feat: Add Tailscale authentication middleware #90

Merged: evansenter merged 1 commit into main from feat/tailscale-auth on Jan 24, 2026

@evansenter (Owner)

Summary

Port TailscaleAuthMiddleware from claude-event-bus for consistent security across MCP servers in multi-machine setups.

Changes

  • Add TailscaleAuthMiddleware class to server.py
  • Update create_app() to wrap app with auth middleware
  • Add pytest_configure hook to disable auth in tests
  • Add 3 middleware tests (with header, without header, non-HTTP passthrough)

Configuration

  • Auth enabled by default (requires tailscale serve proxy)
  • Set SESSION_ANALYTICS_AUTH_DISABLED=1 to disable for local dev/testing

Test plan

  • make check passes (384 tests)
  • Middleware tests cover: valid header → 200, missing header → 401, non-HTTP → passthrough
  • Manual test with tailscale serve --bg 8081 on server
  • Verify client connections via HTTPS URL work

Next steps (after merge)

  1. Run tailscale serve --bg 8081 on speck-vm
  2. Update client MCP configs to https://speck-vm.tailac7b3c.ts.net:8081/mcp

Closes #89

🤖 Generated with Claude Code

Port TailscaleAuthMiddleware from claude-event-bus for consistent
security across MCP servers in multi-machine setups.

Changes:
- Add TailscaleAuthMiddleware class to server.py
- Update create_app() to wrap app with auth middleware
- Add pytest_configure hook to disable auth in tests
- Add middleware tests (with/without header, non-HTTP passthrough)

Configuration:
- Auth enabled by default (requires tailscale serve proxy)
- Set SESSION_ANALYTICS_AUTH_DISABLED=1 to disable for local dev

Next steps:
- Run `tailscale serve --bg 8081` on server
- Update client MCP configs to use HTTPS URL

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@claude

claude Bot commented Jan 24, 2026

Prompt: evansenter/dotfiles/.../claude-review.md

Code Review

Summary

This PR adds Tailscale authentication middleware to protect the MCP server when exposed over the network. Requests must include the Tailscale-User-Login header (injected by tailscale serve) or receive a 401 response. Auth can be disabled via SESSION_ANALYTICS_AUTH_DISABLED=1 for local development.

Issues Found

Critical

None

Important

None

Suggestions

None

Verdict

APPROVE - Clean implementation that follows the established pattern from claude-event-bus. The middleware correctly handles HTTP vs non-HTTP scopes, tests cover the key paths (authenticated, unauthenticated, passthrough), and the pytest_configure hook ensures tests run without auth requirements.


Automated review by Claude Code

@evansenter evansenter merged commit 4891f17 into main Jan 24, 2026
3 checks passed
@evansenter evansenter deleted the feat/tailscale-auth branch January 24, 2026 20:40
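
The behaviour described in this PR (valid header → 200, missing header → 401, non-HTTP passthrough, env-var opt-out), sketched as an added example; it is not the project's `TailscaleAuthMiddleware` or code from this PR. The class name `HeaderAuthMiddleware`, the helpers `_ok_app` and `run`, the per-request environment check and the rejection of blank header values are assumptions made for illustration.

```python
import asyncio
import os

AUTH_HEADER = b"tailscale-user-login"  # header from the PR; ASGI lowercases names
DISABLE_ENV = "SESSION_ANALYTICS_AUTH_DISABLED"  # opt-out variable from the PR


class HeaderAuthMiddleware:
    """Illustrative stand-in, not the project's TailscaleAuthMiddleware.
    Assumes the app binds to loopback behind `tailscale serve`; on a directly
    reachable port any client could set this header itself."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        # Non-HTTP scopes (lifespan, etc.) and the dev opt-out pass through.
        if scope["type"] != "http" or os.environ.get(DISABLE_ENV) == "1":
            return await self.app(scope, receive, send)
        login = dict(scope.get("headers", [])).get(AUTH_HEADER, b"")
        if not login.strip():  # absent header, or blank (added hardening choice)
            body = b'{"error": "unauthorized"}'
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"content-type", b"application/json"),
                                    (b"content-length", str(len(body)).encode())]})
            await send({"type": "http.response.body", "body": body})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Constructed inner app: 200 for HTTP, a marker for any other scope."""
    if scope["type"] == "http":
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    else:
        await send({"type": scope["type"] + ".seen"})


def run(scope_type, headers=()):
    """Drive the wrapped app once and return the ASGI messages it sent."""
    sent = []
    async def send(msg):
        sent.append(msg)
    async def receive():
        return {"type": "http.request", "body": b""}
    scope = {"type": scope_type, "headers": list(headers)}
    asyncio.run(HeaderAuthMiddleware(_ok_app)(scope, receive, send))
    return sent
```

Because the opt-out variable turns the check off entirely, a deployment check that fails when `SESSION_ANALYTICS_AUTH_DISABLED=1` is set on a network-reachable host is a useful companion to the middleware.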
Development

Successfully merging this pull request may close these issues.

Add Tailscale authentication for multi-machine setup
