feat: tailscale oauth

2025-10-29 05:05:42 +00:00 · 2025-02-01 16:28:39 +02:00
parent 99268f80c9
commit 6e5f882e0b
8 changed files with 244 additions and 53 deletions
--- a/internal/providers/providers.go
+++ b/internal/providers/providers.go
@@ -17,10 +17,11 @@ func NewProviders(config types.OAuthConfig) *Providers {
 }

 type Providers struct {
-	Config  types.OAuthConfig
-	Github  *oauth.OAuth
-	Google  *oauth.OAuth
-	Generic *oauth.OAuth
+	Config    types.OAuthConfig
+	Github    *oauth.OAuth
+	Google    *oauth.OAuth
+	Tailscale *oauth.OAuth
+	Generic   *oauth.OAuth
 }

 func (providers *Providers) Init() {
@@ -46,6 +47,17 @@ func (providers *Providers) Init() {
 		})
 		providers.Google.Init()
 	}
+	if providers.Config.TailscaleClientId != "" && providers.Config.TailscaleClientSecret != "" {
+		log.Info().Msg("Initializing Tailscale OAuth")
+		providers.Tailscale = oauth.NewOAuth(oauth2.Config{
+			ClientID:     providers.Config.TailscaleClientId,
+			ClientSecret: providers.Config.TailscaleClientSecret,
+			RedirectURL:  fmt.Sprintf("%s/api/oauth/callback/tailscale", providers.Config.AppURL),
+			Scopes:       TailscaleScopes(),
+			Endpoint:     TailscaleEndpoint,
+		})
+		providers.Tailscale.Init()
+	}
 	if providers.Config.GenericClientId != "" && providers.Config.GenericClientSecret != "" {
 		log.Info().Msg("Initializing Generic OAuth")
 		providers.Generic = oauth.NewOAuth(oauth2.Config{
@@ -68,6 +80,8 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 		return providers.Github
 	case "google":
 		return providers.Google
+	case "tailscale":
+		return providers.Tailscale
 	case "generic":
 		return providers.Generic
 	default:
@@ -103,6 +117,19 @@ func (providers *Providers) GetUser(provider string) (string, error) {
 		}
 		log.Debug().Msg("Got email from google")
 		return email, nil
+	case "tailscale":
+		if providers.Tailscale == nil {
+			log.Debug().Msg("Tailscale provider not configured")
+			return "", nil
+		}
+		client := providers.Tailscale.GetClient()
+		log.Debug().Msg("Got client from tailscale")
+		email, emailErr := GetTailscaleEmail(client)
+		if emailErr != nil {
+			return "", emailErr
+		}
+		log.Debug().Msg("Got email from tailscale")
+		return email, nil
 	case "generic":
 		if providers.Generic == nil {
 			log.Debug().Msg("Generic provider not configured")
@@ -129,6 +156,9 @@ func (provider *Providers) GetConfiguredProviders() []string {
 	if provider.Google != nil {
 		providers = append(providers, "google")
 	}
+	if provider.Tailscale != nil {
+		providers = append(providers, "tailscale")
+	}
 	if provider.Generic != nil {
 		providers = append(providers, "generic")
 	}
--- a/internal/providers/tailscale.go
+++ b/internal/providers/tailscale.go
@@ -0,0 +1,56 @@
+package providers
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/rs/zerolog/log"
+	"golang.org/x/oauth2"
+)
+
+type TailscaleUser struct {
+	LoginName string `json:"loginName"`
+}
+
+type TailscaleUserInfoResponse struct {
+	Users []TailscaleUser `json:"users"`
+}
+
+func TailscaleScopes() []string {
+	return []string{"users:read"}
+}
+
+var TailscaleEndpoint = oauth2.Endpoint{
+	TokenURL: "https://api.tailscale.com/api/v2/oauth/token",
+}
+
+func GetTailscaleEmail(client *http.Client) (string, error) {
+	res, resErr := client.Get("https://api.tailscale.com/api/v2/tailnet/-/users")
+
+	if resErr != nil {
+		return "", resErr
+	}
+
+	log.Debug().Msg("Got response from tailscale")
+
+	body, bodyErr := io.ReadAll(res.Body)
+
+	if bodyErr != nil {
+		return "", bodyErr
+	}
+
+	log.Debug().Msg("Read body from tailscale")
+
+	var users TailscaleUserInfoResponse
+
+	jsonErr := json.Unmarshal(body, &users)
+
+	if jsonErr != nil {
+		return "", jsonErr
+	}
+
+	log.Debug().Msg("Parsed users from tailscale")
+
+	return users.Users[0].LoginName, nil
+}