Skip to content

fix(auth): treat Tailscale Serve loopback host as remote-reachable#4

Merged
justingray0 merged 1 commit into
mainfrom
fix/tailscale-serve-remote-reachable
Jun 29, 2026
Merged

fix(auth): treat Tailscale Serve loopback host as remote-reachable#4
justingray0 merged 1 commit into
mainfrom
fix/tailscale-serve-remote-reachable

Conversation

@justingray0

Copy link
Copy Markdown
Owner

Summary

When Tailscale Serve is enabled it proxies the loopback-bound backend onto the tailnet, so the server is reachable from other devices even though config.host stays on 127.0.0.1. The EnvironmentAuthPolicy previously keyed solely off the bind host and therefore selected a local-only policy in that case, skipping the one-time-token bootstrap that remote clients need.

This change treats the server as remote-reachable whenever tailscaleServeEnabled is set, in addition to the existing wildcard / non-loopback host checks.

Changes

  • EnvironmentAuthPolicy.make now factors config.tailscaleServeEnabled into isRemoteReachable.
  • Added a test covering the mode: "web" + loopback host + Tailscale Serve case, asserting a remote-reachable policy with one-time-token bootstrap.

🤖 Generated with Claude Code

When Tailscale Serve is enabled it proxies the loopback-bound backend onto
the tailnet, so the server is reachable from other devices even though
`config.host` stays on 127.0.0.1. Previously the auth policy keyed solely
off the bind host and selected a local-only policy in that case, skipping
the one-time-token bootstrap required for remote access.

Treat the server as remote-reachable whenever `tailscaleServeEnabled` is
set, in addition to the existing wildcard / non-loopback host checks, so
remote clients get the `remote-reachable` policy with one-time-token
bootstrap.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions github-actions Bot added vouch:trusted PR author is trusted by repo permissions or the VOUCHED list. size:XS labels Jun 29, 2026
@justingray0 justingray0 merged commit 2ee6b58 into main Jun 29, 2026
6 of 10 checks passed
@justingray0 justingray0 deleted the fix/tailscale-serve-remote-reachable branch June 29, 2026 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:XS vouch:trusted PR author is trusted by repo permissions or the VOUCHED list.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant