 		if c.OAuth == nil {
-			return ""
+			return nil
 		}
-		return c.OAuth.Username
+		return &c.OAuth.BaseContext
+	case ProviderTailscale:
+		if c.Tailscale == nil {
+			return nil
+		}
+		return &c.Tailscale.BaseContext
 	default:
+		return nil
+	}
+}
+
+func (c *UserContext) GetUsername() string {
+	base := c.getBaseContext()
+	if base == nil {
 		return ""
 	}
+	return base.Username
 }
 
 func (c *UserContext) GetEmail() string {
-	switch c.Provider {
-	case ProviderLocal:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Email
-	case ProviderLDAP:
-		if c.LDAP == nil {
-			return ""
-		}
-		return c.LDAP.Email
-	case ProviderBasicAuth:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Email
-	case ProviderOAuth:
-		if c.OAuth == nil {
-			return ""
-		}
-		return c.OAuth.Email
-	default:
+	base := c.getBaseContext()
+	if base == nil {
 		return ""
 	}
+	return base.Email
 }
 
 func (c *UserContext) GetName() string {
-	switch c.Provider {
-	case ProviderLocal:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Name
-	case ProviderLDAP:
-		if c.LDAP == nil {
-			return ""
-		}
-		return c.LDAP.Name
-	case ProviderBasicAuth:
-		if c.Local == nil {
-			return ""
-		}
-		return c.Local.Name
-	case ProviderOAuth:
-		if c.OAuth == nil {
-			return ""
-		}
-		return c.OAuth.Name
-	default:
+	base := c.getBaseContext()
+	if base == nil {
 		return ""
 	}
+	return base.Name
 }
 
 func (c *UserContext) GetProviderID() string {
@@ -234,6 +226,8 @@ func (c *UserContext) GetProviderID() string {
 		return "ldap"
 	case ProviderOAuth:
 		return c.OAuth.ID
+	case ProviderTailscale:
+		return "tailscale"
 	default:
 		return "unknown"
 	}
@@ -252,3 +246,10 @@ func (c *UserContext) OAuthName() string {
 	}
 	return ""
 }
+
+func (c *UserContext) TailscaleNodeName() string {
+	if c.Tailscale != nil {
+		return c.Tailscale.Username
+	}
+	return ""
+}

internal/model/runtime.go

@@ -13,6 +13,7 @@ type RuntimeConfig struct {
 	OAuthWhitelist         []string
 	ConfiguredProviders    []Provider
 	OIDCClients            []OIDCClientConfig
+	TrustedDomains         []string
 }
 
 type Provider struct {

internal/service/auth_service.go

@@ -78,6 +78,7 @@ type AuthService struct {
 	ldap        *LdapService
 	queries     repository.Store
 	oauthBroker *OAuthBrokerService
+	tailscale   *TailscaleService
 
 	loginAttempts        map[string]*LoginAttempt
 	ldapGroupsCache      map[string]*LdapGroupsCache
@@ -99,6 +100,7 @@ func NewAuthService(
 	ldap *LdapService,
 	queries repository.Store,
 	oauthBroker *OAuthBrokerService,
+	tailscale *TailscaleService,
 ) *AuthService {
 	service := &AuthService{
 		log:                  log,
@@ -111,6 +113,7 @@ func NewAuthService(
 		ldap:                 ldap,
 		queries:              queries,
 		oauthBroker:          oauthBroker,
+		tailscale:            tailscale,
 	}
 
 	wg.Go(service.CleanupOAuthSessionsRoutine)
@@ -292,6 +295,10 @@ func (auth *AuthService) IsEmailWhitelisted(email string) bool {
 }
 
 func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
+	if data.Provider == "tailscale" && auth.tailscale == nil {
+		return nil, fmt.Errorf("tailscale service not configured, cannot create session for tailscale user")
+	}
+
 	uuid, err := uuid.NewRandom()
 
 	if err != nil {
@@ -328,6 +335,28 @@ func (auth *AuthService) CreateSession(ctx context.Context, data repository.Sess
 		return nil, fmt.Errorf("failed to create session entry: %w", err)
 	}
 
+	if data.Provider == "tailscale" {
+		auth.log.App.Trace().Str("url", fmt.Sprintf("https://%s", auth.tailscale.GetHostname())).Msg("Extracting root domain from Tailscale hostname")
+
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", auth.tailscale.GetHostname()))
+
+		if err != nil {
+			return nil, fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		return &http.Cookie{
+			Name:     auth.runtime.SessionCookieName,
+			Value:    session.UUID,
+			Path:     "/",
+			Domain:   fmt.Sprintf(".%s", tsCookieDomain),
+			Expires:  expiresAt,
+			MaxAge:   int(time.Until(expiresAt).Seconds()),
+			Secure:   auth.config.Auth.SecureCookie,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+		}, nil
+	}
+
 	return &http.Cookie{
 		Name:     auth.runtime.SessionCookieName,
 		Value:    session.UUID,

internal/service/tailscale_service.go

@@ -0,0 +1,170 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/tinyauthapp/tinyauth/internal/model"
+	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
+	"tailscale.com/client/local"
+	"tailscale.com/tsnet"
+)
+
+type TailscaleWhoisResponse struct {
+	UserID      string
+	LoginName   string
+	DisplayName string
+	NodeName    string
+	Tags        []string
+}
+
+type TailscaleService struct {
+	log    *logger.Logger
+	wg     *sync.WaitGroup
+	config model.Config
+	ctx    context.Context
+
+	srv *tsnet.Server
+	lc  *local.Client
+	ln  *net.Listener
+	mu  sync.Mutex
+}
+
+func NewTailscaleService(log *logger.Logger, config model.Config, ctx context.Context, wg *sync.WaitGroup) (*TailscaleService, error) {
+	if !config.Tailscale.Enabled {
+		return nil, nil
+	}
+
+	srv := new(tsnet.Server)
+
+	// node options
+	srv.Dir = config.Tailscale.Dir
+	srv.Hostname = config.Tailscale.Hostname
+	srv.AuthKey = config.Tailscale.AuthKey
+	srv.Ephemeral = config.Tailscale.Ephemeral
+
+	// redirect logs to zerolog
+	srv.Logf = log.App.Printf
+	srv.UserLogf = log.App.Printf
+
+	err := srv.Start()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to start tailscale server: %w", err)
+	}
+
+	lc, err := srv.LocalClient()
+
+	if err != nil {
+		_ = srv.Close()
+		return nil, fmt.Errorf("failed to get tailscale local client: %w", err)
+	}
+
+	service := &TailscaleService{
+		log:    log,
+		wg:     wg,
+		config: config,
+		ctx:    ctx,
+		srv:    srv,
+		lc:     lc,
+	}
+
+	connectCtx, cancel := context.WithTimeout(ctx, 2*time.Minute) // large enough timeout to allow for user to manually authenticate with link if needed
+	defer cancel()
+
+	err = service.waitForConn(connectCtx)
+
+	if err != nil {
+		_ = srv.Close()
+		return nil, fmt.Errorf("failed to connect to tailscale network: %w", err)
+	}
+
+	wg.Go(service.watchAndClose)
+
+	return service, nil
+}
+
+func (ts *TailscaleService) watchAndClose() {
+	<-ts.ctx.Done()
+	ts.log.App.Debug().Msg("Shutting down Tailscale service")
+	ts.mu.Lock()
+	srv := ts.srv
+	ln := ts.ln
+	ts.ln = nil
+	ts.srv = nil
+	ts.mu.Unlock()
+	if ln != nil {
+		(*ts.ln).Close()
+	}
+	if srv != nil {
+		ts.srv.Close()
+	}
+}
+
+func (ts *TailscaleService) Whois(ctx context.Context, addr string) (*TailscaleWhoisResponse, error) {
+	who, err := ts.lc.WhoIs(ctx, addr)
+
+	if err != nil {
+		if errors.Is(err, local.ErrPeerNotFound) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("failed to get client whois: %w", err)
+	}
+
+	res := TailscaleWhoisResponse{
+		UserID:      who.UserProfile.ID.String(),
+		LoginName:   who.UserProfile.LoginName,
+		DisplayName: who.UserProfile.DisplayName,
+		NodeName:    strings.TrimSuffix(who.Node.Name, "."),
+		Tags:        who.Node.Tags,
+	}
+
+	return &res, nil
+}
+
+func (ts *TailscaleService) CreateListener() (net.Listener, error) {
+	ts.mu.Lock()
+	defer ts.mu.Unlock()
+
+	if ts.ln != nil {
+		return *ts.ln, nil
+	}
+	ln, err := ts.srv.ListenTLS("tcp", ":443")
+	if err != nil {
+		return nil, err
+	}
+	ts.ln = &ln
+	return ln, nil
+}
+
+func (ts *TailscaleService) GetHostname() string {
+	status, err := ts.lc.Status(ts.ctx)
+
+	if err != nil {
+		ts.log.App.Error().Err(err).Msg("Failed to get Tailscale status")
+		return ""
+	}
+
+	return strings.TrimSuffix(status.Self.DNSName, ".")
+}
+
+func (ts *TailscaleService) waitForConn(ctx context.Context) error {
+	for {
+		select {
+		case <-ctx.Done():
+			return fmt.Errorf("timed out waiting for tailscale connection")
+		default:
+			ip4, _ := ts.srv.TailscaleIPs()
+			if !ip4.IsValid() {
+				time.Sleep(1 * time.Second)
+				continue
+			}
+			return nil
+		}
+	}
+}