From d50e846747ec552349a2586b5424451342864578 Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Fri, 21 Feb 2025 12:21:20 +1100
Subject: [PATCH] fix: block vpn tailnet endpoint when `--browser-only` is set (#16647)

The work on CoderVPN required a new user-scoped `/tailnet` endpoint for coordinating with multiple workspace agents, and receiving workspace updates. Much like the `/coordinate` endpoint, this needs to respect the `CODER_BROWSER_ONLY`/`--browser-only` deployment config value.
---
 coderd/workspaceagents.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
index 8132da9bd7..ddfb21a751 100644
--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -906,6 +906,7 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 }
 // This is used by Enterprise code to control the functionality of this route.
+ // Namely, disabling the route using `CODER_BROWSER_ONLY`.
 override := api.WorkspaceClientCoordinateOverride.Load()
 if override != nil {
 overrideFunc := *override
@@ -1576,6 +1577,16 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 func (api *API) tailnetRPCConn(rw http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
+ // This is used by Enterprise code to control the functionality of this route.
+ // Namely, disabling the route using `CODER_BROWSER_ONLY`.
+ override := api.WorkspaceClientCoordinateOverride.Load()
+ if override != nil {
+ overrideFunc := *override
+ if overrideFunc != nil && overrideFunc(rw) {
+ return
+ }
+ }
+
 version := "2.0"
 qv := r.URL.Query().Get("version")
 if qv != "" {
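Review bot: The browser-only guard added to `tailnetRPCConn` is a copy of the block in `workspaceAgentClientCoordinate`, so the restriction is still enforced one handler at a time, and a future tunnel-style route can omit it the same way `/tailnet` did. Moving the check into a single helper that both handlers call (sketched below under the placeholder name `blockedByClientOverride`) keeps the two routes in step. The patch changes only `coderd/workspaceagents.go`, so nothing pins the new behaviour; a test asserting that `/tailnet` is refused when browser-only is enabled would guard this access-control check against regression. Since a nil override is skipped, the route presumably stays open unless the Enterprise code has stored the callback, which is worth confirming for this endpoint. Both function bodies continue outside the hunks.

```go
// blockedByClientOverride (placeholder name) reports whether the Enterprise
// override, e.g. browser-only mode, has already rejected the request on rw.
func (api *API) blockedByClientOverride(rw http.ResponseWriter) bool {
	override := api.WorkspaceClientCoordinateOverride.Load()
	if override == nil || *override == nil {
		return false
	}
	return (*override)(rw)
}

func (api *API) tailnetRPCConn(rw http.ResponseWriter, r *http.Request) {
	ctx := r.Context()

	if api.blockedByClientOverride(rw) {
		return
	}
	// … unchanged: version negotiation and the rest of the handler …
```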