
express-tailscale-auth


Express middleware for Tailscale authentication

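import { b as capabilitiesValidator, a as methodValidator } from './chunk-X55742K6.js';
import { a as firstRequestHook } from './chunk-2YKGTWDO.js';
import picomatch from 'picomatch';
import proxyaddr, { all, compile } from 'proxy-addr';
import { TailscaleLocalApi } from 'tailscale-local-api';

// Set once `firstRequestHook` (a bundled chunk; its purpose is not visible in
// this file) has returned a truthy value, so it runs at most once per process.
let hookDone = false;

/**
 * Turn an Express `trust proxy` setting into the trust argument proxy-addr
 * expects, mirroring what Express itself does for `req.ip`.
 *
 * proxy-addr's `compile()` only accepts a string or an array and throws a
 * TypeError for anything else, so a numeric hop count (`app.set('trust proxy', 1)`),
 * a custom function, or a comma-separated list such as `'loopback, linklocal'`
 * has to be translated here first; otherwise the middleware throws before it
 * can send its 404/401 responses.
 *
 * @param {number|string|string[]|Function} setting - the raw `trust proxy`
 *   value; `true`/`false`/`undefined` are handled by the caller.
 * @returns {Function} trust function usable with `proxyaddr(req, trust)`.
 * @throws {TypeError} from proxy-addr when an entry is not a valid IP/range.
 */
const compileTrustSetting = (setting) => {
  if (typeof setting === 'function') return setting;
  if (typeof setting === 'number') {
    // Trust the first `setting` hops counted from the socket, as Express does.
    return (_addr, hop) => hop < setting;
  }
  if (typeof setting === 'string') {
    return compile(setting.split(',').map((entry) => entry.trim()));
  }
  return compile(setting);
};

/**
 * Create an Express middleware that only lets requests through when the
 * resolved client IP belongs to the Tailscale network and the identity
 * returned by the Tailscale local API `whoIs` lookup carries a capability
 * matching the requested URL and method.
 *
 * Responses on failure:
 *   - 404 `Cannot <method> <path>` when no client IP is found or the IP is not
 *     in the Tailscale range (the endpoint's existence is not confirmed to
 *     non-Tailscale sources);
 *   - 401 `Cannot <method> <path>` when the identity lookup fails, the
 *     capabilities or method cannot be parsed, or no capability grants the
 *     route/method.
 *
 * On success `req.tailscaleUser` is set to the `whoIs` user profile plus a
 * `capabilities` property and `next()` is called.
 *
 * @param {object} [options={}] - passed unchanged to `new TailscaleLocalApi(options)`.
 * @param {boolean} [options.debug] - emit `console.debug` diagnostics.
 * @param {string} [options.capabilitiesNamespace] - key in the `whoIs`
 *   `capMap` whose first entry holds the route capabilities. When omitted,
 *   every Tailscale identity is granted every route and method
 *   (`{ routes: [{ route: '**', methods: ['*'] }] }`).
 * @returns {(req, res, next) => Promise<void>} Express middleware.
 */
const createTailscaleAuthMw = (options = {}) => {
  const api = new TailscaleLocalApi(options);
  const debug = Boolean(options.debug);

  /**
   * Resolve the client address honouring the app's `trust proxy` setting.
   * @param {import('express').Request} req
   * @returns {string|undefined} client IP, or undefined when none is known.
   */
  const resolveClientIp = (req) => {
    // proxy-addr lists the socket address first, then the forwarded hops.
    if (debug) console.debug('all addrs of req', all(req));
    if (!hookDone && firstRequestHook(req)) hookDone = true;

    const setting = req.app.get('trust proxy');
    if (setting === false || setting === undefined) {
      if (debug) {
        console.debug('Not trusting reverse proxy, returning socket address', req.socket.remoteAddress);
      }
      return req.socket.remoteAddress;
    }
    if (setting === true) {
      // Same semantics as Express: every hop is trusted, so the furthest
      // address wins — that is the leftmost X-Forwarded-For entry, which the
      // client itself can supply. Only safe behind a proxy that overwrites
      // the header.
      return all(req).at(-1);
    }
    const trusted = proxyaddr(req, compileTrustSetting(setting));
    if (debug) console.debug('trusting remote address', trusted);
    return trusted;
  };

  return async (req, res, next) => {
    // All rejection paths send the same body; only the status differs.
    const reject = (status) => {
      res.status(status).send(`Cannot ${req.method} ${req.path}`);
    };

    const clientIp = resolveClientIp(req);
    if (!clientIp) {
      if (debug) console.debug('No client IP found', clientIp);
      reject(404);
      return;
    }

    // Truthy when the address is inside the Tailscale range; the returned
    // value is what `whoIs` is queried with (presumably the address itself —
    // not visible here, confirm against tailscale-local-api).
    const tailscaleAddr = api.isInTailscaleIpRange(clientIp);
    if (!tailscaleAddr) {
      if (debug) console.debug('Request IP not from Tailscale range', clientIp);
      reject(404);
      return;
    }

    let capabilities;
    try {
      const identity = await api.whoIs(tailscaleAddr);
      const rawCapabilities = options.capabilitiesNamespace
        ? identity.capMap[options.capabilitiesNamespace]?.[0]
        : { routes: [{ route: '**', methods: ['*'] }] };
      const parsed = capabilitiesValidator.safeParse(rawCapabilities);
      capabilities = parsed.data;
      req.tailscaleUser = { ...identity.userProfile, capabilities: capabilities ?? {} };
      if (!parsed.success) {
        if (debug) console.debug("Couldn't find or parse capabilities", parsed.error);
        reject(401);
        return;
      }
    } catch (err) {
      // Covers a failed whoIs call as well as a missing `capMap`.
      console.error(err);
      reject(401);
      return;
    }

    // Capability globs are matched against the raw request URL (query string
    // included), not the normalized `req.path`.
    const requestedUrl = req.originalUrl;
    const method = methodValidator.safeParse(req.method);
    if (!method.success) {
      if (debug) console.debug('Invalid method', method.error);
      reject(401);
      return;
    }

    const allowed = capabilities?.routes?.some((cap) => {
      if (!picomatch(cap.route)(requestedUrl)) return false;
      return cap.methods.includes('*') || cap.methods.includes(method.data);
    });
    if (!allowed) {
      if (debug) console.debug('Requester has no capability for route', req.path, req.method);
      reject(401);
      return;
    }

    next();
  };
};

export { createTailscaleAuthMw };
//# sourceMappingURL=index.js.map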